How to mask the sessions of OpenZiti API requests

Currently, I'm using password auth, but even if we use a cert we will still have to pass the sessionID with every request.

We don't want our users to see it in network requests and be able to access the controller.

We could think of adding firewalls and security rules, but we give JWTs for users to bring their routers, so requests can come from anywhere.

So the question is: how do we mask the information and make it tighter when sending requests?

When answering with the approaches, please paste an implementation guide link.

Ziti identities may or may not have the administrator privilege. Ziti identities may authenticate with a password or edge enrollment certificate or another identifying document from a trusted provider, e.g. OpenID Connect.

However the identity authenticates, it receives an API session token. It's expected that the identity has access to that token because it represents the identity.