There is no password protection of the API Link created here.
The API link is/contains the password. Using a second password would only increase security insofar as the password becomes longer. Yet, the length should be sufficient already.
How probable is it that a third person (e.g. a hacker) may find those links?
The probability is very much the same as for finding a password. Actually, the risk is a bit lower, because the automated generation of the links does not allow for easy-to-guess passwords ;)
However, if you have a trojan on your PC (which is what hackers usually use to infiltrate computers and companies), a link and a password are equally insecure. You would need two-factor auth with a hardware key then. But given an infiltrated PC, even that would be of limited value, as the attacker would still be able to download any data via the infiltrated system.
Why am I telling you that? Hacking the URL is by far not the weakest element in the chain. If your data is hacked, you can be quite sure that it was not the URL that was hacked.