You can definitely do that, but I believe the best practice is to minimize what you add to the token: restrict the token to authentication / authorization data, and query an API for everything else, though it depends as well on how much data you are adding to the token.
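An added illustration of the split described above (example code, not from the original answer): a stdlib-only HS256 JWT helper mints a token carrying only identity and authorization claims (`sub`, `roles`, `iat`, `exp`), contrasts it with the anti-pattern of copying profile data into the payload, and resolves the rest of the user's data from a constructed in-memory stand-in for the profile API after the token has been verified. The secret, the `PROFILE_API` dict and the user record are constructed for the demo; the `resolve_request` handler is a hypothetical name.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret (assumption); a real service loads it from a secrets store.
SECRET = b"demo-signing-key-not-for-production"

# Constructed stand-in for the profile API that the token should NOT duplicate.
PROFILE_API = {
    "u-1001": {"name": "Ada", "email": "ada@example.test", "address": "1 Loop St", "plan": "pro"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_hs256(claims: dict, secret: bytes = SECRET) -> str:
    """Minimal HS256 JWT encoder, stdlib only, for illustration."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_hs256(token: str, secret: bytes = SECRET, now: Optional[int] = None) -> dict:
    """Verify signature and expiry, then return the claims; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm server-side; never trust the header's choice
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def mint_minimal_token(user_id: str, roles: list, now: int, ttl: int = 900) -> str:
    """Token carries only who the caller is, what they may do, and for how long."""
    return encode_hs256({"sub": user_id, "roles": roles, "iat": now, "exp": now + ttl})


def mint_bloated_token(user_id: str, roles: list, now: int, ttl: int = 900) -> str:
    """Anti-pattern: profile data copied into the token. It inflates every request and the
    payload is only base64-encoded, so anyone holding the token can read the PII."""
    claims = {"sub": user_id, "roles": roles, "iat": now, "exp": now + ttl}
    claims.update(PROFILE_API[user_id])
    return encode_hs256(claims)


def resolve_request(token: str, now: int) -> dict:
    """Hypothetical server handler: trust the verified token for authn/authz only,
    then fetch everything else from the profile API keyed on `sub`."""
    claims = decode_hs256(token, now=now)
    profile = PROFILE_API.get(claims["sub"], {})
    return {"sub": claims["sub"], "roles": claims["roles"], "profile": profile}


def payload_claims(token: str) -> dict:
    """What any holder of the token can read without knowing the secret."""
    return json.loads(_b64url_decode(token.split(".")[1]))


if __name__ == "__main__":
    t0 = 1_700_000_000
    small = mint_minimal_token("u-1001", ["editor"], t0)
    big = mint_bloated_token("u-1001", ["editor"], t0)
    print("minimal token bytes:", len(small), "bloated token bytes:", len(big))
    print("readable without the secret:", payload_claims(big))
    print("server view after verification:", resolve_request(small, t0 + 10))
```

The point of `payload_claims` is that whatever goes into the token is effectively public to its holder and to anything that logs it, while `resolve_request` shows that keeping the profile behind an API costs only one lookup keyed on the verified `sub`.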