Is it normal that I can get any user's feed with the same access_token? Here are two examples. The first is from the test account; it is what I should have access to. The second one is from ImagineDragons's Instagram feed.
If so, why do I have to request an access_token in order to do the request?
Most APIs work like this. Even though you are requesting public data (i.e. Imagine Dragon's Instagram feed), they want to know who is making the request. They are probably tracking it to make sure no one is making a billion calls a day or something.
According to: Instagram Developer Documentation
The API call you are trying to make requires an access_token at all times. This is usually done to prevent bots which continuously crawl through recent lists to fetch images and such. The only way Instagram could prevent this is via this access_token approach. Once you have the token, you are able to browse through any user's feeds as you would be able to do it on the webpage of the respective user. If you don't want the user to login to see a certain recent list, you could register a dummy account with Instagram, log that in once, and store its access_token, bundle it with your application and you will be able to request the recent feed without prompting the user to login. I am sure that this isn't an accepted way of solving this problem, mainly because according to the documentation the access_token might change at any time, making your application nonfunctional. Of course, there are solutions even to this scenario. To summarize, I think if you want to request such data without an access_token, try my 'solution'.
The token is required so the API cannot be accessed anonymously. Instagram photos are public unless the user has explicitly set their account to be private. Therefore, it is normal to be able to access the feeds of any public user account with a single valid token.
A token does not circumvent users' settings. If you try to access an account that is marked private you won't get any results and instead receive this response:
{"meta":{"error_type":"APINotAllowedError","code":400,"error_message":"you cannot view this resource"}}
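A minimal model of the behaviour the answers above describe, added here as an example and not Instagram's implementation or code from the original posts: the token identifies the caller so requests can be counted per token, while the account's privacy setting decides what is returned. The token store, account data, quota values and every error name other than APINotAllowedError are constructed assumptions.

```python
import time

# Constructed sample data: token -> caller identity, and per-account privacy.
TOKENS = {"tok-test": "test_account"}
ACCOUNTS = {
    "imaginedragons": {"private": False, "media": ["m1", "m2"]},
    "private_user": {"private": True, "media": ["p1"]},
}
RATE_LIMIT = 3          # hypothetical quota: requests per window per token
WINDOW_SECONDS = 3600   # hypothetical window length
_calls = {}             # token -> timestamps of requests inside the window


def error(error_type, code, message):
    """Build an error envelope in the shape shown on the page."""
    return {"meta": {"error_type": error_type, "code": code,
                     "error_message": message}}


def recent_media(access_token, username, now=None):
    """Model of a token-gated endpoint that serves public feeds."""
    now = time.time() if now is None else now
    # 1. Authentication: the token says who is calling, nothing more.
    if access_token not in TOKENS:
        return error("InvalidTokenError", 400, "invalid access_token")  # hypothetical name
    # 2. Accounting: a per-token quota is why anonymous calls are refused.
    recent = [t for t in _calls.get(access_token, []) if now - t < WINDOW_SECONDS]
    if len(recent) >= RATE_LIMIT:
        _calls[access_token] = recent
        return error("RateLimitError", 429, "quota exceeded")  # hypothetical name
    _calls[access_token] = recent + [now]
    # 3. Authorization: the privacy setting decides, not possession of a token.
    account = ACCOUNTS.get(username)
    if account is None:
        return error("NotFoundError", 400, "no such user")  # hypothetical name
    if account["private"] and TOKENS[access_token] != username:
        return error("APINotAllowedError", 400, "you cannot view this resource")
    return {"meta": {"code": 200}, "data": account["media"]}
```

The same token reads any public feed, is refused on a private one, and is throttled once its own quota is used up.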