The calendar export tokens are deterministic based off the users password and a shared password salt.
This has a few downsides:
1) if you change your password then all your calendar links break which probably wasn't intended and isn't how other apps work. eg private Google calendars links don't break when you update your google password. There is no warning about this anywhere on the calendar export page, or on the password reset page.
2) You cannot revoke the token without changing your password
3) if you use an external auth like saml / oidc then your password is null which means you cannot revoke your calendar token at all if it is compromised
So proposing to just migrate these tokens to use the same create_user_key / validate_user_key as the rss feeds and other places do. On top of that these keys, and all other user keys, should be manageable in a generic way so they are revocable in a single place along side the rss tokens, see MDL-73088.