To improve performance, the Airlock Gateway session can be tracked by the OAuth2 Access Token: the Gateway session can then "cache" the decision that the Access Token was valid for a certain amount of time.
If you do so, make sure that the Airlock Gateway role (credential) issued by the one-shot endpoint of IAM has a low timeout (usually only a few minutes), so that the Gateway asks IAM (one-shot) to verify the Access Token from time to time.
Remember that an Access Token becomes invalid not only after its expiration time but also if the user revokes the consent.
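The following added example (a simplified Python model, not Airlock Gateway or IAM code) shows why the role timeout bounds how long a token with revoked consent is still accepted from the cache. The names `OneShotIAM`, `GatewaySession` and `stale_window`, the token string, and all timings are assumptions made for illustration.

```python
class OneShotIAM:
    """Hypothetical stand-in for the IAM one-shot verification endpoint."""
    def __init__(self):
        self.tokens = {}   # access token -> expiration time (seconds)
        self.calls = 0     # number of verification requests received

    def issue(self, token, expires_at):
        self.tokens[token] = expires_at

    def revoke_consent(self, token):
        self.tokens.pop(token, None)   # token is invalid from now on

    def verify(self, token, now):
        self.calls += 1
        expires_at = self.tokens.get(token)
        return expires_at is not None and now < expires_at


class GatewaySession:
    """Hypothetical model of a Gateway session tracked by the Access Token."""
    def __init__(self, iam, role_timeout):
        self.iam = iam
        self.role_timeout = role_timeout
        self.roles = {}    # access token -> time at which the cached role expires

    def allow(self, token, now):
        if self.roles.get(token, 0) > now:
            return True                    # cached decision, IAM is not asked
        self.roles.pop(token, None)        # role timed out: verify again
        if self.iam.verify(token, now):
            self.roles[token] = now + self.role_timeout
            return True
        return False


def stale_window(role_timeout, revoke_at, step=10, horizon=7200):
    """Return (seconds the token was still accepted after revocation, IAM calls)."""
    iam = OneShotIAM()
    token = "constructed-access-token"     # constructed sample value
    iam.issue(token, expires_at=horizon)
    gateway = GatewaySession(iam, role_timeout)
    for now in range(0, horizon, step):    # one request every `step` seconds
        if now == revoke_at:
            iam.revoke_consent(token)
        if not gateway.allow(token, now):
            return now - revoke_at, iam.calls
    return None, iam.calls


if __name__ == "__main__":
    for timeout in (120, 3600):
        print(timeout, stale_window(timeout, revoke_at=300))
```

In this model the stale window never exceeds the role timeout, at the cost of one verification request per timeout interval while the session is active.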