It is generally considered good security practice to keep sensitive information in memory for as short a time as possible.
Currently our authentication providers pass security tokens to the network layer (via Authenticator#initialResponse and Authenticator#evaluateChallenge), but they have no way to tell when the information has been used and can be discarded. As a result, some implementations might keep it in memory for longer than needed (e.g. PlainTextAuthenticator#initialToken).
I think the best approach would be to clear the tokens in the encoding layer itself (AuthResponse.Codec#encode). We just need to document that auth providers should not cache their responses between two challenges.
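The following is an added illustration, not the driver's own code: a hypothetical stand-in for `AuthResponse.Codec#encode` that zeroes the token array once it has been copied into the frame, alongside a caching authenticator that breaks under that rule (its second response is all zeros) and a non-caching one that does not. Class and method names other than those mentioned in the ticket are assumptions.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Hypothetical encoder: copies the token into the frame buffer, then wipes
// the caller's array so the plaintext does not outlive the write.
final class AuthResponseEncoder {
    static ByteBuffer encode(byte[] token) {
        ByteBuffer frame = ByteBuffer.allocate(4 + token.length);
        frame.putInt(token.length);
        frame.put(token);
        frame.flip();
        Arrays.fill(token, (byte) 0); // frame now holds the only live copy
        return frame;
    }
}

// Hypothetical authenticator that caches its token across challenges.
// With the clearing encoder, every response after the first is zeroed out.
final class CachingAuthenticator {
    private final byte[] cached;
    CachingAuthenticator(String user, String pass) {
        cached = ("\0" + user + "\0" + pass).getBytes(StandardCharsets.UTF_8);
    }
    byte[] initialResponse() { return cached; }
    byte[] evaluateChallenge(byte[] challenge) { return cached; }
}

// Hypothetical authenticator that builds a fresh token on every call, so the
// encoder clearing it has no effect on later challenges.
final class FreshAuthenticator {
    private final String user, pass;
    FreshAuthenticator(String user, String pass) { this.user = user; this.pass = pass; }
    private byte[] token() { return ("\0" + user + "\0" + pass).getBytes(StandardCharsets.UTF_8); }
    byte[] initialResponse() { return token(); }
    byte[] evaluateChallenge(byte[] challenge) { return token(); }
}

public class ClearingDemo {
    public static void main(String[] args) {
        // Constructed sample credentials.
        CachingAuthenticator caching = new CachingAuthenticator("alice", "s3cret");
        AuthResponseEncoder.encode(caching.initialResponse());
        byte[] second = caching.evaluateChallenge(new byte[0]);
        System.out.println("caching second response all zeros: " + allZero(second)); // true

        FreshAuthenticator fresh = new FreshAuthenticator("alice", "s3cret");
        AuthResponseEncoder.encode(fresh.initialResponse());
        System.out.println("fresh second response all zeros: " + allZero(fresh.evaluateChallenge(new byte[0]))); // false
    }
    static boolean allZero(byte[] b) { for (byte x : b) if (x != 0) return false; return true; }
}
```

The demo shows why the documentation note matters: an authenticator that reuses its token buffer will silently send an empty credential on the next challenge once the codec clears it.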