safing / portbase

Golang Service Project Baseline

Use JWT for API Authentication Tokens

dhaavi opened this issue · comments

I guess it would be easier to use a JWT here: generate a random key at the beginning and use that key to sign/encrypt JWT issued to clients. This way we can remove the global state validTokens which will make unit testing easier and we also don't need to care about token cleanup. The JWT RFC already defines an "expiresAt" field so we don't need any global state to verify if a token is valid or not.

If we start issuing long-lived API tokens JWT would also be a better choice because we can simply store the signing key instead of tracking each and every token.

Originally posted by @ppacher in #55
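The design sketched above, as an added example and not portbase's own code: one random HMAC key drawn at process start, HS256-signed JWTs carrying an RFC 7519 `exp` claim, and a verifier that needs no table of issued tokens. It uses only the Go standard library; the `Issuer` type, the `sub` claim and the one-hour TTL are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Issuer holds the only state the proposal needs: a signing key generated at
// startup. No map of valid tokens, so nothing to clean up or mock in tests.
type Issuer struct {
	key []byte
}

// NewIssuer draws a fresh 256-bit HMAC key. Tokens from a previous process
// lifetime fail verification automatically because the key is gone.
func NewIssuer() (*Issuer, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &Issuer{key: key}, nil
}

// claims is the minimal payload: subject plus "exp" (RFC 7519 section 4.1.4).
type claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

var (
	enc             = base64.RawURLEncoding
	ErrInvalidToken = errors.New("invalid token")
	ErrExpired      = errors.New("token expired")
)

func (i *Issuer) sign(signingInput string) string {
	mac := hmac.New(sha256.New, i.key)
	mac.Write([]byte(signingInput))
	return enc.EncodeToString(mac.Sum(nil))
}

// Issue returns an HS256 JWT for subject that expires ttl after now.
func (i *Issuer) Issue(subject string, ttl time.Duration, now time.Time) (string, error) {
	header := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, err := json.Marshal(claims{Sub: subject, Exp: now.Add(ttl).Unix()})
	if err != nil {
		return "", err
	}
	signingInput := header + "." + enc.EncodeToString(payload)
	return signingInput + "." + i.sign(signingInput), nil
}

// Verify pins the algorithm to HS256 (so an "alg":"none" header is rejected),
// compares the MAC in constant time, then checks exp against now. Validity is
// derived entirely from the token and the key; no global lookup is needed.
func (i *Issuer) Verify(token string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", ErrInvalidToken
	}
	headerJSON, err := enc.DecodeString(parts[0])
	if err != nil {
		return "", ErrInvalidToken
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(headerJSON, &header); err != nil || header.Alg != "HS256" {
		return "", ErrInvalidToken
	}
	expected := i.sign(parts[0] + "." + parts[1])
	if !hmac.Equal([]byte(parts[2]), []byte(expected)) {
		return "", ErrInvalidToken
	}
	payloadJSON, err := enc.DecodeString(parts[1])
	if err != nil {
		return "", ErrInvalidToken
	}
	var c claims
	if err := json.Unmarshal(payloadJSON, &c); err != nil {
		return "", ErrInvalidToken
	}
	// RFC 7519: the current time must be strictly before exp.
	if now.Unix() >= c.Exp {
		return "", ErrExpired
	}
	return c.Sub, nil
}

func main() {
	iss, err := NewIssuer()
	if err != nil {
		panic(err)
	}
	tok, _ := iss.Issue("portmaster-ui", time.Hour, time.Now())
	sub, err := iss.Verify(tok, time.Now())
	fmt.Println(sub, err)
}
```

Long-lived tokens work the same way: persisting the key is enough, and rotating it invalidates every outstanding token at once, which is the trade-off to keep in mind against the per-token tracking the `validTokens` map gives.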

This might be re-evaluated later when we better know which final requirements we have.

Closing as part of a cleanup.