Secure token passing at application level