For "getting-started" simplicity all Realtime application keys have the security module (authentication) turned off by default. 

This means any authentication token will be considered valid and all permissions are granted (read/write and get presence data). That's why you are able to connect using any token.

However before you deploy your app to production, you should consider activating the authentication module to secure your channels.

You can find all about the Realtime security features at

Did this answer your question?