Requests made for the demo don't have an access token. On the back end I look for this case, and then see if the request has "when" and "encrypted" parameters. "when" is just a date/time stamp, and "encrypted" is the same thing..encrypted. If I see both those params, I decrypt the "encrypted" and make sure it matches the "when" to validate the server created it, and make sure the "when" is less than one hour.
Otherwise, all requests require an access token.