Description
JWTs currently include capability claims, which increases token size.
The purpose of this request is to simplify token payloads and to centralize authorization logic fully on the server, so that permission updates apply consistently without relying on capabilities embedded in the token.
Proposed solution
- Remove capability claims (and non-essential profile metadata claims) from JWT payload generation in middleware.
- Keep only minimal authentication claims required for identity and session/2FA handling.
- Enforce permission checks server-side only (using the in-memory profiles/users data and the reload mechanisms already in place).
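The following is an added example, not code from this project, showing the shape the proposal describes: the token carries only identity, lifetime and 2FA state, and every permission decision is made by the server against its in-memory profile store, so a profile reload changes what an already-issued token may do without reissuing it. The HS256 secret, the claim names, the `PROFILES`/`USERS` data and all function names are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: an HS256 shared secret that only the server holds (constructed value).
SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(user_id: str, mfa_verified: bool, ttl: int = 900, now=None) -> str:
    """Issue a JWT with only the minimal authentication claims.

    No capability list and no profile metadata are embedded; the server
    resolves permissions at request time from its own data.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": now, "exp": now + ttl, "mfa": mfa_verified}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, now=None) -> dict:
    """Authenticate a token: pin the algorithm, check the MAC, check expiry.

    Returns the claims on success, raises ValueError otherwise.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


# Constructed in-memory data standing in for the server's profiles/users store.
# This, not the token, is the source of truth for what a user may do.
PROFILES = {"admin": {"users:read", "users:write"}, "viewer": {"users:read"}}
USERS = {
    "alice": {"profile": "admin", "requires_2fa": True},
    "bob": {"profile": "viewer", "requires_2fa": False},
}


def reload_profiles(new_profiles: dict) -> None:
    """Stand-in for the existing reload mechanism: swap the permission sets in place."""
    PROFILES.clear()
    PROFILES.update({name: set(perms) for name, perms in new_profiles.items()})


def check_request(token: str, permission: str, now=None) -> str:
    """Full server-side decision for one request.

    Returns "unauthenticated", "mfa_required", "forbidden" or "ok" so the
    caller can map it to 401/403/200 as appropriate.
    """
    try:
        claims = verify_token(token, now)
    except ValueError:
        return "unauthenticated"
    user = USERS.get(claims.get("sub"))
    if user is None:
        return "unauthenticated"
    if user["requires_2fa"] and not claims.get("mfa"):
        return "mfa_required"
    if permission not in PROFILES.get(user["profile"], set()):
        return "forbidden"
    return "ok"


if __name__ == "__main__":
    tok = mint_token("alice", mfa_verified=True)
    print(sorted(verify_token(tok)))               # ['exp', 'iat', 'mfa', 'sub']
    print(check_request(tok, "users:write"))        # ok
    reload_profiles({"admin": {"users:read"}, "viewer": {"users:read"}})
    print(check_request(tok, "users:write"))        # forbidden, same token, no reissue
```

The design point is in `check_request`: the token proves who the caller is and whether 2FA was completed, and nothing else; revoking or granting a permission is a change to `PROFILES` that takes effect on the next request for every outstanding token.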