> are the token permissions dynamic or are they set and changed rarely?
They are fairly static, but each user may have > 1 token, and in the case they log in with a session (i.e., not a direct API call), they have no token associated with them at that point. Basically, token/session are translated to (1) application ID, (2) permissions bit-set and (3) user ID at ingress.
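The ingress translation described in the reply above, as an added Python sketch (not the poster's code). The store layout, the SHA-256 token digests, the `web-ui` application ID for sessions, the permission names and the reject-if-both rule are all assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass
from enum import IntFlag
from typing import Optional

class Perm(IntFlag):            # hypothetical permission bits
    READ = 1
    WRITE = 2
    ADMIN = 4

@dataclass(frozen=True)
class Principal:                # the triple produced at ingress
    app_id: str
    perms: Perm
    user_id: str

def _digest(token: str) -> str:
    # Assumption: only token digests are stored, never the raw token.
    return hashlib.sha256(token.encode()).hexdigest()

# Constructed sample data: one user holding more than one token.
TOKENS = {
    _digest("tok-alice-ci"): Principal("ci-runner", Perm.READ, "alice"),
    _digest("tok-alice-admin"): Principal(
        "admin-cli", Perm.READ | Perm.WRITE | Perm.ADMIN, "alice"),
}
# A session has no token behind it, so it carries user and permissions itself.
SESSIONS = {"sess-123": ("alice", Perm.READ | Perm.WRITE)}
SESSION_APP_ID = "web-ui"       # assumption: sessions map to one fixed app ID

def resolve(bearer_token: Optional[str] = None,
            session_id: Optional[str] = None) -> Optional[Principal]:
    """Translate a token or a session into (app ID, permissions, user ID)."""
    if bearer_token and session_id:
        return None             # two credentials on one request: reject
    if bearer_token:
        return TOKENS.get(_digest(bearer_token))
    if session_id:
        entry = SESSIONS.get(session_id)
        if entry is None:
            return None
        user_id, perms = entry
        return Principal(SESSION_APP_ID, perms, user_id)
    return None                 # unauthenticated

def allowed(principal: Optional[Principal], needed: Perm) -> bool:
    # Every requested bit must be present in the principal's bit-set.
    return principal is not None and (principal.perms & needed) == needed
```

Downstream handlers then authorize against the `Principal` alone and never need to know whether the request arrived with a token or a session.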