FWIW, you will not find the token listed by `gh auth token` in any PAT settings screen. Those tokens are hidden/excludsive to the OAuth app & they don't get revoked when you run `gh auth logout` or `gh auth refresh`. You must revoke the app to kill them.
That's scary
Yea - you can test it yourself (see screenshot attached). I believe there's roughly a ~10 token limit per OAuth Authorized App where they'd then start to popping off after that (so just run `gh auth refresh` 10 times & you're good 😉). Again, no UI/UX that lists these tokens from GH (no API either).
