This used without a session and issues a sessionless token, so we
should avoid causing access checks based on the session.