Here is the token with MFA (signature removed):
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik5rVXpRVE0xTnpReE16azJPRFl6UlRSRE1USTFRall6TmtKRk16TkZNMEUzUTBNM1FUUTRRUSJ9.eyJpc3MiOiJodHRwczovL2Ryb3BmaXRuZXNzLmF1dGgwLmNvbS8iLCJzdWIiOiJhdXRoMHw1ZTBlMGE0NWMzMzQzYjBmMzEzNDc4ZTgiLCJhdWQiOiJodHRwczovL2Ryb3BmaXRuZXNzLmNvbS9hcGkiLCJpYXQiOjE1Nzc5Nzg1MDAsImV4cCI6MTU4MDU3MDUwMCwiYXpwIjoiSWRtTzNjUTZFUVJadTJNNm9NcGhpMDI3VHZzc2pJVGEiLCJndHkiOiJwYXNzd29yZCJ9
This one is without MFA:
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik5rVXpRVE0xTnpReE16azJPRFl6UlRSRE1USTFRall6TmtKRk16TkZNMEUzUTBNM1FUUTRRUSJ9.eyJpc3MiOiJodHRwczovL2Ryb3BmaXRuZXNzLmF1dGgwLmNvbS8iLCJzdWIiOiJhdXRoMHw1ZTBlMGJhNjUyZWU0ZTBmNGU0ZGI4ZTkiLCJhdWQiOiJodHRwczovL2Ryb3BmaXRuZXNzLmNvbS9hcGkiLCJpYXQiOjE1Nzc5Nzg3OTEsImV4cCI6MTU4MDU3MDc5MSwiYXpwIjoiSWRtTzNjUTZFUVJadTJNNm9NcGhpMDI3VHZzc2pJVGEiLCJndHkiOiJwYXNzd29yZCIsInBlcm1pc3Npb25zIjpbIm1hbmFnZTpzZWxmIiwicmVnaXN0ZXI6bWVtYmVyIiwic2VuZDplbWFpbCJdfQ
The last one has permissions in the payload as expected.
TIA!