Hi there. I’m going to paste this here as a general answer to local vs remote validation:
In terms of best practice, remote validation on every API call would be the most secure, but this is not feasible or realistic for a lot of customers. Depending on how much traffic your site gets, you could be hitting rate limits if you rely fully on remote token validation.
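An added illustration of the trade-off described in the post above (not part of the original post and not any vendor's SDK). It assumes a toy HMAC-signed token, a constructed key, and a hypothetical `RemoteIntrospection` class standing in for the issuer's endpoint; it shows a revoked token still passing local validation while remote validation rejects it, and per-call remote checks running into a rate limit.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"   # constructed signing key shared with the toy issuer
REVOKED = set()                 # revocation list that only the issuer can see

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def issue(sub: str, ttl: int, now: float) -> str:
    """Toy issuer: 'payload.signature' token (HS256-style, not a full JWT)."""
    payload = _b64(json.dumps({"sub": sub, "exp": now + ttl, "jti": f"{sub}-{now}"}).encode())
    sig = _b64(hmac.new(KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"

def validate_local(token: str, now: float):
    """Signature and expiry check only: no network call, no revocation knowledge."""
    try:
        payload, sig = token.split(".")
        expected = _b64(hmac.new(KEY, payload.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    except (ValueError, TypeError):
        return None
    return claims if claims["exp"] > now else None

class RemoteIntrospection:  # hypothetical stand-in for the issuer's endpoint
    def __init__(self, limit_per_window: int):
        self.limit, self.calls = limit_per_window, 0
    def validate(self, token: str, now: float):
        self.calls += 1
        if self.calls > self.limit:
            raise RuntimeError("429 rate limit exceeded")
        claims = validate_local(token, now)
        return None if claims is None or claims["jti"] in REVOKED else claims

def demo():
    now = 1_700_000_000.0
    token = issue("alice", ttl=3600, now=now)
    remote = RemoteIntrospection(limit_per_window=3)
    REVOKED.add(validate_local(token, now)["jti"])              # issuer revokes the token
    local_ok = validate_local(token, now + 60) is not None     # still accepted locally
    remote_ok = remote.validate(token, now + 60) is not None   # rejected remotely
    try:
        for _ in range(5):                                     # remote check on every API call
            remote.validate(token, now + 60)
    except RuntimeError:
        return local_ok, remote_ok, True                       # request budget exhausted
    return local_ok, remote_ok, False
```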