Yeah implicit auth will jsut return the token, scopes and state in the # iirc.
So to get expires, you’d hit the validate endpoint, the usual assumption with implict is if the token is dead, you just bounce the user to the oAuth link and they auto come back, so most users wouldn’t notice the new token being made. Or the page/session/task doesn’t last long enough to even warrent storing the token in localstorage anyway. (Generally speaking)