as soon as he does a delete on his API session, the token is invalid and can't be used.
Hopefully the URL itself isn't public facing ... and doesn't seem so.
Lastly, there is a dedicated API forum here: http://communities.vmware.com/community/vmtn/developer/forums/vcloudapi