Hi Terence, Great to hear these thoughts. What approaches do other OAuth providers take to this problem? Revoking all OAuth tokens on a password change/reset takes away a good chunk of the value that many people get from using OAuth. Maybe making 'revoke all' an option for users after a password reset would improve the situation.