- Set up tokens or something so clients can't trivially
impersonate servers