Make Automated Token Reuse detection optional
Problem to solve
According to the Automatic reuse detection documentation, it sounds like using a revoked token causes the currently active token to be deactivated.
If an attacker somehow obtains a rotated token, they can call the rotate endpoint with it and thereby revoke the currently active token, which breaks the API integration.
Proposal
Make Automatic reuse detection for revoked access tokens optional, and emit an audit event when an inactive token is reused. This lets customers take manual action once they discover the leak.
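The following is an added illustration, not GitLab's code: a toy token store that models rotation with reuse detection under two policies. The class name TokenStore, the policy names :revoke_family and :audit_only, and the simulate helper are assumptions made for this example. It shows the trade-off the issue describes: when a rotated token is presented again, the :revoke_family policy kills the legitimate integration's active token (an availability impact), while the :audit_only policy records the reuse and leaves the active token working.

```ruby
require 'securerandom'

# Toy model of access-token rotation with automatic reuse detection.
# Added example, not GitLab code; names and policies are assumptions.
class TokenStore
  Token = Struct.new(:value, :family_id, :state) # state is :active or :revoked

  attr_reader :audit_log

  def initialize(reuse_policy: :revoke_family)
    @reuse_policy = reuse_policy
    @tokens = {}    # token value => Token
    @audit_log = [] # audit events emitted on reuse of a revoked token
  end

  # Issue a brand-new token that starts its own rotation family.
  def issue
    token = Token.new(SecureRandom.hex(16), SecureRandom.hex(8), :active)
    @tokens[token.value] = token
    token
  end

  # Rotate: the presented token is revoked and a fresh token in the same
  # family is returned. Presenting an already-revoked token is "reuse".
  def rotate(value)
    token = @tokens[value]
    return :unknown_token unless token
    return handle_reuse(token) if token.state == :revoked

    token.state = :revoked
    fresh = Token.new(SecureRandom.hex(16), token.family_id, :active)
    @tokens[fresh.value] = fresh
    fresh
  end

  # Plain API authentication: only an active token is accepted.
  def authenticate(value)
    token = @tokens[value]
    token && token.state == :active ? :ok : :rejected
  end

  private

  # Reuse of a revoked token is always audited; whether the whole family is
  # revoked as well depends on the configured policy.
  def handle_reuse(revoked)
    @audit_log << { event: 'revoked_token_reused',
                    family_id: revoked.family_id,
                    policy: @reuse_policy }
    if @reuse_policy == :revoke_family
      @tokens.each_value { |t| t.state = :revoked if t.family_id == revoked.family_id }
      return :reuse_detected_family_revoked
    end
    :reuse_detected_audited
  end
end

# Walk through the scenario from the issue under a given policy and report
# whether the legitimate integration's current token still works afterwards.
def simulate(policy)
  store = TokenStore.new(reuse_policy: policy)
  old = store.issue
  current = store.rotate(old.value) # legitimate rotation; `old` is now revoked
  store.rotate(old.value)           # the revoked token is presented again
  { integration_still_works: store.authenticate(current.value) == :ok,
    audit_events: store.audit_log.size }
end

if __FILE__ == $PROGRAM_NAME
  puts "revoke_family: #{simulate(:revoke_family)}"
  puts "audit_only:    #{simulate(:audit_only)}"
end
```

Under both policies the reuse is recorded once in the audit log; the difference is only whether the active token survives. A real implementation would forward the audit event to the instance's audit log or SIEM so that an operator can decide whether to rotate manually.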