Comment 4 for bug 316733

I'm not sure if I entirely understand this whole OAuth and access-level system and I'm also no security expert. But in my opinion this is a typical usecase for the "write-private-data"-access-level, so a user would only be able to see/change his own tokens. Similar to the Web UI, where you also can only manage your own tokens.

In case I'm missing something, your last suggestion sounds perfect to me.

Markus