  1. Moodle
  2. MDL-29715

tokens are used as authorization instead of authentication only.

    • Improvement
    • Resolution: Won't Fix
    • Critical
    • None
    • 2.1.2, 2.2
    • Web Services
    • MOODLE_21_STABLE, MOODLE_22_STABLE
      1) Tokens should not be deleted when removing a user from a web service's authorized list. The token should belong to the user.

      At present, web service tokens are displayed as linked with web services in the 'create tokens' page (admin/webservice/tokens.php) and 'security keys' page (/user/managetoken.php).
      This implies that the token is used to not only authenticate the user but to also authorize the user for this web service.

      IMO, tokens should be used to identify a person, i.e. authenticate; it is akin to a username/password combination.

      • This way we could also control access based on the type of authentication used if there are more in future (token or others).
      • Using it straight away for authorization can lead to security loopholes when considering future multiple ways of authentication.
      • This could also lead to other scalability problems when many separate web services are required. How many tokens will a user need then?

      There should only be a single token ever needed to be created for each user.

      This token should be able to be created at any time and reset at any time, regardless of web services linked.

      The token should be reused to link to separate web services; deletion/disabling of these links to web services should not require deletion of a user's token! (to resolve MDL-28670 and MDL-28126)

      BTW, these links should also be disabled according to other login restrictions (see MDL-28629).

            moodle.com Moodle HQ
            nebgor Aparup Banerjee
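
The separation the description argues for, as an added example that is not part of the original issue and is not Moodle's code: a language-neutral Python model in which a user's single token only authenticates, and access to each web service is a separate grant. The class, method and service names are hypothetical.

```python
import hashlib
import secrets


class TokenAuth:
    """Hypothetical model: one token per user, service grants kept separately."""

    def __init__(self):
        self._token_owner = {}   # sha256(token) -> user id (authentication)
        self._user_digest = {}   # user id -> sha256 of the current token
        self._grants = set()     # (user id, service) pairs (authorization)

    def issue_token(self, user):
        """Create or reset the user's single token; grants are untouched."""
        old = self._user_digest.pop(user, None)
        if old is not None:
            del self._token_owner[old]  # the previous token stops working
        token = secrets.token_hex(16)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._token_owner[digest] = user
        self._user_digest[user] = digest
        return token  # only the digest is stored server-side

    def authenticate(self, token):
        """Answer only 'who is this?'; returns a user id or None."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        return self._token_owner.get(digest)

    def grant(self, user, service):
        """Link a user to a web service."""
        self._grants.add((user, service))

    def revoke(self, user, service):
        """Remove one user-to-service link; the token is left alone."""
        self._grants.discard((user, service))

    def call(self, token, service):
        """Authenticate first, then authorize as a separate decision."""
        user = self.authenticate(token)
        if user is None:
            return "401 unknown token"
        if (user, service) not in self._grants:
            return "403 not authorized for " + service
        return "200 " + user + " -> " + service
```

Revoking a grant changes only the 403/200 outcome for that service, while resetting the token changes only which secret authenticates; neither operation touches the other table.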