Comment 23 for bug 1215627

David Stanek (dstanek) wrote :

Is there any architectural information about how tokens should be used? I found docs for the APIs, but I'm looking more for use cases and best practices about using/handling tokens.

It may be a little late now, but I would have loved to see tokens not be stored at all. Instead just the grant and an optional expiration on the grant. Grants can then be used to create new tokens. If a grant is revoked all associated tokens are revoked. Tokens would have their own expiration date that is likely shorter than that of the grant (except in the case where a grant will expire). This is similar in concept (I believe) to some large scale OAuth deployments.
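
The grant-backed scheme proposed in this comment, as an added sketch that is not part of the original comment and is not Keystone code: only grants are stored, tokens are signed and self-describing, and validation consults the grant. All names here (`GRANTS`, `issue_token`, `validate_token`, the signing key) are hypothetical, and HMAC-SHA256 is an assumed choice of signature.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # assumption: server-side signing key
GRANTS = {}  # the only persisted state: grant_id -> user, expiry, revoked flag

def create_grant(grant_id, user, expires=None):
    GRANTS[grant_id] = {"user": user, "expires": expires, "revoked": False}

def revoke_grant(grant_id):
    GRANTS[grant_id]["revoked"] = True  # implicitly revokes every derived token

def _sign(body: bytes) -> bytes:
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()

def issue_token(grant_id, ttl, now=None):
    now = time.time() if now is None else now
    grant = GRANTS.get(grant_id)
    if grant is None or grant["revoked"]:
        raise PermissionError("grant missing or revoked")
    if grant["expires"] is not None and grant["expires"] <= now:
        raise PermissionError("grant expired")
    exp = now + ttl
    if grant["expires"] is not None:
        exp = min(exp, grant["expires"])  # a token never outlives its grant
    body = base64.urlsafe_b64encode(json.dumps({"g": grant_id, "exp": exp}).encode())
    return (body + b"." + _sign(body)).decode()

def validate_token(token, now=None):
    """Return the grant's user if the token is valid, else None."""
    now = time.time() if now is None else now
    body, _, sig = token.encode().partition(b".")
    if not hmac.compare_digest(_sign(body), sig):
        return None  # forged or tampered token; body is not parsed
    claims = json.loads(base64.urlsafe_b64decode(body))
    grant = GRANTS.get(claims["g"])
    # No per-token lookup: the token's own expiry plus the grant state decide.
    if grant is None or grant["revoked"] or claims["exp"] <= now:
        return None
    return grant["user"]
```

The trade-off is that every validation still reads the grant store, which is what makes revocation immediate without tracking individual tokens.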