...
A user must be able to issue multiple refresh access tokens
A user must be able to view metadata about their active tokens, e.g. scope, a custom name/identifier
A user must be able to revoke an individual access token
Generated access tokens must use scopes as defined in the OAuth 2 implementation
Generated access tokens should only expire if unused for 180 days or manually revoked
From the perspective of a client application, access tokens must be “stateless”, i.e. they are neither single-use nor rotated
Generated access tokens should be bearer tokens
A password/session token must not be required to use an access token
It should be impossible for any actor other than the issuer, at creation time, to determine the token value (i.e. store only a hash of the token, never the plaintext).
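As an added illustration (not code from the original document or the project it describes), the following in-memory token store implements the requirements above: several tokens per user, per-token name and scopes visible as metadata, individual revocation, expiry only after 180 days without use, non-rotating bearer tokens that need no session, and storage of a hash rather than the plaintext. The `pat_` prefix, the `TokenRecord` layout and the `TokenStore` API are assumptions made for this example, and the clock is injectable purely so the inactivity expiry can be exercised deterministically.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Tokens expire only through inactivity (180 days, per the requirements) or revocation.
INACTIVITY_LIMIT = timedelta(days=180)
TOKEN_PREFIX = "pat"  # assumed prefix; makes tokens recognisable to secret scanners


@dataclass
class TokenRecord:
    token_id: str          # public identifier, safe to show in the UI
    user_id: str
    name: str              # user-chosen label for the token
    scopes: frozenset      # OAuth 2 scopes granted to this token
    secret_hash: str       # SHA-256 of the secret part; the plaintext is never stored
    created_at: datetime
    last_used_at: datetime
    revoked: bool = False


def _hash_secret(secret: str) -> str:
    # The secret carries 256 bits of entropy, so plain SHA-256 suffices: unlike a
    # password, there is nothing for someone holding the database to brute-force.
    return hashlib.sha256(secret.encode("ascii")).hexdigest()


class TokenStore:
    def __init__(self, now=None):
        self._records: dict[str, TokenRecord] = {}
        self._now = now or (lambda: datetime.now(timezone.utc))

    def issue(self, user_id: str, name: str, scopes) -> str:
        """Create a token; the plaintext is returned exactly once and never stored."""
        token_id = secrets.token_hex(8)
        secret = secrets.token_hex(32)      # hex only, so '_' is a safe separator
        now = self._now()
        self._records[token_id] = TokenRecord(
            token_id, user_id, name, frozenset(scopes), _hash_secret(secret), now, now)
        return f"{TOKEN_PREFIX}_{token_id}_{secret}"

    def list_metadata(self, user_id: str):
        """Metadata a user may see about their active tokens; never the hash or secret."""
        return [
            {"id": r.token_id, "name": r.name, "scopes": sorted(r.scopes),
             "created_at": r.created_at, "last_used_at": r.last_used_at}
            for r in self._records.values()
            if r.user_id == user_id and not r.revoked
        ]

    def revoke(self, user_id: str, token_id: str) -> bool:
        rec = self._records.get(token_id)
        if rec is None or rec.user_id != user_id:
            return False   # do not reveal whether the id belongs to another user
        rec.revoked = True
        return True

    def authenticate(self, token: str, required_scope: str):
        """Return the owning user_id if this bearer token is valid for the scope, else None."""
        parts = token.split("_", 2)
        if len(parts) != 3 or parts[0] != TOKEN_PREFIX:
            return None
        _, token_id, secret = parts
        rec = self._records.get(token_id)
        if rec is None or rec.revoked:
            return None
        # Constant-time comparison of the hashes avoids a timing side channel.
        if not hmac.compare_digest(_hash_secret(secret), rec.secret_hash):
            return None
        now = self._now()
        if now - rec.last_used_at > INACTIVITY_LIMIT:
            return None    # expired through 180 days of inactivity
        if required_scope not in rec.scopes:
            return None
        rec.last_used_at = now   # token stays valid: it is neither consumed nor rotated
        return rec.user_id
```

Embedding a random `token_id` in the token itself lets the server find the record directly and hash only the secret half, instead of hashing the whole token and scanning for a match; the id by itself grants nothing, so exposing it in the metadata listing is harmless.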
...