Sorry I was unclear. The issue is that the webapp2 authorization tokens have a default expiration of 3 weeks, but there's no mechanism to delete them after that. The result is the database "UserToken" table fills up with old auth tokens.
The answer, then, is to make a cron job delete old tokens occasionally.
See a lot more detail here.
thanks