If your system allows temporary dev tokens, have them expire after a few hours. Force developers to re-authenticate daily.