The access token you get from your account page allow you to makes queries on the Trefle API, but you token needs to be kept secret, so you can't make queries from the browser as the user on your website will see the access token, and could use it for his personal uses.
If you need to perform client-side requests, you will have to request a client-side token from you backend, and get a JWT token in return. This token will be usable on the client side. This call need you secret access token, and the url of the website the client side requests will come from.
As this is a POST request, it can't be done directly from the browser.
And we got:
You can then use this token directly from the browser. It can't be used from another origin, will expire and only works for your website.
About the user IP
Putting the user remote IP in the claim API call is optionnal, but it provides an additional security layer. We don't keep or store this information.