The purpose of the challenge token is not to be secret, it's to prove that the subscriber can place arbitrary content at a specific URL, demonstrating control of the domain.
@anon95262142, there was another recent thread discussing this, but the short answer is that the BRs require that challenge tokens contain some randomness or a timestamp.