It would be useful for downstream applications to derive the username from a provided token. This can serve to either:

1. Not require the user to enter a token at all in the first place, or
2. Verify that the username provided by the user actually matches the token provided.

Right now there's, AFAICT, nothing in place to prevent an app listening to one account and then (trying to) fetch listens from another account.