Just curious, with this privacy pass setup, how do I know that the server generated "auth token" is not actually linked to my account somehow?