Where are you looking at this URL?
If the service is secured (not shared with everyone), accessing it will require a token. This is what gives access to the service. For hosted services, if you are signed in, this token is passed automatically. However, sometimes you can see the token as part of the URL.
Having said that, you never want to share the URL to your rest service with a token, or add it to a web map via URL that way. This is because tokens are short lived and expire and the URL will quickly be invalid. Each client application can get their own token by forcing the user to sign in.
Mike
You never want to create an app that references a service with an embedded token. Tokens are not meant for this kind of use. It's not secure. Plus, tokens become stale quickly. Instead you should write the app and have the app request a token based on valid user credentials.
Mike
I'm not sure we're talking about the same thing... Tokens and SSL are really two separate things.
ArcGIS Online uses tokens to provide access to services. When a client requests access to a service, the service challenges the client for credentials. The client provides the credentials and gets a token back that the client then uses to access the secured service. SSL provides a higher level of security for communication across the internet. THus, turning on SSL will make your site more secure because of the secured transmissions, but it is not necessary to simply restrict access to your services.
It seems like you are writing your own JavaScript (?) web application that accesses the secured services over HTTPS? What browser and version are you using? Is your application also running over https? If not, and you are using Internet Explorer, try using Chrome or Firefox to run your application. They better handle http to https communications. Alternatively, you'll probably be better off writing your application to run over https.
Are you using the IdentityManager to prompt for a username and password?
Mike