by ars 3628 days ago
They manage to distribute your password everywhere, don't they?

IMO every auth key should always be hashed with your password (or its hash) - changing your password should automatically revoke every auth key even if you don't do it manually.

1 comments

When generating auth tokens for Django apps, I've previously put the user's password's salt into the token for this purpose. The salt is not secret and changes whenever the password changes.
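
An added example, not the commenter's code and not Django's own API, of the scheme described in the reply above: the user's current password salt is bound into the token's MAC, so a password change (which draws a new salt) invalidates every token issued earlier. `SERVER_KEY`, the in-memory `USERS` store and all function names are hypothetical, and usernames are assumed not to contain `:`.

```python
import hashlib
import hmac
import os
import time

SERVER_KEY = b"constructed-demo-key"  # assumption: server-side signing secret
USERS = {}  # constructed store: username -> {"salt": bytes, "pw_hash": bytes}

def set_password(username, password):
    """Store a salted hash; a fresh salt is drawn on every password change."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    USERS[username] = {"salt": salt, "pw_hash": pw_hash}

def _mac(username, expires, salt):
    # The salt is not secret; it only ties the token to the current password.
    msg = b"|".join([username.encode(), str(expires).encode(), salt.hex().encode()])
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_token(username, ttl=3600, now=None):
    """Return 'username:expiry:mac' bound to the user's current salt."""
    expires = int(time.time() if now is None else now) + ttl
    return f"{username}:{expires}:{_mac(username, expires, USERS[username]['salt'])}"

def verify_token(token, now=None):
    """Return the username if the token is intact, unexpired and matches the
    salt stored right now; otherwise None."""
    try:
        username, expires_s, mac = token.split(":")
        expires = int(expires_s)
    except ValueError:
        return None  # malformed token
    user = USERS.get(username)
    if user is None or expires < (time.time() if now is None else now):
        return None
    expected = _mac(username, expires, user["salt"])
    ok = hmac.compare_digest(mac.encode(), expected.encode())
    return username if ok else None

if __name__ == "__main__":
    set_password("alice", "old password")
    tok = issue_token("alice")
    print("before change:", verify_token(tok))
    set_password("alice", "new password")  # new salt, old token stops verifying
    print("after change: ", verify_token(tok))
```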