The specification for OpenWebAuth has just been updated to encrypt generated tokens in transit. Anybody interested in or following this specification is urged to review the updated document.

https://macgirvin.com/wiki/mike/OpenWebAuth/Home

Hubzilla 2.8 uses the older plaintext token (should still be fine assuming you're using SSL). These are still supported currently, but going forward unencryped tokens will eventually be deprecated.