would it be sufficient if the token could be limited just to specific namespaces?