in proposal #2, these responses would be specified statically at token creation time and would not require spinning up the app for unauthenticated requests.