I was afraid of that. I'm already using a proxy to generate the token, but I'm trying to avoid sending every single request through the application server. In the past, I've appended the token to every secure URL before making the request. I was hoping esri.setRequestPreCallback might get around this. Guess not. It guess it might be time to wrap my brain around the identityManager.