Currently mobile clients assume OAuth token will never expire and they never invalidate cached access token when something goes wrong. If a user revokes the app's permission remotely while the app is on then the app might have undefined behavior until the user relaunches the app.

If a request is signed but still fails with a 401 error, then it could mean that the token is invalid and we should clear the cache in that case.

This affects Android client and the open source variant of iOS client. The official iOS client doesn't cache OAuth token.