I wanted to add this as part of #24 but ran out of time.
I think it's important to do this because the middleware can be absent and the service will appear to work just fine, but in fact will be less secure than ideal because it won't be paying any attention to access token expiration.
