Single-page applications might send several simultaneous AJAX requests to the back end. If page tokens are not initialized yet (token pre-creation is not enabled or not desired), all initial parallel requests are sent with the master token. The first request is validated using the master token, and that validation creates a new page token assigned to the current URI. The other requests made against the same endpoint still carry the master token and could end up being treated as attack attempts because of this race condition. Forcing these requests to be synchronous is not desirable because it could significantly impact the performance of the application.
Proposed solution:
Introduce a parameterizable time tolerance that defines for how long a master token is still accepted for a specific resource after a page token has been created for it (e.g. a default of 2 seconds).
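
A sketch of the proposed tolerance check, added here as an illustration and not taken from any project's code. The class, the `master_tolerance` parameter and the `/api/items` URI are assumed names, and the arrival times are constructed sample input.

```python
import hmac
import secrets


class PageTokenValidator:
    """Per-session validator (hypothetical): one master token plus per-URI page tokens.

    A real multi-threaded server would guard page_tokens with a lock.
    """

    def __init__(self, master_tolerance=2.0):
        self.master_tolerance = master_tolerance  # seconds; assumed parameter name
        self.master_token = secrets.token_urlsafe(32)
        self.page_tokens = {}  # uri -> (page_token, created_at)

    def validate(self, uri, presented, now):
        """Return (accepted, page_token). `now` is a timestamp in seconds."""
        is_master = hmac.compare_digest(presented, self.master_token)
        entry = self.page_tokens.get(uri)
        if entry is None:
            # No page token yet: only the master token can be valid, and
            # accepting it creates the page token for this URI.
            if not is_master:
                return False, None
            token = secrets.token_urlsafe(32)
            self.page_tokens[uri] = (token, now)
            return True, token
        token, created_at = entry
        if hmac.compare_digest(presented, token):
            return True, token
        # Late arrival from the initial parallel burst: accept the master
        # token only while the tolerance window is still open.
        if is_master and (now - created_at) <= self.master_tolerance:
            return True, token
        return False, None


def simulate_burst(tolerance, arrival_times, uri="/api/items"):
    """Replay requests that all carry the master token (constructed input)."""
    v = PageTokenValidator(master_tolerance=tolerance)
    return [v.validate(uri, v.master_token, t)[0] for t in arrival_times]
```

With a tolerance of 0 the second request of a burst is rejected, which is the race described above. The window also means the master token stays valid for that resource until it closes, so the value should be kept as short as the application's initial burst allows.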