PHP
david2555, 2018-04-11 15:59:28

How to register on a site in PHP via an API?

Hello, I know that there are 2 ways to register on a site: through cookies and through sessions. I need to register through an API (VK, FB or another site, it doesn't matter which API). I wanted to know how registration through an API works. The login is stored in a regular browser and the password in md5, and in an API, as far as I know, there is a token key, and I can't understand how this whole algorithm works. I know how to get a token key, but I can't register because I don't understand how it works. Please, if anyone has a link on this topic, send it, or write a solution. I need the general concept of registering through a token, not of getting a token. Thanks, everyone.


1 answer(s)
Satisfied IT, 2018-04-11
@david2555

To quote Anton B's answer from the question "How to use tokens for API authentication?":
1. For authorization, the user enters a login and password, and the device sends them via https to account/auth
2. account/auth issues a token (token_id:token_val) and a secret
3. the device sends all further requests via http, specifying the token and signing the requests using the secret
How it works.
The server receives the request, sees that a token has arrived, and splits it on the colon into input_id and input_val. It selects the token with the received input_id from the database and gets the values of token_val and secret. It compares input_val and token_val. If there is a token with the required id in the database and the val values are equal, it's time to check the validity of the request.
In addition to the token, the client passed sign (the signature), which was formed in the following way (for example): secret+api_path+query_param. On the server side, you know api_path and api_param, and secret is taken from the database. It is customary to hash the signature via hmac().
In addition to the token and signature, you can pass the time and also put it in sign, and on the server side cut off requests that are more than 60 seconds old.
Thus:
If someone is listening to your channel, they will not be able to forge requests (and therefore compromise you), and due to the request lifetime check, they will not be able to keep receiving data forever from a request they intercepted once.
And you can store tokens in the database until the client itself requests their destruction, save the time of the last access through each token, and delete tokens that have not been used for more than 60 days.
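
The server-side check described in the answer above, as an added PHP example that is not part of the original answer: the token is split and compared with the stored value, the request time is checked against the 60-second window, and the signature is recomputed and compared. The token store, path, parameter names and message layout are assumptions for illustration; the secret is used here as the HMAC key rather than concatenated into the message.

```php
<?php
// Constructed sample token store: token_id => [token_val, secret].
// In a real service these rows come from the database.
$tokens = [
    '42' => ['val' => 'f3a9c1d7e2', 'secret' => 'sample-secret-not-for-production'],
];

// Client and server build the signature the same way.
// Assumption: HMAC-SHA256 keyed with the secret over path, sorted query and time.
function sign_request(string $secret, string $path, array $params, int $time): string
{
    ksort($params);                       // canonical parameter order
    $message = $path . "\n" . http_build_query($params) . "\n" . $time;
    return hash_hmac('sha256', $message, $secret);
}

// Server side: true only if token, freshness and signature all check out.
function verify_request(array $tokens, string $token, string $path,
                        array $params, int $time, string $sign, int $now): bool
{
    $parts = explode(':', $token, 2);     // "token_id:token_val"
    if (count($parts) !== 2 || !isset($tokens[$parts[0]])) {
        return false;                     // malformed or unknown token
    }
    $row = $tokens[$parts[0]];
    if (!hash_equals($row['val'], $parts[1])) {
        return false;                     // token value mismatch (constant-time compare)
    }
    if (abs($now - $time) > 60) {
        return false;                     // outside the 60-second window
    }
    $expected = sign_request($row['secret'], $path, $params, $time);
    return hash_equals($expected, $sign); // constant-time signature compare
}

// Demo with constructed values.
$now    = time();
$params = ['user_id' => '7', 'fields' => 'name'];
$sign   = sign_request($tokens['42']['secret'], '/api/profile', $params, $now);

// Untouched request, checked immediately.
var_dump(verify_request($tokens, '42:f3a9c1d7e2', '/api/profile', $params, $now, $sign, $now));
// Query parameter changed after signing.
var_dump(verify_request($tokens, '42:f3a9c1d7e2', '/api/profile', ['user_id' => '8'], $now, $sign, $now));
// Same request checked 120 seconds later.
var_dump(verify_request($tokens, '42:f3a9c1d7e2', '/api/profile', $params, $now, $sign, $now + 120));
```

Because the time is part of the signed message, changing it to make an old request look fresh also invalidates the signature.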
