Bearer tokens are a dead end? You have to validate them anyway so traditional auth is the fallback.