When a user views their tokens in FlowAuth (/tokens/tokens/<server_id>), the response and UI show id, name, token, expires, server_name, username — but not the roles that were granted at mint time. The role information is only present inside the gzipped user_claims payload of the encrypted JWT, so there is no practical way for a user (or admin) to look at an existing token and see what permissions it carries.
This is a problem in day-to-day operation: when a token approaches expiry and we need to mint a replacement, we have no source of truth for which roles the original token had — we have to either remember, decode the JWT manually, or guess.
Proposed change:
- Add a `token_roles` association table linking `token_history` ↔ `role`, populated at mint time in `add_token` (token_management.py:152).
- Include roles in the JSON response from `list_my_tokens` (token_management.py:69).
- Display roles as a column in `frontend/src/TokenList.jsx`.
This is purely additive — JWT format unchanged, no impact on FlowAPI. Backwards compatible: existing rows have no associated roles, so the column is simply empty until a token is reissued.
Related: #6454, #5719.
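As an added illustration of the proposed schema (not FlowAuth's own code; the column layout, the SQLite backing and the sample role names are assumptions), the following shows the association table being populated in the same transaction as the token row and surfaced by the listing query, including the backward-compatible case of a token minted before the table existed:

```python
import sqlite3

# Constructed sketch of the proposed tables; FlowAuth's real models differ in detail.
SCHEMA = """
CREATE TABLE role (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE token_history (
    id INTEGER PRIMARY KEY, name TEXT NOT NULL, owner_id INTEGER NOT NULL,
    server_id INTEGER NOT NULL, expires TEXT NOT NULL);
CREATE TABLE token_roles (
    token_id INTEGER NOT NULL REFERENCES token_history(id),
    role_id INTEGER NOT NULL REFERENCES role(id),
    PRIMARY KEY (token_id, role_id));
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO role (id, name) VALUES (?, ?)",
                     [(1, "admin"), (2, "viewer"), (3, "analyst")])  # constructed roles
    return conn

def add_token(conn, name, owner_id, server_id, expires, role_ids):
    """Record the minted token and the roles granted to it atomically, so the
    grant is auditable later without decoding the JWT."""
    with conn:
        cur = conn.execute(
            "INSERT INTO token_history (name, owner_id, server_id, expires) "
            "VALUES (?, ?, ?, ?)", (name, owner_id, server_id, expires))
        token_id = cur.lastrowid
        conn.executemany(
            "INSERT INTO token_roles (token_id, role_id) VALUES (?, ?)",
            [(token_id, rid) for rid in role_ids])
    return token_id

def list_my_tokens(conn, owner_id, server_id):
    """Return each token with its role names; rows with no token_roles entries
    (tokens minted before the table existed) get an empty list."""
    rows = conn.execute(
        "SELECT t.id, t.name, t.expires, r.name FROM token_history t "
        "LEFT JOIN token_roles tr ON tr.token_id = t.id "
        "LEFT JOIN role r ON r.id = tr.role_id "
        "WHERE t.owner_id = ? AND t.server_id = ? ORDER BY t.id, r.name",
        (owner_id, server_id)).fetchall()
    tokens = {}
    for tid, name, expires, role in rows:
        entry = tokens.setdefault(tid, {"id": tid, "name": name, "expires": expires, "roles": []})
        if role is not None:
            entry["roles"].append(role)
    return list(tokens.values())
```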