I use the gem devise_token_auth while developing an API for a mobile app.
Authors claim that:
Tokens should be invalidated after each request to the API.
This behavior is enabled by default. Can someone explain why?
The perfect answer will contain all the mandatory security mechanisms of this authentication method. Each one will be justified with the name of one associated attack. Special consideration must be given to the token invalidation.