I think it may be too easy to create an unlimited token by mistake. by hitting the Return key midway through the creation of a token, I was able to create a token that applied to all nodeIds and sourceIds without expiry. I think maybe the default should be that it's not active, if you don't specify some details about nodeId, sourceId and Expiry. I found the token and deleted it but it made me wonder whether this could pose a security risk later.