So once you log in through the API, you get a user authentication token. This token, if fed into the header of an “Update post” API call, will update any post you’ve made when logged in. All you need is the post’s ID, whether in an anonymous post or blog, and you’ll be good to go.
You could definitely this store authentication tokens in posts using HTML comments but I would advise against that. All anyone has to do is grab your post via the API or put a .txt extension on your post’s url and they’ll grab that sensitive data. Take the above post as an example: https://write.as/s2ksz14cdr5eet2f.txt
If you want to update posts, I’d recommend keeping the authentication token in the app itself as a variable and not in your posts. Keep the business logic in the app and only use the API to grab the post’s body (which will only contain the data and no authentication tokens).
Does that make sense @nibl?