> Blocking said search indexes is probably a good thing.

I feel like "we should ban all search engines" is going to be pretty unpopular.

> And when you use a token the site gives back a session key

And then you have a session key, until you don't, because you signed out of that account to sign into another one, or signed into it on a different browser or device etc.

> The server that issues the tokens restricts the number of uses of the credential.

Suppose I have a device on my home or corporate network that scans email links. It's only trying to filter malware and scams, but if a link goes to an adult content barrier then it needs tokens so it can scan the contents of the link to make sure there isn't malware behind the adult content barrier.

If I only have a finite number of tokens then the malware spammer can just send messages with more links than I have tokens until I run out, then start sending links to malware that bypass the scanner because it's out of tokens.