#web-security
2022-04-16
vemv11:04:41

Today I found out about: https://tools.ietf.org/id/draft-ietf-oauth-mtls-09.html. The name says it all: under it, a token has to be bound to a public cert, so obtaining a token from an arbitrary place (as happened to Heroku/GitHub yesterday) would not suffice to gain unauthorized access. Here's a friendly intro: https://connect2id.com/blog/connect2id-server-6-13