stoney core: OpenLDAP directory data organisation

53 bytes added, 13:44, 13 April 2021
/* People - Person - Session tokens */
With session tokens, the client discards the token when the user logs out. However, anyone who keeps hold of the token can still make API requests with it until the token expires. In other words: a "log out" procedure doesn't really exist and can't be implemented properly. The remedy most commonly mentioned on the internet is a "revocation list" or "blacklist" containing the tokens which have been revoked. This makes the API stateful, because the token list must be stored somewhere. In our case, we store the session tokens in a leaf beneath the person (as these tokens are personal).
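The difference between a self-contained token and a token stored beneath the person, as an added Python example (not part of the stoney core code base): the dictionary stands in for the directory, and the DN used in the test, the function and class names, and the choice to store only a SHA-256 digest of each token are assumptions of this example.

```python
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)  # constructed signing key for the stateless variant

def _mac(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def stateless_issue(uid, expires):
    """Self-contained token: the server keeps no record of it."""
    payload = f"{uid}|{expires}"
    return f"{payload}|{_mac(payload)}"

def stateless_valid(token, now):
    """Only signature and expiry can be checked, so a logout cannot be enforced."""
    parts = token.rsplit("|", 2)
    if len(parts) != 3 or not parts[1].isdecimal():
        return False
    uid, expires, mac = parts
    expected = _mac(f"{uid}|{expires}")
    return hmac.compare_digest(mac.encode(), expected.encode()) and now < int(expires)

class PersonTokenStore:
    """Stand-in for the token leaf beneath each person: DN -> {digest: expiry}."""

    def __init__(self):
        self.by_person = {}

    @staticmethod
    def _digest(token):
        # Assumption of this example: keep only a hash, so a directory dump
        # does not hand out usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, person_dn, expires):
        token = secrets.token_urlsafe(32)
        self.by_person.setdefault(person_dn, {})[self._digest(token)] = expires
        return token

    def valid(self, person_dn, token, now):
        """A token counts only while its entry exists and has not expired."""
        expires = self.by_person.get(person_dn, {}).get(self._digest(token))
        return expires is not None and now < expires

    def logout(self, person_dn, token):
        """Server-side revocation: delete the stored entry."""
        return self.by_person.get(person_dn, {}).pop(self._digest(token), None) is not None
```

After `logout()` the stored token is rejected immediately, while the self-contained token stays valid until its expiry time even though the client has thrown it away.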
===== People - Person - Session tokens example =====
Below each person entry, we have a token subtree, which stores the session tokens:
<source lang='ldif'>