This avoids the need to pass the username in the URL without
requiring the client to parse tokens.