Hey Max - what you mentioned is a possible workaround. I was also going to suggest potentially moving some of your API logic to Realm Functions where you have confirmation that the user is authenticated and valid.
We have gotten multiple requests for an API method that validates an access token. I can’t give a definite date but we’re actively investigating and looking into releasing this. I can post here with any updates.