Access permissions, if you are using roles, can be inserted in the access token when u create a new session, and then read in any API after the session has been verified