I am seeing similar behavior too for read API (for example get user by email api), master token and _uid are ignored when sending request. The document states that master token can be used, however it doesn't seem to be the case for all APIs.
For now @psychobunny suggested to store JSON data in the post content. This will work if the post data is filtered for client display, and read for updates when sent to the server. This can be used to maintain a separate index of objects described in posts. For example, geolocations can be indexed in its own database for optimized queries. A post might have multiple associated geolocations, or several GeoJSON "shapes".