One final question for now, checking if I understand this correctly: If I use the managed service, I would technically only be talking to your service when the backend realises that the access token has expired, and needs to exchange the refresh token for another access token - this means that I incur the penalty of a network call (for auth) once every 30mins or 1hr or so.