Thing should change as Spark evolves.
1.) The concept now is that the devices are tagged to your account and the control of the tokens are by the user
2.) The tokens expire every 90 days
3.) Removal requiring username/password sound appropriate since you don't want people to revoke your access_tokens without any verification. Of course, i understand having a mechanism to do so on the user side with an access_token would be cool!
I'm imagining something like a 1 time release using the same access_token to revoke the access token.
curl https://api.spark.io/v1/access_tokens/121e21ex1ex1x?access_token=121e21ex1ex1x -X DELETE
Maybe @Dave has more idea