Part of the problem is that our backend services don't know the token -- it's a secret that we don't pass around; instead we rely on authoritative headers that give us (1) user ID, (2) app ID, (3) user permissions.
I think I really want to ask a question: does user X, calling from app Y with permission set Z, have access to Entity A?
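One way to phrase that question as a deny-by-default check over the three authoritative headers, as an added example that is not part of the original post. The header names (`x-user-id`, `x-app-id`, `x-user-permissions`), the comma-separated permission encoding, and the `Entity` shape (owner, allowed apps, per-action permission) are assumptions made for the example; the post only says the headers carry user ID, app ID and permissions. It also assumes the edge that validates the token sets these headers and strips any copy the client sent, since nothing downstream can tell a forged header from a real one otherwise.

```python
"""Authorization decision from authoritative identity headers (added example)."""
from dataclasses import dataclass

# Assumed header names: the post says only that the headers carry
# user ID, app ID and user permissions.
USER_ID_HEADER = "x-user-id"
APP_ID_HEADER = "x-app-id"
PERMISSIONS_HEADER = "x-user-permissions"  # assumed comma-separated list


@dataclass(frozen=True)
class Principal:
    user_id: str
    app_id: str
    permissions: frozenset


@dataclass(frozen=True)
class Entity:
    entity_id: str
    owner_id: str
    allowed_apps: frozenset        # apps that may touch this entity at all
    required_permission: dict      # action -> permission string needed


def principal_from_headers(headers):
    """Turn the three authoritative headers into a Principal.

    Assumes the gateway set these headers after validating the token and
    dropped any client-supplied copies. A missing header is a hard failure,
    not an anonymous principal.
    """
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    missing = [h for h in (USER_ID_HEADER, APP_ID_HEADER, PERMISSIONS_HEADER)
               if h not in lowered]
    if missing:
        raise PermissionError("missing authoritative header(s): " + ", ".join(missing))
    perms = frozenset(p.strip() for p in lowered[PERMISSIONS_HEADER].split(",") if p.strip())
    return Principal(lowered[USER_ID_HEADER], lowered[APP_ID_HEADER], perms)


def can_access(principal, entity, action):
    """Does user X calling from app Y with permissions Z get `action` on entity A?

    Deny by default: every branch that grants is explicit.
    """
    # App gate first: a user's permissions never extend to an app that is
    # not allowed to handle this entity.
    if principal.app_id not in entity.allowed_apps:
        return False
    # Owners get every known action on their own entity.
    if principal.user_id == entity.owner_id:
        return action in entity.required_permission
    needed = entity.required_permission.get(action)
    if needed is None:  # unknown action: nothing grants it
        return False
    return needed in principal.permissions


def decide(headers, entity, action):
    """Convenience wrapper: headers in, boolean decision out."""
    return can_access(principal_from_headers(headers), entity, action)


# Constructed sample data for the example (not from the original post).
DOCUMENT = Entity(
    entity_id="doc-1",
    owner_id="u-7",
    allowed_apps=frozenset({"app-web", "app-mobile"}),
    required_permission={"read": "doc:read", "write": "doc:write"},
)
READER_HEADERS = {"X-User-Id": "u-42", "X-App-Id": "app-web",
                  "X-User-Permissions": "doc:read"}
OWNER_HEADERS = {"X-User-Id": "u-7", "X-App-Id": "app-mobile",
                 "X-User-Permissions": ""}
BATCH_HEADERS = {"X-User-Id": "u-42", "X-App-Id": "app-batch",
                 "X-User-Permissions": "doc:read,doc:write"}

if __name__ == "__main__":
    for label, hdrs in (("reader", READER_HEADERS), ("owner", OWNER_HEADERS),
                        ("batch", BATCH_HEADERS)):
        print(label, {a: decide(hdrs, DOCUMENT, a) for a in ("read", "write", "delete")})
```

The ordering matters: the app check runs before any user or permission logic, so a fully privileged user coming through an app that is not allowed for the entity is still refused, and an action the entity does not define is refused even for the owner.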