Well, the idea behind tokens is that they should be time and authZ limited. In most cases they are not, so they degrade to a glorified static password.
Solutions like generating them live with a short lifetime, using solutions like OAuth w/ proper scopes, biscuits that limit what they can do in detail, etc., all exist and are rarely used.