Glaring security hole with the code [here](https://github.com/mrsheepuk/ASPNETSelfCreatedTokenAuthExample/blob/master/src/TokenAuthExampleWebApplication/Controllers/TokenController.cs#L33) means that if anyone compromises a single active token, they could remain logged in forever, even if the user changed their password or "logged out". To fix this, [refresh tokens](https://auth0.com/docs/refresh-token) must be implemented, which can be revoked.