Which statement is true about token revocation and reissuance?

Prepare for the Trusted Agent Exam with engaging questions, flashcards, and detailed explanations. Dive deep into essential topics to increase your chances of success. Ace your exam with confidence!

Multiple Choice

Which statement is true about token revocation and reissuance?

Explanation:
When managing tokens, revoking the current credential before issuing a replacement is the standard approach to prevent abuse. Revoking marks the active token as invalid so that services validating the token will reject it, and the new token becomes the only valid credential. If you reissue without revoking, the old token remains usable for a while, creating a window where both tokens could be accepted and could be misused if the old one were compromised. In secure systems, revocation isn’t optional—you rely on revocation lists or status checks to invalidate tokens that should no longer be trusted. Reissuance isn’t typically automatic; it’s a controlled process that occurs in response to a request or policy, coordinated with revocation to ensure the old token can no longer be used.

