So I've made some tweaks here:
http://xenforo.com/api/
I've added a mention of regenerating tokens if you wish, but that there's a trade-off. I've added a clarification of expectations if you ask for tokens from people. I've also added a set of best practices.
One of the key best practice options involves asking the person supplying you with a token to put something on the domain that matches the token, like Google Webmaster Tools. You can use this to verify that the token actually belongs to them. Obviously, it's up to people to implement that step though.
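As an added example of the domain-verification step described above (this is not part of the post above and not XenForo's own code), here is one way a third party could implement the check in Python. The verification file path, the choice to publish a domain-bound SHA-256 hash rather than the raw token, and the sample token are all assumptions made for this example.

```python
import hashlib
import hmac
import re
from typing import Callable
from urllib.request import urlopen

# Hypothetical path chosen for this example; XenForo does not prescribe one.
VERIFY_PATH = "/.well-known/token-verify.txt"

# Accept only a bare hostname: dot-separated labels of letters, digits, hyphens.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def normalize_domain(domain: str) -> str:
    """Lower-case, strip a trailing dot, and reject anything that is not a hostname."""
    host = domain.strip().lower().rstrip(".")
    if not _HOST_RE.match(host):
        raise ValueError(f"not a bare hostname: {domain!r}")
    return host


def challenge_value(token: str, domain: str) -> str:
    """Value the token's owner is asked to publish on their domain.

    Publishing a hash bound to the domain (assumed scheme for this example)
    keeps the raw token out of a public file and makes the proof useless
    if copied to any other domain.
    """
    material = f"{normalize_domain(domain)}:{token}".encode("utf-8")
    return hashlib.sha256(material).hexdigest()


def default_fetch(url: str) -> str:
    """Fetch the verification file over HTTPS, reading at most 4 KiB."""
    with urlopen(url, timeout=10) as resp:
        return resp.read(4096).decode("utf-8", errors="replace")


def verify_domain_claim(
    token: str, domain: str, fetch: Callable[[str], str] = default_fetch
) -> bool:
    """True only if the domain publishes exactly the challenge for this token.

    Any failure (bad hostname, unreachable host, TLS error, wrong or missing
    content) is treated as "not verified" rather than raising.
    """
    try:
        host = normalize_domain(domain)
        body = fetch(f"https://{host}{VERIFY_PATH}")
    except Exception:
        return False
    stripped = body.strip()
    published = stripped.splitlines()[0].strip() if stripped else ""
    expected = challenge_value(token, host)
    # Constant-time comparison on bytes; str comparison would reject non-ASCII input.
    return hmac.compare_digest(published.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample token and domain: this is what you would tell the
    # token holder to publish at https://example.com/.well-known/token-verify.txt
    print(challenge_value("constructed-token-123", "example.com"))
```

The `fetch` parameter exists so the check can be exercised offline and so that the HTTP client can be swapped for one with stricter limits; in production you would also want to refuse private or loopback addresses before connecting and log failed verifications against the account that supplied the token.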