Does the ServiceAccount token need to remain secret?

In a pod, a ServiceAccount token will be auto-mounted to /var/run/secrets/kubernetes.io/serviceaccount/token. There are some blog articles that suggest using ServiceAccounts to perform service to service authentication.

Those articles basically suggest sending the unmodified token to the service being called as an HTTP header. The called service can then implement validating the callers identity using k8s.io/api/authentication Go API.

But doesn't the token need to be kept secret? Naively I'd think that the called service can misuse the token to impersonate the calling service (by making API calls using its token).

Is this a legitimate concern? Or is there something build into K8s that makes sure only the pod into which the token has been mounted can use it to make API calls?

A few folks basically answered the question but used comments. So let me answer the question myself.

The token can be used to impersonate the service sending it. It can even be used outside the cluster to authenticate to the API.

There also doesn't seem to be machinery in the K8S API to use public key mechanisms, to avoid having to reveal the token.

Overall, sending the token to anyone else seems like a really bad idea. I would advise not to use the approach outlined in the blog post linked to in the question.