Some clarifying questions: Are you sending these tokens as part of the headers? Which kind of redirects are you getting that you are unable to intercept?