Unless those 10 million users are all active on your platform at the same time, you don’t need to check the validity of their token. When they’re actively using your app you need to ensure that they haven’t revoked the token some time between logins, if they’re not currently using your app then you can send them through the OAuth process during their next login to ensure it’s valid at that point.