Clarify the following OAuth 2.0 behaviors and communicate them in the API Portal. (This should also be clarified in the docs on Meta and mediawiki.org; see T271606.)
- When resetting the token for an owner-only client, is the old token invalidated?
- When resetting the secret for a non-owner-only client, is the old client secret invalidated? Are active access tokens invalidated?