I noticed that it’s required for the user to supply their username and password to delete a token. I’m building an app that will allow the user to log in and log out. Right now on login I’m only storing their access token (after authenticating with their username/password). When they log out I want to destroy that token. But according to the docs, I need their username and password.
If it’s assumed that the access token is totally secure and unguessable, then why do we need additional credentials to delete the token? It seems strange to ask a user for their credentials again in order to log out.