diff --git a/services/identity/src/client_service.rs b/services/identity/src/client_service.rs
--- a/services/identity/src/client_service.rs
+++ b/services/identity/src/client_service.rs
@@ -14,6 +14,7 @@
     SenderKeysForUserResponse, UpdateUserPasswordFinishRequest,
     UpdateUserPasswordFinishResponse, UpdateUserPasswordStartRequest,
     UpdateUserPasswordStartResponse, UploadOneTimeKeysRequest,
+    VerifyUserAccessTokenRequest, VerifyUserAccessTokenResponse,
     WalletLoginRequest, WalletLoginResponse,
   },
   database::DatabaseClient,
@@ -142,4 +143,11 @@
   ) -> Result<tonic::Response<Empty>, tonic::Status> {
     unimplemented!();
   }
+
+  async fn verify_user_access_token(
+    &self,
+    _request: tonic::Request<VerifyUserAccessTokenRequest>,
+  ) -> Result<tonic::Response<VerifyUserAccessTokenResponse>, tonic::Status> {
+    unimplemented!();
+  }
 }
diff --git a/shared/protos/identity_client.proto b/shared/protos/identity_client.proto
--- a/shared/protos/identity_client.proto
+++ b/shared/protos/identity_client.proto
@@ -57,6 +57,12 @@
   // Rotate a devices preKey and preKey signature
   // Rotated for deniability of older messages
   rpc RefreshUserPreKeys(RefreshUserPreKeysRequest) returns (Empty) {}
+
+  // Service actions
+
+  // Called by other services to verify a user's access token
+  rpc VerifyUserAccessToken(VerifyUserAccessTokenRequest) returns
+    (VerifyUserAccessTokenResponse) {}
 }
 
 // Helper types
@@ -299,3 +305,16 @@
   string accessToken = 1;
   PreKey newPreKeys = 2;
 }
+
+// VerifyUserAccessToken
+
+message VerifyUserAccessTokenRequest {
+  string userID = 1;
+  // signing ed25519 key for the given user's device
+  string signingPublicKey = 2;
+  string accessToken = 3;
+}
+
+message VerifyUserAccessTokenResponse {
+  bool tokenValid = 1;
+}