You have status codes, you should use them :)
To me the developer hasn't designed correctly the APIs, since it should have used status codes as you suggested.
Hence
- If token is valid: return status code
200(there's no need to send a JSON value saying it is valid); - If token is malformed return status code
400and optionally a JSON value{"error": "<error-message>"}; - If request for token is not authorized return
401status code.