The devise_token_auth docs say that "Tokens should be invalidated after each request to the API." https://github.com/lynndylanhurley/devise_token_auth/blob/master/docs/conceptual.md#about-token-management

But why? What is the risk if tokens are not invalidated after each request? For example, what if a token is valid for a minute or two after the request? Or, if a token stays valid for a week or two?

repalviglator

1 Answer

The token generated by devise_token_auth is a credential token: it sums up your login and password, so with this single string alone one can identify oneself to your app.

To be as secure as possible, you have to invalidate this token as fast as possible: for as long as the token is valid, someone can use it to access your precious bacon.

Invalidating a token on each request of a user is easy: each time I talk to you, I give you my current token; when you answer, you give me a new one that allows me to continue talking to you.

But using another mechanism will cost you: each time I talk to you, I'll give you my token, and you'll have to make calculations (=> CPU) to check how long it has been since I last spoke to you (so you also have to store (=> Memory) that information).

That's my understanding of the reason.

gfd
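The exchange the answer describes (client presents its current token, server consumes it and hands back a fresh one), as an added, self-contained Ruby illustration that is not devise_token_auth's own code; `RotatingTokenStore`, `demo` and the user id 42 are constructed for this example.

```ruby
require 'securerandom'
require 'digest'

# Minimal in-memory store that rotates the access token on every
# authenticated request. Only a SHA-256 digest of each token is kept,
# so a copy of the store does not leak usable credentials.
class RotatingTokenStore
  def initialize
    @tokens = {} # token digest => user id
  end

  # Login: issue the first token for a user and return it to the client.
  def issue(user_id)
    token = SecureRandom.urlsafe_base64(32)
    @tokens[digest(token)] = user_id
    token
  end

  # Authenticate one request. The presented token is consumed (deleted)
  # before a replacement is issued, so it can never be accepted twice.
  # Returns [user_id, new_token] on success, nil if the token is unknown
  # or has already been used.
  def authenticate(token)
    user_id = @tokens.delete(digest(token))
    return nil unless user_id
    [user_id, issue(user_id)]
  end

  def valid?(token)
    @tokens.key?(digest(token))
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end

# Walk through one round trip: after the first request the old token is
# dead, so a copy captured in transit gets nothing on replay.
def demo
  store = RotatingTokenStore.new
  t1 = store.issue(42)                 # constructed user id
  user, t2 = store.authenticate(t1)    # request 1: t1 consumed, t2 issued
  replay = store.authenticate(t1)      # attempted reuse of t1 => nil
  { user: user, old_valid: store.valid?(t1),
    new_valid: store.valid?(t2), replay: replay }
end
```

In this strict single-use form, two requests sent concurrently with the same token will collide, which is why a real deployment needs a short grace window for batched requests rather than a hard one-token-one-request rule.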