by ncallaway 749 days ago
Which, like, if posting random keys has any realistic plausibility of collision, malicious revoking of keys is the least of your concerns.

People could just hit important data fetch endpoints with random keys, until they find one that’s good, and then have a compromised account.
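To put numbers on "realistic plausibility of collision", here is a small added calculation (not part of the thread): the chance that blind, uniformly random guesses hit any currently valid key, given the key length in bits and the number of issued keys. It assumes keys are generated uniformly at random; a 128-bit key with ten million live accounts is compared against a hypothetical 32-bit key, which is the case the comment warns about.

```python
import math


def hit_probability(key_bits: int, valid_keys: int, guesses: int) -> float:
    """Probability that at least one of `guesses` independent random keys
    matches one of `valid_keys` live keys in a keyspace of 2**key_bits.

    Assumes keys are drawn uniformly from the full keyspace (the honest
    issuer case). Uses log1p/expm1 so tiny per-guess probabilities do not
    round to zero in floating point.
    """
    p_single = valid_keys / 2 ** key_bits
    # P(at least one hit) = 1 - (1 - p)^guesses
    return -math.expm1(guesses * math.log1p(-p_single))


def expected_guesses_to_hit(key_bits: int, valid_keys: int) -> float:
    """Average number of random guesses before the first hit on any live key."""
    return 2 ** key_bits / valid_keys


if __name__ == "__main__":
    # Constructed scenario: 10 million issued keys, attacker sends 1 billion guesses.
    live, attempts = 10**7, 10**9
    for bits in (128, 64, 32):
        p = hit_probability(bits, live, attempts)
        print(f"{bits:3d}-bit keys: P(hit) = {p:.3e}, "
              f"expected guesses = {expected_guesses_to_hit(bits, live):.3e}")
```

For 128-bit keys the probability is around 1e-23 even after a billion attempts, so key invalidation by guessing is not a practical threat; for 32-bit keys the same traffic is essentially certain to land on a live account, which is the failure mode that rate limiting and proper key entropy exist to prevent.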

1 comment

Good point. Presented that way, I am seeing more positives to their policies; in particular, if a vulnerability was unearthed by the invalidation quirk, it's a way better way to find out than any other way.