Adding this additional point of failure here doesn't seem to generate meaningful value, since you can accomplish the same thing by storing the access token as an HttpOnly cookie. As a matter of fact, this is exactly how Authress protects tokens, with the added benefit of no additional services in the middle.