When a new token is generated: by logging in with something like this:
curl http://127.0.0.1:24000/users/login -d "username=name&password=123"

You get a token for the auth to use the Rest API.

When i login in again to get a new Token, the old Token is still accepted as valid.

Shouldn`t the old token not be replaced by the new Token or set as invalid?

Come to think of it... the auth / login stuff is done by which package (is it https://atmospherejs.com/simple/rest-accounts-password ? ) ?