Why doesn't it provide a simple method of using a rest API to validate the limited token for the server side, rather than requiring us to learn about the encryption algorithm to evaluate it ourselves?