[1][2][3][4] Though associated with a single account, multiple PATs may be created, and can be manipulated independently of the password associated with that account, including creation and revocation of PATs without altering the password.
The PAT is usually generated automatically by the remote system — for example, as a string of 52 alphanumeric characters.
Typically, permissions may also be adjusted for each PAT individually, allowing or restricting access to certain classes of data or functions on the remote system.
This can be a useful form of delegation of authorization, for example, when creating programs that will access the remote system.
If the token is a JWT token it can use the exp[5] claim to declare a expiration time and the jti[6] claim to declare a unique identifier for the JWT which can be used to revoke it.