
Token generation uses UUID v3 and UUID v5

Open hotab opened this issue 6 years ago • 0 comments

Internally, token generation uses UUIDv3 and UUIDv5. RFC 4122 recommends against using them as security credentials.

Ref: https://en.wikipedia.org/wiki/Universally_unique_identifier#Versions_3_and_5_(namespace_name-based).

Additionally, after generation they are base64-encoded and converted to uppercase, reducing entropy a bit more. Generally, according to https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Session_Management_Cheat_Sheet.md#session-id-entropy, the token will have entropy below the recommended minimum.

hotab, Apr 22 '19 15:04
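Added example, not part of the issue or of the project's code: it reconstructs the pipeline the report describes (name-based UUID, then base64, then uppercase) from the Python standard library, shows why a UUIDv5 is reproducible by anyone who knows its inputs, and quantifies what the uppercasing step costs. The namespace `APP_NAMESPACE` and the name `GRANT_NAME` are constructed stand-ins for whatever a real generator hashes; the `random_token` function is the CSPRNG alternative, not the project's API.

```python
import base64
import hashlib
import math
import secrets
import uuid
from collections import Counter

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
OWASP_MIN_SESSION_ID_BITS = 64  # minimum from the OWASP Session Management Cheat Sheet

# Constructed inputs (hypothetical): a fixed application namespace and a per-grant
# name assembled from fields a client or an observer could plausibly know.
APP_NAMESPACE = uuid.UUID("12345678-1234-5678-1234-567812345678")
GRANT_NAME = "client=web-app;user=alice;issued=1555945440"


def uuid5_from_scratch(namespace: uuid.UUID, name: str) -> uuid.UUID:
    """RFC 4122 name-based UUID, version 5: SHA-1(namespace || name), truncated to
    16 bytes, with 6 bits overwritten for version and variant. v3 is the same
    construction with MD5. Nothing here depends on a secret."""
    digest = bytearray(hashlib.sha1(namespace.bytes + name.encode("utf-8")).digest()[:16])
    digest[6] = (digest[6] & 0x0F) | 0x50  # version nibble = 5
    digest[8] = (digest[8] & 0x3F) | 0x80  # variant bits = 10xx
    return uuid.UUID(bytes=bytes(digest))


def same_as_stdlib_uuid5(namespace: uuid.UUID, name: str) -> bool:
    """Sanity check: the hand-rolled construction matches uuid.uuid5."""
    return uuid5_from_scratch(namespace, name) == uuid.uuid5(namespace, name)


def name_based_token(namespace: uuid.UUID, name: str) -> str:
    """The pipeline the issue describes: UUIDv5 -> base64 -> uppercase."""
    raw = uuid.uuid5(namespace, name).bytes
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode().upper()


def attacker_recompute(namespace: uuid.UUID, name: str) -> str:
    """Whoever knows (or enumerates) the inputs derives the identical token offline."""
    raw = uuid5_from_scratch(namespace, name).bytes
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode().upper()


def random_token(nbytes: int = 32) -> str:
    """CSPRNG alternative: nbytes from os.urandom, base64 with case preserved."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode()


def _shannon_bits(symbols) -> float:
    counts = Counter(symbols)
    total = sum(counts.values())
    return -sum(n / total * math.log2(n / total) for n in counts.values())


def base64_char_entropy_bits(uppercase: bool) -> float:
    """Entropy of one base64 character of a uniformly random string. Uppercasing
    folds 52 letters onto 26: 6 bits per character become about 5.19."""
    return _shannon_bits(c.upper() if uppercase else c for c in B64_ALPHABET)


def encoded_entropy_bits(nbytes: int, uppercase: bool) -> float:
    """Entropy of base64(nbytes of uniformly random input), optionally uppercased.
    Full characters are independent and uniform over 64 symbols; the final
    character carries only the leftover bits, placed in its high positions.
    For a name-based UUID this is only a ceiling: 6 of the 128 bits are fixed
    and the real bound is the entropy of the name being hashed."""
    full_chars, tail_bits = divmod(8 * nbytes, 6)
    bits = full_chars * base64_char_entropy_bits(uppercase)
    if tail_bits:
        tail_chars = [B64_ALPHABET[v << (6 - tail_bits)] for v in range(1 << tail_bits)]
        bits += _shannon_bits(c.upper() if uppercase else c for c in tail_chars)
    return bits


def meets_owasp_minimum(bits: float) -> bool:
    return bits >= OWASP_MIN_SESSION_ID_BITS


if __name__ == "__main__":
    issued = name_based_token(APP_NAMESPACE, GRANT_NAME)
    guessed = attacker_recompute(APP_NAMESPACE, GRANT_NAME)
    print("issued token   :", issued)
    print("recomputed     :", guessed, "(match)" if issued == guessed else "(mismatch)")
    for upper in (False, True):
        label = "base64 + upper" if upper else "base64"
        print(f"16 random bytes, {label}: {encoded_entropy_bits(16, upper):.2f} bits")
    print("random_token(32):", random_token(), f"({encoded_entropy_bits(32, False):.0f} bits)")
```

Two things to take from running it: the "recomputed" token always equals the issued one, because a v3/v5 UUID is a hash of public inputs rather than a draw from a random source; and the uppercasing step alone turns 128 bits of genuinely random material into about 111, which is harmless for a 256-bit random token but is one more loss stacked on a generator whose effective entropy is already bounded by how predictable the hashed name is.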