Yep, that’s exactly the right approach!
As a rule, Anvil doesn’t let the client see long-lived credentials. Just because you show an image to someone doesn’t mean you want to give them the ability to download it (or give the URL to someone else). The same goes for (eg) Data Table rows - just because you returned a client-writable row doesn’t mean that client should always have access to that row. So we make all those tokens (eg URLs for Media from Data Tables rows) only valid within the session in which you returned them from a server module, and they expire when the user’s session expires.
If you want to create a long-lived endpoint giving direct access to bits of your tables, we make sure you’re doing it deliberately. HTTP endpoints is the right way to go about it 