Currently this is down to client, but the timeout of token should also be enforced by server side causing an Invalidate()
Currently this is down to client, but the timeout of token should also be enforced by server side causing an Invalidate()