Currently, I see users with hundreds of user_auth_token rows. Is there no limit to this? soon they will reach to thousands and the database would be too big.
This should not be the case, we only expect one per device, we do clean this up regularly (any ancient ones get deleted)
They should be how much old to be candidate for deletion? Cause I see some rows from 2017.
max api keys per user: set to 10
expire user api keys days set to 180
Both in site settings, are you sure you are not talking about user api key log table?