The manage token page allows a user to revoke webservice tokens and rss tokens:
But there are other token types that are broadly equivalent or worse in risk profile to rss tokens. So proposing that this page show all tokens, their ip restrictions and expiry and where you can revoke them all.
There could be some sort of callback or auto loaded class so that a core component or a plugin which uses login keys can easily augment the behavior, eg maybe it could declare that keys can be revoked but should not be visible, or declare a link to . All of the rss specific logic should be moved to use this so it's just another type of managed token with no special priority.