You get an access_token after first connecting to the api with username/password - give them that instead, That still gives full access to the car (apart from being able to start it) but at least they can't change your account details with it and you can revoke it by changing your password as normal
I've developed a Drupal 8 connector module and my team of developers at my office wants to work on it and create a Vue or React front end to the app. I just don't want them honking my horn or opening my doors all hours of the night. I'd love it if there was a dummy token or something that could be used that just sends a "command valid" or some kind of console log. I could probably create one, but I'm not sure how to validate the command without executing it.