I see that there’s an org_id in the access token shared, are the permissions assigned directly to the user or by way of an organization? The following post explains the difference well and why you aren’t seeing any permissions in the permissions claim: