Currently I solve this on the app level. To check permission for an access token I do:
1. Check permission for the user the token belongs to
2. Check permission for the token
3. If both checks are true, the token has access
So I do 2 checkPermission API calls, which seems incorrect.