u/TomaTomov wrote (the comment Michael replied to):
Thank you! I am pretty sure it's tremendously more complex. But still glad that I took the correct road. Thank you again!
u/michaelnovati replied ·
One quick clarification, but an OAuth access token will have the expiry date in it, and it will be signed by the server when the token is CREATED to approve that expiry date. From that point forward, if you can verify the "signature" on the token, you can trust the expiry date, without asking a server!
It's possible that if you say, blocked the user from a service, and they tried to use the token, the service would do additional checks beyond verifying the token (this depends on your specific application)