Token Replay Attack
Authorization tokens used to establish initial trust must have a one-time-use property. Examples include tokens for password reset, multi-factor authentication (MFA) setup, or API key registration. If these tokens can be reused, an adversary who intercepts or replays them may gain unauthorised access, reset credentials, or escalate privileges. Reusable tokens increase the risk of replay attacks, account takeover, and persistence in sensitive workflows.
A common pitfall is the misuse of JSON Web Tokens (JWTs) as one-time tokens. JWTs are inherently stateless and cannot be revoked or invalidated after first use without introducing additional state management. If a JWT is issued for account recovery or sensitive one-time actions, its reuse could allow repeated execution of privileged actions until the token naturally expires.
Remediation
- Enforce a one-time-use property for sensitive tokens in session and identity management.
- Immediately invalidate or remove tokens from the server after their first successful use.
- Use opaque, stateful tokens stored server-side for one-time workflows (e.g., password reset, MFA setup).
- Avoid using stateless tokens (such as JWTs) for one-time operations; they cannot guarantee single use without server-side state tracking.
- Apply short expiration times in addition to one-time-use guarantees to further reduce the replay window.
- Log every issuance and use of sensitive tokens, and audit those logs to detect replay attempts or other anomalies in sensitive flows.
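The remediation steps above, and the contrast with a stateless JWT drawn in the description, can be put together in a small server-side store. The following is an added example written for this page, not code from the original document or any project it refers to. It assumes Python, uses an in-memory dictionary as a stand-in for the database a real service would use, and all subjects, purposes and timestamps in it are constructed sample values. The token itself is an opaque random string; only its SHA-256 digest is stored, the record is removed atomically on first use (which is what makes replay fail), expiry is checked on top of that, and every decision is appended to an audit log so replays can be counted.

```python
"""Constructed example: opaque, stateful one-time tokens with expiry and audit logging."""
import hashlib
import secrets
import time


class OneTimeTokenStore:
    """Issues opaque tokens and guarantees each is accepted at most once.

    The in-memory dict stands in for a server-side table (assumption for this
    example); the same logic applies to a database row deleted in one statement.
    """

    def __init__(self, ttl_seconds=900, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be demonstrated offline
        self._records = {}          # sha256(token) -> {"subject", "purpose", "expires_at"}
        self.audit_log = []         # one entry per issue/consume decision

    @staticmethod
    def _digest(token):
        # Only the hash is persisted, so a leaked table yields no usable tokens.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def _log(self, event, subject, purpose):
        self.audit_log.append(
            {"ts": self.clock(), "event": event, "subject": subject, "purpose": purpose}
        )

    def issue(self, subject, purpose):
        """Create a fresh random token bound to a subject and a single purpose."""
        token = secrets.token_urlsafe(32)   # 256 bits of randomness, URL-safe
        self._records[self._digest(token)] = {
            "subject": subject,
            "purpose": purpose,
            "expires_at": self.clock() + self.ttl,
        }
        self._log("issued", subject, purpose)
        return token

    def consume(self, token, purpose):
        """Return the bound subject on the first valid use, None otherwise.

        The record is removed before any other check, so a second presentation,
        or a presentation for the wrong purpose, can never succeed later.
        """
        record = self._records.pop(self._digest(token), None)
        if record is None:
            # Unknown digest: never issued, already consumed (replay) or burned.
            self._log("rejected_unknown_or_replayed", None, purpose)
            return None
        if record["purpose"] != purpose:
            self._log("rejected_wrong_purpose", record["subject"], purpose)
            return None
        if self.clock() > record["expires_at"]:
            self._log("rejected_expired", record["subject"], purpose)
            return None
        self._log("consumed", record["subject"], purpose)
        return record["subject"]

    def replay_attempts(self):
        """Audit helper: entries where a token was presented but no record existed."""
        return [e for e in self.audit_log if e["event"] == "rejected_unknown_or_replayed"]


def demo():
    """Walk a constructed password-reset and MFA-setup flow through the store."""
    now = [1_000_000.0]                      # fake clock, constructed value
    store = OneTimeTokenStore(ttl_seconds=900, clock=lambda: now[0])

    reset = store.issue("alice@example.com", "password_reset")
    first = store.consume(reset, "password_reset")    # accepted once
    second = store.consume(reset, "password_reset")   # replay: record already gone

    mfa = store.issue("bob@example.com", "mfa_setup")
    now[0] += 901                                     # step past the 900 s TTL
    expired = store.consume(mfa, "mfa_setup")         # rejected as expired

    return first, second, expired, len(store.replay_attempts())


if __name__ == "__main__":
    print(demo())
```

Because `consume` removes the record before validating it, any failed attempt burns the token rather than leaving it live, which is the fail-closed behaviour you want for recovery and enrolment flows; the same removal is what a JWT cannot do on its own, since it carries no server-side record to delete.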
Metadata
- Severity: low
- Slug: token-reply-attack
CWEs
- 307: Improper Restriction of Excessive Authentication Attempts
- 799: Improper Control of Interaction Frequency
- 287: Improper Authentication
- 384: Session Fixation
OWASP
- A07:2021: Identification and Authentication Failures