How does the frontend know the token has expired? By maintaining the expired_at or expired_in sort of a thing? Also a similar thing should be in place for refresh tokens?