the generatetoken API reference shows that only the referer value is supported even if there are other values(ip address and requestip) can be choose. If the ip address and requestip are supported, it should be useful. And according my understanding, the referer value is not really used to verify website's referer. Is there any reason?
"The referer value only supported for generating token" looks like by design. Here is the web help from Rest API:
It also states the same:
The client type that will be granted access to the token. Only the value is supported. In the Generate Token page, select the Webapp URL option to specify the referer.
You can log this idea of "including IP address or request IP for generating token " to Esri Idea site as per below and also log an enhancement request by logging a case with Esri Support Service. Esri developers are very active on ideas site.