Currently only access tokens issued by the POST /refresh endpoint include an expiration (exp claim). This should be extended to all access tokens issued.
Access token expiration is not currently checked, but should always be.
- All access tokens should have an expiration.
- Authorization should validate that the provided access token has not expired.
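
A sketch of both requirements together, added here as an illustration and not taken from the project's code. It assumes the access tokens are HS256-signed JWTs; the function names, demo secret and 15-minute lifetime are hypothetical.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # assumption: HS256 with a shared secret


def b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign(signing_input):
    return b64(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())


def encode_token(claims):
    header = b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64(json.dumps(claims).encode())
    return f"{header}.{payload}.{sign(header + '.' + payload)}"


def issue_access_token(sub, ttl=900, now=None):
    """The one issuing path for every endpoint, so exp is never omitted."""
    now = int(time.time() if now is None else now)
    return encode_token({"sub": sub, "iat": now, "exp": now + ttl})


def authorize(token, now=None):
    """Return the claims of a valid, unexpired token or raise PermissionError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    header, payload, sig = parts
    # The signature is always recomputed as HS256; the header's alg is ignored.
    if not hmac.compare_digest(sig.encode(), sign(f"{header}.{payload}").encode()):
        raise PermissionError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    exp = claims.get("exp")
    # Fail closed: a token without a numeric exp is rejected, not treated as non-expiring.
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise PermissionError("missing exp claim")
    if now >= exp:
        raise PermissionError("token expired")
    return claims
```

Rejecting tokens that lack `exp` matters during rollout: tokens already issued without the claim would otherwise remain valid indefinitely once the check is enabled.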