Guardian uses JWTs as OAuth 2.0 access tokens. Token verification happens twice: first at the client (optional), and again when the client presents the token as a bearer token to request a resource. At that point the issuer (the Guardian authorization server) verifies the token itself before granting access to the requested resource.
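The issuer-side check described above, sketched as an added example (this is not Guardian's own code). The page does not say which signing algorithm or claims Guardian uses, so HS256, the key, the issuer and audience values, and the function names `sign_hs256` and `verify_bearer` are all assumptions chosen so the block runs on the Python standard library alone.

```python
import base64, hashlib, hmac, json, time

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims, key, header=None):
    """Stand-in for the issuer: builds a constructed test token."""
    header = header or {"alg": "HS256", "typ": "JWT"}
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_bearer(authorization, key, issuer, audience, now=None):
    """Return the claims if the bearer token is valid, else raise ValueError."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or token.count(".") != 2:
        raise ValueError("malformed bearer token")
    h64, c64, s64 = token.split(".")
    try:
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(c64))
        sig = b64url_decode(s64)
    except Exception as exc:
        raise ValueError("undecodable token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("undecodable token")
    # Pin the algorithm server-side; never let the token header choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    # Claims are only trusted after the signature check has passed.
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("expired")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    return claims
```

With an asymmetric algorithm the optional client-side check would use the issuer's public key, so the client never holds signing material.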