Plug that checks for access-token in header and then checks if its expired or revoked. If it's not expired/revoked it adds the stored data from the token in meta. If it is then it returns 401 unauthorized and halts the plug by default. Can be changed. You can pass any number of arguments in keyword list format to match against the users meta obj that is stored on registration. An example use case is for role based auth.