I have a question here. You mentioned

We build in other challenges that proves that Bob knows a registered secret (which only he knows), that can only be generated by Bob. There are many zero-knowledge proof (ZKP) methods that Bob can show that he knows a secret when challenged, and that he and the token provider have agreed on. A few ZPF methods are outlined here: https://asecuritysite.com/encryption