Tokens may also be uncopyable. This may be implemented by incorporating some kind of user-id (like an IP address) in encrypted form. It means that the right to access cannot be delegated. Tokens may also be transferable without being duplicatable, like the stones in a StoneSociety?.
This kind of access control is more fine-grained than AccessLevels or AccessControlLists?. We can think of languages like Smalltalk or Java as being capability systems, with the object references acting as tokens. You can't use (ie send a message to) an object unless you have a reference to it.