access-tokenheader from changing after each request. Read more.
DeviseTokenAuth::Concerns::UserOmniauthCallbacksconcern, which has
#active_for_authentication?which includes confirmation check on each call (it will do it only on sign in). If you want it to be validated on each request (for example, to be able to deactivate logged in users on the fly), set it to false.
config/initializers/devise.rb. Here are some examples of what you can do in this file: