Authorizing a user from Jupyter Lab to Enterprise Gateway

Hi folks, I have a particular use case for Jupyter Enterprise Gateway managing kernels that I wanted to run past some experienced Jupyter community members for thoughts, feedback, etc. Essentially I want to have a platform based on Enterprise Gateway that lets an authenticated user spin up a kernel using EG from Jupyter Lab (or a local IDE in the future). I want to be able to validate that the user has access to use kernels / EG in general, as well as have some auditability to trace back resources to individuals. I have drawn up a diagram showing a potential solution and was curious if anyone has done anything similar before or has general tips. Thanks in advance!

To summarize the diagram, each user would be granted a random token (think API token). Each Jupyter Lab instance (hosted by me, not local to a user) has that token stored within it, and when the user wants to request a kernel, that request is routed through a reverse-proxy that validates the token before passing the request through to EG. EG can either be configured to accept a token (this would be different from the user token; it would be a token only the reverse-proxy knows and can add to each request) OR can be set up to only accept requests from the reverse-proxy hostname. Once the request reaches EG, EG can serve the response back to a user.
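
The reverse-proxy step described in the post, as an added Python sketch (not the poster's code and not part of Enterprise Gateway). It assumes tokens travel as `Authorization: token <value>` and that EG reads `KERNEL_USERNAME` from the kernel start request's `env`; the function names and sample tokens are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample data: SHA-256 of each user's API token -> user id.
# Storing only hashes means a leaked proxy table does not leak usable tokens.
USER_TOKEN_HASHES = {
    hashlib.sha256(b"alice-sample-token").hexdigest(): "alice",
    hashlib.sha256(b"bob-sample-token").hexdigest(): "bob",
}
EG_PROXY_TOKEN = "proxy-only-sample-token"  # known to the proxy and EG only


def lookup_user(presented_token):
    """Return the user id for a presented token, or None."""
    digest = hashlib.sha256(presented_token.encode()).hexdigest()
    user = None
    for known, uid in USER_TOKEN_HASHES.items():
        # Constant-time comparison; scan every entry instead of exiting early.
        if hmac.compare_digest(known, digest):
            user = uid
    return user


def handle(method, path, headers, body=b""):
    """Return (status, upstream_headers, upstream_body, audit_record)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    user = lookup_user(token) if scheme.lower() == "token" and token else None
    audit = {"user": user, "method": method, "path": path, "allowed": bool(user)}
    if user is None:
        return 401, {}, b"", audit  # fail closed: nothing is forwarded to EG
    # Drop the user's credential; EG only ever sees the proxy's own token.
    # Content-Length is dropped because the body may be rewritten below.
    drop = ("authorization", "content-length")
    upstream = {k: v for k, v in headers.items() if k.lower() not in drop}
    upstream["Authorization"] = "token " + EG_PROXY_TOKEN
    if method == "POST" and path.rstrip("/") == "/api/kernels":
        try:
            req = json.loads(body or b"{}")
        except ValueError:
            req = None
        if not isinstance(req, dict):
            audit["allowed"] = False
            return 400, {}, b"", audit
        # Pin the kernel owner to the authenticated user so it cannot be spoofed.
        env = req.get("env") if isinstance(req.get("env"), dict) else {}
        env["KERNEL_USERNAME"] = user
        req["env"] = env
        body = json.dumps(req).encode()
    return 200, upstream, body, audit
```

Writing each returned audit record to an append-only log gives the per-user trail the post asks for, since EG itself only ever sees the proxy's token.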