For short-lived tokens I was going to check against the user, yes.
It's reasonable to say I won't add these special restricted tokens for short-lived.
If I insert relationships, I think I can figure this out. I just want to be able to make tokens that can only perform a subset of actions the user can. An example being a read-only token.