diff --git a/services/tunnelbroker/src/identity/mod.rs b/services/tunnelbroker/src/identity/mod.rs
deleted file mode 100644
--- a/services/tunnelbroker/src/identity/mod.rs
+++ /dev/null
@@ -1,41 +0,0 @@
-use client_proto::VerifyUserAccessTokenRequest;
-use comm_lib::auth::is_csat_verification_disabled;
-use grpc_clients::identity::{self, PlatformMetadata};
-use grpc_clients::tonic::Request;
-use identity::get_unauthenticated_client;
-use identity::protos::unauthenticated as client_proto;
-
-use crate::config::CONFIG;
-use crate::error::Error;
-
-// Identity service gRPC clients require a code version and device type.
-// We can supply some placeholder values for services for the time being, since
-// this metadata is only relevant for devices.
-const PLACEHOLDER_CODE_VERSION: u64 = 0;
-const DEVICE_TYPE: &str = "service";
-
-/// Returns true if access token is valid
-pub async fn verify_user_access_token(
- user_id: &str,
- device_id: &str,
- access_token: &str,
-) -> Result {
- if is_csat_verification_disabled() {
- return Ok(true);
- }
-
- let mut grpc_client = get_unauthenticated_client(
- &CONFIG.identity_endpoint,
- PlatformMetadata::new(PLACEHOLDER_CODE_VERSION, DEVICE_TYPE),
- )
- .await?;
- let message = VerifyUserAccessTokenRequest {
- user_id: user_id.to_string(),
- device_id: device_id.to_string(),
- access_token: access_token.to_string(),
- };
-
- let request = Request::new(message);
- let response = grpc_client.verify_user_access_token(request).await?;
- Ok(response.into_inner().token_valid)
-}
diff --git a/services/tunnelbroker/src/main.rs b/services/tunnelbroker/src/main.rs
--- a/services/tunnelbroker/src/main.rs
+++ b/services/tunnelbroker/src/main.rs
@@ -5,7 +5,6 @@
 pub mod error;
 pub mod farcaster;
 pub mod grpc;
-pub mod identity;
 pub mod log;
 pub mod notifs;
 pub mod token_distributor;
diff --git a/services/tunnelbroker/src/websockets/session.rs b/services/tunnelbroker/src/websockets/session.rs
--- a/services/tunnelbroker/src/websockets/session.rs
+++ b/services/tunnelbroker/src/websockets/session.rs
@@ -9,6 +9,8 @@
 use lapin::message::Delivery;
 use std::sync::Arc;
+use grpc_clients::identity::unauthenticated::client as identity_client;
+
 use reqwest::Url;
 use tokio::io::AsyncRead;
 use tokio::io::AsyncWrite;
@@ -16,10 +18,11 @@
 use tracing::{debug, error, info, trace};
 use crate::amqp_client::AmqpClient;
+use crate::config::CONFIG;
 use crate::database::{self, DatabaseClient};
+use crate::farcaster;
 use crate::farcaster::FarcasterClient;
 use crate::notifs::SessionNotifClient;
-use crate::{farcaster, identity};
 use tunnelbroker_messages::farcaster::{
 FarcasterAPIRequest, FarcasterAPIResponse, FarcasterAPIResponseData, FarcasterAPIResponseError,
@@ -94,10 +97,20 @@
 // Authenticate device
 debug!("Authenticating device: {}", &session_info.device_id);
- let auth_request = identity::verify_user_access_token(
+
+ // Identity service gRPC clients require a code version and device type.
+ // We can supply some placeholder values for services for the time being, since
+ // this metadata is only relevant for devices.
+ const PLACEHOLDER_CODE_VERSION: u64 = 0;
+ const DEVICE_TYPE: &str = "service";
+
+ let auth_request = identity_client::verify_user_access_token(
+ &CONFIG.identity_endpoint,
 &session_info.user_id,
 &device_info.device_id,
 &session_info.access_token,
+ PLACEHOLDER_CODE_VERSION,
+ DEVICE_TYPE.to_string(),
 )
 .await;
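Review bot: The new `identity_client::verify_user_access_token(...)` call in the `// Authenticate device` hunk does not show whether the `is_csat_verification_disabled()` short-circuit from the deleted `identity/mod.rs` wrapper still applies, and that flag decides whether a device session is accepted without its access token being checked. The helper is defined outside this diff, so this needs confirming there. If it keeps the bypass, record that at the call site with a comment such as `// NOTE: verification is skipped when CSAT verification is disabled; that setting must never be enabled in production`; if it does not, the behaviour change for deployments that relied on the flag belongs in the commit description. As a smaller style point, `PLACEHOLDER_CODE_VERSION` and `DEVICE_TYPE` are now declared in the middle of the function body, which starts and ends outside the hunk, and would read better at module level as they did in the deleted file.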