The client fingerprint is a value based on the client machine's hardware, hashed with a key.
The client token is assigned to the client when it first registers. This is just the ID in the database.
There are two places the client is identified:
1. At login time, the server checks that the client has the expected fingerprint key.
2. At command invocation time, the fingerprint is checked first, and then the token, and if both those fail we look up the hostname with a DNS lookup of the IP address in the client request.
There are often valid reasons why the fingerprint of an A2A client's request server machine will change, new hardware, new MAC address.