ok, let me explain the use case: a user authenticates against auth0 but authorization happens in-app. When I get a token from auth0, I want the user to send that token to the app, and the app validates the token. How can my own server validate the opaque string access token? (JWT is straight forward, but what with opaque strings?) Can the server just make the call to the /userinfo endpoint (with the access token in the header)? If not, how to validate that opaque string properly?