Plug that checks for access-token in header and then checks if its expired or revoked. If it's not expired/revoked it adds the stored data from the token in meta. If it is then it returns 401 unauthorized and halts the plug by default. Can be changed. You can pass confirmed: true on the plug to only auth if the users email has been confirmed.