Token management and security

Hi folks! What is best practice for managing tokens used by developers locally? We use environmental variables, I’m assuming we should generate a new token for each developer so that if their machine is compromised then we just need to revoke one token, without needing everyone else to then update to new tokens. Or is there a better way to allow local development without sharing tokens? Thanks a million!