One-Time Client Access token to restrict usage on a single client device.

[filimonic]

Is your feature request related to a problem? Please describe.
I want to use Gotify as OTP delivery solution, alternative to SMS\TOTP\HOTP.
I want to generate QR Code for user to connect to notification app.
I want this QR Code be limited to single use, so user can not use this QR code \ Client token on other device. This ensures me if anyone will see his QR code later somehow, he will not be able to use it.

Describe the solution you'd like
I'd like some kind of option to limit Client Access token to signle use time: ex, when used, a new token is generated and force-pushed to client, so client app can update it's token internally and start using it. The original Client Access Token is deleted then.

[eternal-flame-AD]

I want this QR Code be limited to single use, so user can not use this QR code \ Client token on other device.

I don't think "token" can be limited to single client only: you can always extract your browser session and resume it on another device, you can do that on any online account.

The original Client Access Token is deleted then.

When the user logs out voluntarily the original access token should be deleted from the server as well.

I want to use Gotify as OTP delivery solution, alternative to SMS\TOTP\HOTP.

I don't see how that requires a one time access token feature? OTP second factor facilities are (understandably) usually not by themselves second factor. You don't use another one time token to login to your phone to get an SMS OTP, you also don't use another one time token to get a TOTP out of your authenticator? Could you clarify what behavior is missing here?

If you meant Gotify itself needs to support one time credentials (like scan QR code to login where the QR code itself is only valid for 60 seconds or so), I prefer to go for standardized TOTP (see #461 )