diff --git a/raystack/frontier/v1beta1/frontier.proto b/raystack/frontier/v1beta1/frontier.proto
index 762c34ad..88aaadb2 100644
--- a/raystack/frontier/v1beta1/frontier.proto
+++ b/raystack/frontier/v1beta1/frontier.proto
@@ -2852,14 +2852,12 @@ message CreateCurrentUserPATRequest {
     (validate.rules).string.uuid = true,
     (google.api.field_behavior) = REQUIRED
   ];
-  // Role ids to scope the PAT to
-  repeated string role_ids = 3 [
+  reserved 3, 4;
+  // Role-scope assignments for the PAT
+  repeated PATScope scopes = 7 [
     (google.api.field_behavior) = REQUIRED,
-    (validate.rules).repeated = {min_items: 1},
-    (validate.rules).repeated.items.string.uuid = true
+    (validate.rules).repeated = {min_items: 1}
   ];
-  // For project-scoped roles: empty = all projects, non-empty = specific projects
-  repeated string project_ids = 4 [(validate.rules).repeated.items.string.uuid = true];
   google.protobuf.Timestamp expires_at = 5 [(google.api.field_behavior) = REQUIRED];
   google.protobuf.Struct metadata = 6;
 }
@@ -2918,14 +2916,12 @@ message UpdateCurrentUserPATRequest {
     (validate.rules).string.min_len = 1,
     (google.api.field_behavior) = REQUIRED
   ];
-  // Role ids to scope the PAT to
-  repeated string role_ids = 3 [
+  reserved 3, 4;
+  // Role-scope assignments for the PAT
+  repeated PATScope scopes = 6 [
     (google.api.field_behavior) = REQUIRED,
-    (validate.rules).repeated = {min_items: 1},
-    (validate.rules).repeated.items.string.uuid = true
+    (validate.rules).repeated = {min_items: 1}
   ];
-  // For project-scoped roles: empty = all projects, non-empty = specific projects
-  repeated string project_ids = 4 [(validate.rules).repeated.items.string.uuid = true];
   google.protobuf.Struct metadata = 5;
 }
 
diff --git a/raystack/frontier/v1beta1/models.proto b/raystack/frontier/v1beta1/models.proto
index d2954965..aa5aea04 100644
--- a/raystack/frontier/v1beta1/models.proto
+++ b/raystack/frontier/v1beta1/models.proto
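Review bot: `reserved 3, 4;` in CreateCurrentUserPATRequest frees the field numbers but not the names, so `role_ids` and `project_ids` can later be reattached to a new field and silently reclaim the JSON keys older clients still send; make it `reserved 3, 4; reserved "role_ids", "project_ids";`. The removed `project_ids` comment was the only place stating that an empty list meant all projects, and that widening semantics disappears with it; the new `scopes` comment should say what a scope with no resource IDs grants, because an omitted list is the broadest form the token can take. `min_items: 1` also has no upper bound, so a single request can attach an arbitrarily long scope list to one token; a cap like `(validate.rules).repeated = {min_items: 1, max_items: 100}` is worth adding, the exact limit being a product decision. The message starts before the hunk.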
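Review bot: In UpdateCurrentUserPATRequest, `scopes` being REQUIRED with `min_items: 1` implies the list replaces the token's existing scope set rather than merging into it, but nothing in the hunk says so, and whether an update can narrow a PAT's privileges or only widen them depends on a handler that is not visible here; pin it in the field comment, e.g. `// Replaces the PAT's full scope set; any scope not listed is revoked`. As with the create request, `reserved 3, 4;` should be paired with `reserved "role_ids", "project_ids";` so the retired JSON keys cannot be reused by a future field. The message starts before the hunk.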
@@ -270,6 +270,20 @@ message ServiceUserToken {
   google.protobuf.Timestamp created_at = 4;
 }
 
+// PATScope pairs a role with its resource type and optional resource IDs.
+message PATScope {
+  string role_id = 1 [
+    (validate.rules).string.uuid = true,
+    (google.api.field_behavior) = REQUIRED
+  ];
+  // Resource type: "app/organization" or "app/project"
+  string resource_type = 2 [
+    (google.api.field_behavior) = REQUIRED
+  ];
+  // Specific resource UUIDs within the resource type (optional)
+  repeated string resource_ids = 3 [(validate.rules).repeated.items.string.uuid = true];
+}
+
 message PAT {
   string id = 1;
   string title = 2;
@@ -280,8 +294,8 @@ message PAT {
   // this value is never persisted in the system so if lost, can't be recovered
   string token = 5 [(google.api.field_behavior) = OUTPUT_ONLY];
-  repeated string role_ids = 6;
-  repeated string project_ids = 7;
+  reserved 6, 7;
+  repeated PATScope scopes = 8;
   google.protobuf.Timestamp expires_at = 10;
   google.protobuf.Timestamp last_used_at = 11 [(google.api.field_behavior) = OUTPUT_ONLY];
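Review bot: `resource_type` in PATScope is REQUIRED only through `google.api.field_behavior`, which is advisory and not enforced by protoc-gen-validate, so an empty or unrecognized string reaches the server unchecked even though the comment permits exactly two values; add `(validate.rules).string = {in: ["app/organization", "app/project"]}` next to the field_behavior option so the allow-list is enforced at the schema boundary. `resource_ids` is described as "(optional)" without saying what omission grants — presumably every resource of that type the user can reach, mirroring the removed `project_ids` semantics — and since an empty list is the widest scope a PAT can carry, the comment should state that explicitly, e.g. `// Empty = every resource of this type the user can access; non-empty = only the listed resources`. Adding `unique: true` to the repeated rule would also reject duplicated IDs. PATScope is complete within the hunk; the PAT message that follows continues past it.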