You would have access to my server token, certainly. But I checked the documentation and in order to request rides, I think you would need other pieces of information that I did not expose. Additionally, there are various scopes that Uber grants regarding the API exposure that any application has.

I think / hope that the worst damage that can be done is hitting Uber's rate limit.

Definitely not defending my decision to include the server token, but I don't think it's the end of the world (just terrible practice).