gRegorLove: Well, not sure I set up my token the "best" way, but it was an if/else: if POSTed 'code', perform all the auth checks, else validate Bearer token. I just added another condition at the beginning: if 'code' and 'grant_type=authorization_code'