Storing the token on the server is a requirement to make client-server authentication possible. I would expect that it is allowed to be stored on a server because it does not contain any secrets or so.