For short lived tokens I was going to check against the user yes. It's reasonable to say I won't add these special restricted tokens for short lived. If I insert relationships, I think I can figure this out. I just want to be able to make tokens that can only perform a subset of actions the user can. An example being a read-only tokem