05-28-2024 07:06 PM
Invalidating API keys (refresh tokens) on password change or changing 2FA status doesn't make sense.
Given that eBay has very limited "multi-user"/"child account" functionality, often the account login details need to be shared with multiple users within a business - not ideal, but nothing the business owner can do about it until eBay gets its act together when it comes to providing delegated access across the full feature set.
The official response would be - don't share credentials - but trying to push the responsibility for this bad practice on to the users is not a good enough response. If you are in a business doing millions of dollars of turnover on eBay with hundreds of staff, vesting the entire control of a large part of your core business function on a single person with access to the eBay account is both infeasible and irresponsible, you've essentially limited your business to a bus factor of 1 - if your "eBay guy" gets hit by a bus (or gets sick, goes AWOL, etc, etc) your business could literally stop functioning, not to mention that one person can't single-handedly manage such a large operation to begin with.
So to protect itself, businesses will likely implement a rotating password and password change when anyone with access to the eBay account leaves, making up the shortfall for the non-existent/unusable delegated access.
If your business is large enough, you are going to rely on eBay APIs for a large number of critical business functions such as listing products via a PIM, importing and fulfilling orders from an ERP/WMS, handling customer enquiries with a CRM - this means eBay may be talking to 3+ business critical systems.
Changing the password invalidates the API key/refresh token and results in all of these business critical systems being disconnected.
To use an analogy, it's like if you had to buy a new fleet of trucks every time any one of your drivers quit. It sounds ridiculous on the face of things, so why do we have to put up with such a bad design decision in the eBay APIs?
05-29-2024 10:27 AM
Hi @jord-au2015,
If a seller changes their eBay member log-in name or the password for their eBay account, any active refresh tokens associated with the account will be automatically revoked by eBay. In addition, sellers can choose to revoke a token themselves via their eBay account pages.
If your refresh token gets revoked (or if it expires), then you must redo the consent-request flow in order to get a new access token and refresh token for the associated user.
You can also check the "Multi-user account access" feature in Seller Hub, which allows a seller to grant permissions to other users so that they can access the seller's account and perform workflows on the seller's behalf. Seller's login credentials and other private information are secure and won’t be shared with any users invited through MUAA.
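An added example, not part of the post above and not eBay's code: one way an integration can tell a revoked refresh token apart from a transient failure, so the PIM/ERP/CRM connectors mentioned in this thread raise a re-consent alert instead of retrying forever. It assumes the token endpoint reports a revoked or expired grant with the standard OAuth 2.0 (RFC 6749) error `invalid_grant`; the account names and response bodies are constructed.

```python
import json
from collections import defaultdict

# Constructed sample refresh attempts; system names are taken from the thread,
# account names and response bodies are made up for illustration.
SAMPLE = [
    {"system": "PIM", "account": "seller-a", "status": 400, "body": '{"error": "invalid_grant"}'},
    {"system": "ERP", "account": "seller-a", "status": 400, "body": '{"error": "invalid_grant"}'},
    {"system": "CRM", "account": "seller-a", "status": 503, "body": "upstream timeout"},
    {"system": "WMS", "account": "seller-b", "status": 200,
     "body": '{"access_token": "constructed", "expires_in": 7200}'},
]

def classify(status, body):
    """Map one refresh attempt to the action the integration should take."""
    try:
        data = json.loads(body)
    except ValueError:
        data = {}
    if not isinstance(data, dict):
        data = {}
    if status == 200 and "access_token" in data:
        return "ok"
    if status == 429 or status >= 500:
        return "retry"        # transient: back off and keep the refresh token
    if data.get("error") == "invalid_grant":
        return "reconsent"    # grant revoked or expired: retrying cannot help
    return "investigate"      # e.g. invalid_client: app credentials, not the user grant

def triage(results):
    """Group actions per account and flag a likely account-wide revocation."""
    per_account = defaultdict(lambda: defaultdict(list))
    for r in results:
        per_account[r["account"]][classify(r["status"], r["body"])].append(r["system"])
    report = {}
    for account, actions in per_account.items():
        dead = sorted(actions.get("reconsent", []))
        report[account] = {
            "reconsent": dead,
            "retry": sorted(actions.get("retry", [])),
            # Heuristic (assumption): several grants failing together points at a
            # password or username change rather than one token reaching expiry.
            "account_wide_revocation": len(dead) >= 2,
        }
    return report

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

Systems listed under `reconsent` need the consent-request flow redone by someone who can sign in to the account; systems under `retry` should keep their existing token.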
05-29-2024 04:38 PM
Thank you for not reading a single word of my post, why even have a feedback forum if you're just going to copy and paste generic unrelated and useless garbage as response.
07-25-2024 02:56 AM
We are using our accounts from different geolocations. Not all sellers here are garage sellers.
Does eBay know how hard selling a product and marketing it is?
These accounts are used by managers, assistants, developers, accountants in some cases.
Here are 2 solutions, offered free of charge:
1 - API keys should not be revoked after pw changes.
2 - Or stop resetting our pw's on every occasion.
07-29-2024 03:25 AM
This information is beneficial for those who need it. I hope you will make many more posts like this...