I may be silly but why would you ever want to validate the structure of an opaque authentication key? Couldn't you just hit an harmless endpoint (e.g. /rate_limit) to see if it returns 401 or not?