// 20 characters are necessary
I can interpret this question in many ways, please give us insight in your architecture. For example, what do you mean with ‘severless app’, when using serverless functions your user will not receive access to that secret. Are you calling Fauna from the frontend and are worried that the user will grab the token and do different calls?
Yes. This is because the key must be stored in the application. I am asking, what stops the user from taking this exact key and making their own requests using it?
A HTTP request to Fauna could be intercepted by the user, and altered, for example.
The short answer is, nothing stops the user from doing that as long as that query is within the privileges that were defined in your roles, but you can stop the user by writing User Defined Functions (UDFs) and only allowing these to be called.
If you are concerned about the security aspect of having a token in the browser, there are long forum posts on that topic that could help you further.