On this page you can set restrictions separately for users and separately for client applications. For users, set the maximum number of valid codes as few as possible. The maximum number of valid tokens is the number of user logins multiplied by the number of client applications through which the user was authorized. It is advisable for clients to set the token validity to the same value, because the standard OAuth2 libraries for client applications will only recognize the validity of the access token. If your application is used in a small enterprise, then the value of the maximum number of valid tokens = 10,000 is quite enough. If you have a massive use case, then it is advisable to increase the value to 2 * number of client applications * number of users or up to the throughput of your cluster.