The idea is that a token is always attached to a user, the user has its own permissions it has been granted. And a key feature which haven't implemented yet, a token cannot be granted permissions which are higher than a user permissions.