Working on expiring tokens for the WordPress IndieAuth endpoint. This would be a breaking change, as currently, tokens issued by the endpoint never expire. This is a security concern, if you keep issuing tokens without ever expiring them. With the new system, you can renew a token, or even disable expiry in the admin if you need a long-lived token. There is a way to have the client get new tokens regularly that I could implement, but currently no client supports it.