Hey @yetitwo, thanks for the reply...
Yeah, for 3rd party apps, there are two things that come to mind. The first is, as you say, to tell Okta to issue the token or not. The second way is that if the service provider looks into the token for a particular claim, SpiceDB could return to Okta the string to put into the token as a custom claim. Not sure if SpiceDB can return a string like OpenPolicyAgent can. This second behavior could also be helpful with our 1st party internal applications that typically look for Group membership in the claim. The problem is that people can have hundreds of groups, which can blow up the size of the token and force the apps to have logic to comb through those looking for the one it wants. And of course, this does not do much for fine-grained control in 1st party apps.