The new viewables:read scope is available on OAuth for 2-legged authentication and 3-legged authorization. It should replace the data:read scope when sending access token to the client. It limits the access to viewable data (e.g. SVF Viewables).
Check our update sample, update your SDK and migrate your app:
Proxy
The best option still to use a proxy to secure your access token, as described in this blog post, which completely hide the access token from the client.
Developer Advocate at Autodesk since 2008, working with both desktop and web/cloud apps using top technologies, like C#, JavaScript, NodeJS and any other that can solve problems and improve workflows. See my samples on Github and follow me on Twitter for updates.