diff --git a/Cargo.lock b/Cargo.lock
index bc5bae8b..7e3d1b03 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -126,12 +126,12 @@ dependencies = [
 
 [[package]]
 name = "anstyle-wincon"
-version = "3.0.7"
+version = "3.0.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ca3534e77181a9cc07539ad51f2141fe32f6c3ffd4df76db8ad92346b003ae4e"
+checksum = "6680de5231bd6ee4c6191b8a1325daa282b415391ec9d3a37bd34f2060dc73fa"
 dependencies = [
  "anstyle",
- "once_cell",
+ "once_cell_polyfill",
  "windows-sys 0.59.0",
 ]
 
@@ -404,9 +404,9 @@ dependencies = [
 
 [[package]]
 name = "bitflags"
-version = "2.9.0"
+version = "2.9.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5c8214115b7bf84099f1309324e63141d4c5d7cc26862f97a0a857dbefe165bd"
+checksum = "1b8e56985ec62d17e9c1001dc89c88ecd7dc08e47eba5ec7c29c7b5eeecde967"
 dependencies = [
  "serde",
 ]
@@ -534,9 +534,9 @@ checksum = "37b2a672a2cb129a2e41c10b1224bb368f9f37a2b16b612598138befd7b37eb5"
 
 [[package]]
 name = "cc"
-version = "1.2.22"
+version = "1.2.24"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "32db95edf998450acc7881c932f94cd9b05c87b4b2599e8bab064753da4acfd1"
+checksum = "16595d3be041c03b09d08d0858631facccee9221e579704070e6e9e4915d3bc7"
 dependencies = [
  "jobserver",
  "libc",
@@ -1179,9 +1179,9 @@ checksum = "877a4ace8713b0bcf2a4e7eec82529c029f1d0619886d18145fea96c3ffe5c0f"
 
 [[package]]
 name = "errno"
-version = "0.3.11"
+version = "0.3.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "976dd42dc7e85965fe702eb8164f21f450704bdde31faefd6471dba214cb594e"
+checksum = "cea14ef9355e3beab063703aa9dab15afd25f0667c341310c1e5274bb1d0da18"
 dependencies = [
  "libc",
  "windows-sys 0.59.0",
@@ -1261,6 +1261,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7ced92e76e966ca2fd84c8f7aa01a4aea65b0eb6648d72f7c8f3e2764a67fece"
 dependencies = [
  "crc32fast",
+ "libz-rs-sys",
  "miniz_oxide",
 ]
 
@@ -1634,11 +1635,10 @@ dependencies = [
 
 [[package]]
 name = "hyper-rustls"
-version = "0.27.5"
+version = "0.27.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2d191583f3da1305256f22463b9bb0471acad48a4e534a5218b9963e9c1f59b2"
+checksum = "03a01595e11bdcec50946522c32dde3fc6914743000a68b93000965f2f02406d"
 dependencies = [
- "futures-util",
  "http",
  "hyper",
  "hyper-util",
@@ -1647,14 +1647,14 @@ dependencies = [
  "tokio",
  "tokio-rustls",
  "tower-service",
- "webpki-roots 0.26.11",
+ "webpki-roots 1.0.0",
 ]
 
 [[package]]
 name = "hyper-util"
-version = "0.1.11"
+version = "0.1.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "497bbc33a26fdd4af9ed9c70d63f61cf56a938375fbb32df34db9b1cd6d643f2"
+checksum = "cf9f1e950e0d9d1d3c47184416723cf29c0d1f93bd8cccf37e4beb6b44f31710"
 dependencies = [
  "bytes",
  "futures-channel",
@@ -1743,9 +1743,9 @@ checksum = "00210d6893afc98edb752b664b8890f0ef174c8adbb8d0be9710fa66fbbf72d3"
 
 [[package]]
 name = "icu_properties"
-version = "2.0.0"
+version = "2.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2549ca8c7241c82f59c80ba2a6f415d931c5b58d24fb8412caa1a1f02c49139a"
+checksum = "016c619c1eeb94efb86809b015c58f479963de65bdb6253345c1a1276f22e32b"
 dependencies = [
  "displaydoc",
  "icu_collections",
@@ -1759,9 +1759,9 @@ dependencies = [
 
 [[package]]
 name = "icu_properties_data"
-version = "2.0.0"
+version = "2.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8197e866e47b68f8f7d95249e172903bec06004b18b2937f1095d40a0c57de04"
+checksum = "298459143998310acd25ffe6810ed544932242d3f07083eee1084d83a71bd632"
 
 [[package]]
 name = "icu_provider"
@@ -1955,6 +1955,15 @@ dependencies = [
  "vcpkg",
 ]
 
+[[package]]
+name = "libz-rs-sys"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6489ca9bd760fe9642d7644e827b0c9add07df89857b0416ee15c1cc1a3b8c5a"
+dependencies = [
+ "zlib-rs",
+]
+
 [[package]]
 name = "linux-raw-sys"
 version = "0.9.4"
@@ -2053,13 +2062,13 @@ dependencies = [
 
 [[package]]
 name = "mio"
-version = "1.0.3"
+version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2886843bf800fba2e3377cff24abf6379b4c4d5c6681eaf9ea5b0d15090450bd"
+checksum = "78bed444cc8a2160f01cbcf811ef18cac863ad68ae8ca62092e8db51d51c761c"
 dependencies = [
  "libc",
  "wasi 0.11.0+wasi-snapshot-preview1",
- "windows-sys 0.52.0",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]
@@ -2227,6 +2236,12 @@ version = "1.21.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "42f5e15c9953c5e4ccceeb2e7382a716482c34515315f7b03532b8b4e8393d2d"
 
+[[package]]
+name = "once_cell_polyfill"
+version = "1.70.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a4895175b425cb1f87721b59f0f286c2092bd4af812243672510e1ac53e2e0ad"
+
 [[package]]
 name = "oorandom"
 version = "11.1.5"
@@ -2406,9 +2421,9 @@ checksum = "b15813163c1d831bf4a13c3610c05c0d03b39feb07f7e09fa234dac9b15aaf39"
 
 [[package]]
 name = "owo-colors"
-version = "4.2.0"
+version = "4.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1036865bb9422d3300cf723f657c2851d0e9ab12567854b1f4eba3d77decf564"
+checksum = "26995317201fa17f3656c36716aed4a7c81743a9634ac4c99c0eeda495db0cec"
 
 [[package]]
 name = "p256"
@@ -2537,9 +2552,9 @@ dependencies = [
 
 [[package]]
 name = "pgvector"
-version = "0.4.0"
+version = "0.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e0e8871b6d7ca78348c6cd29b911b94851f3429f0cd403130ca17f26c1fb91a6"
+checksum = "fc58e2d255979a31caa7cabfa7aac654af0354220719ab7a68520ae7a91e8c0b"
 dependencies = [
  "serde",
 ]
@@ -3101,9 +3116,9 @@ dependencies = [
 
 [[package]]
 name = "rust-embed"
-version = "8.7.1"
+version = "8.7.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "60e425e204264b144d4c929d126d0de524b40a961686414bab5040f7465c71be"
+checksum = "025908b8682a26ba8d12f6f2d66b987584a4a87bc024abc5bbc12553a8cd178a"
 dependencies = [
  "rust-embed-impl",
  "rust-embed-utils",
@@ -3112,9 +3127,9 @@ dependencies = [
 
 [[package]]
 name = "rust-embed-impl"
-version = "8.7.0"
+version = "8.7.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6bf418c9a2e3f6663ca38b8a7134cc2c2167c9d69688860e8961e3faa731702e"
+checksum = "6065f1a4392b71819ec1ea1df1120673418bf386f50de1d6f54204d836d4349c"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -3125,9 +3140,9 @@ dependencies = [
 
 [[package]]
 name = "rust-embed-utils"
-version = "8.7.0"
+version = "8.7.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "08d55b95147fe01265d06b3955db798bdaed52e60e2211c41137701b3aba8e21"
+checksum = "f6cc0c81648b20b70c491ff8cce00c1c3b223bb8ed2b5d41f0e54c6c4c0a3594"
 dependencies = [
  "sha2",
  "walkdir",
@@ -3249,9 +3264,9 @@ dependencies = [
 
 [[package]]
 name = "rustversion"
-version = "1.0.20"
+version = "1.0.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "eded382c5f5f786b989652c49544c4877d9f015cc22e145a5ea8ea66c2921cd2"
+checksum = "8a0d197bd2c9dc6e53b84da9556a69ba4cdfab8619eb41a8bd1cc2027a0f6b1d"
 
 [[package]]
 name = "ryu"
@@ -3289,9 +3304,9 @@ dependencies = [
 
 [[package]]
 name = "sea-orm"
-version = "1.1.11"
+version = "1.1.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f7cf58b28bcf1e053539c38afbb60d963ac8e1db87f6109db7b0eff4cbeaefb3"
+checksum = "18b7272b88bd608cd846de24f41b74a0315a135fe761b0aed4ec1ce6a6327a93"
 dependencies = [
  "async-stream",
  "async-trait",
@@ -3318,9 +3333,9 @@ dependencies = [
 
 [[package]]
 name = "sea-orm-macros"
-version = "1.1.11"
+version = "1.1.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cac37512fde1f5b9ef71ec773cfabb90ad3b68c27e53131ff38763c247fcbb2d"
+checksum = "2c38255a6b2e6d1ae2d5df35696507a345f03c036ae32caeb0a3b922dbab610d"
 dependencies = [
  "heck 0.5.0",
  "proc-macro2",
@@ -3332,9 +3347,9 @@ dependencies = [
 
 [[package]]
 name = "sea-query"
-version = "0.32.5"
+version = "0.32.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5506de3a33d9ee4ee161c5847acb87fe4f82ced6649afc9eabeb8df6f40ba94a"
+checksum = "64c91783d1514b99754fc6a4079081dcc2c587dadbff65c48c7f62297443536a"
 dependencies = [
  "bigdecimal",
  "chrono",
@@ -3607,9 +3622,9 @@ dependencies = [
 
 [[package]]
 name = "socket2"
-version = "0.5.9"
+version = "0.5.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4f5fd57c80058a56cf5c777ab8a126398ece8e442983605d280a44ce79d0edef"
+checksum = "e22376abed350d73dd1cd119b57ffccad95b4e585a7cda43e286245ce23c0678"
 dependencies = [
  "libc",
  "windows-sys 0.52.0",
@@ -3636,9 +3651,9 @@ dependencies = [
 
 [[package]]
 name = "sqlx"
-version = "0.8.5"
+version = "0.8.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f3c3a85280daca669cfd3bcb68a337882a8bc57ec882f72c5d13a430613a738e"
+checksum = "1fefb893899429669dcdd979aff487bd78f4064e5e7907e4269081e0ef7d97dc"
 dependencies = [
  "sqlx-core",
  "sqlx-macros",
@@ -3649,9 +3664,9 @@ dependencies = [
 
 [[package]]
 name = "sqlx-core"
-version = "0.8.5"
+version = "0.8.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f743f2a3cea30a58cd479013f75550e879009e3a02f616f18ca699335aa248c3"
+checksum = "ee6798b1838b6a0f69c007c133b8df5866302197e404e8b6ee8ed3e3a5e68dc6"
 dependencies = [
  "base64 0.22.1",
  "bigdecimal",
@@ -3688,9 +3703,9 @@ dependencies = [
 
 [[package]]
 name = "sqlx-macros"
-version = "0.8.5"
+version = "0.8.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7f4200e0fde19834956d4252347c12a083bdcb237d7a1a1446bffd8768417dce"
+checksum = "a2d452988ccaacfbf5e0bdbc348fb91d7c8af5bee192173ac3636b5fb6e6715d"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -3701,9 +3716,9 @@ dependencies = [
 
 [[package]]
 name = "sqlx-macros-core"
-version = "0.8.5"
+version = "0.8.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "882ceaa29cade31beca7129b6beeb05737f44f82dbe2a9806ecea5a7093d00b7"
+checksum = "19a9c1841124ac5a61741f96e1d9e2ec77424bf323962dd894bdb93f37d5219b"
 dependencies = [
  "dotenvy",
  "either",
@@ -3720,16 +3735,15 @@ dependencies = [
  "sqlx-postgres",
  "sqlx-sqlite",
  "syn 2.0.101",
- "tempfile",
  "tokio",
  "url",
 ]
 
 [[package]]
 name = "sqlx-mysql"
-version = "0.8.5"
+version = "0.8.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0afdd3aa7a629683c2d750c2df343025545087081ab5942593a5288855b1b7a7"
+checksum = "aa003f0038df784eb8fecbbac13affe3da23b45194bd57dba231c8f48199c526"
 dependencies = [
  "atoi",
  "base64 0.22.1",
@@ -3774,9 +3788,9 @@ dependencies = [
 
 [[package]]
 name = "sqlx-postgres"
-version = "0.8.5"
+version = "0.8.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a0bedbe1bbb5e2615ef347a5e9d8cd7680fb63e77d9dafc0f29be15e53f1ebe6"
+checksum = "db58fcd5a53cf07c184b154801ff91347e4c30d17a3562a635ff028ad5deda46"
 dependencies = [
  "atoi",
  "base64 0.22.1",
@@ -3817,9 +3831,9 @@ dependencies = [
 
 [[package]]
 name = "sqlx-sqlite"
-version = "0.8.5"
+version = "0.8.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c26083e9a520e8eb87a06b12347679b142dc2ea29e6e409f805644a7a979a5bc"
+checksum = "c2d12fe70b2c1b4401038055f90f151b78208de1f9f89a7dbfd41587a10c3eea"
 dependencies = [
  "atoi",
  "chrono",
@@ -4077,9 +4091,9 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
 
 [[package]]
 name = "tokio"
-version = "1.45.0"
+version = "1.45.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2513ca694ef9ede0fb23fe71a4ee4107cb102b9dc1930f6d0fd77aae068ae165"
+checksum = "75ef51a33ef1da925cea3e4eb122833cb377c61439ca401b770f54902b806779"
 dependencies = [
  "backtrace",
  "bytes",
@@ -4446,9 +4460,9 @@ dependencies = [
 
 [[package]]
 name = "utoipa-swagger-ui"
-version = "9.0.1"
+version = "9.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d29519b3c485df6b13f4478ac909a491387e9ef70204487c3b64b53749aec0be"
+checksum = "d047458f1b5b65237c2f6dc6db136945667f40a7668627b3490b9513a3d43a55"
 dependencies = [
  "axum",
  "base64 0.22.1",
@@ -4470,12 +4484,14 @@ checksum = "e2eebbbfe4093922c2b6734d7c679ebfebd704a0d7e56dfcb0d05818ce28977d"
 
 [[package]]
 name = "uuid"
-version = "1.16.0"
+version = "1.17.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "458f7a779bf54acc9f347480ac654f68407d3aab21269a6e3c9f922acd9e2da9"
+checksum = "3cf4199d1e5d15ddd86a694e4d0dffa9c323ce759fea589f00fef9d81cc1931d"
 dependencies = [
  "getrandom 0.3.3",
+ "js-sys",
  "serde",
+ "wasm-bindgen",
 ]
 
 [[package]]
@@ -4755,15 +4771,15 @@ checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
 
 [[package]]
 name = "windows-core"
-version = "0.61.0"
+version = "0.61.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4763c1de310c86d75a878046489e2e5ba02c649d185f21c67d4cf8a56d098980"
+checksum = "c0fdd3ddb90610c7638aa2b3a3ab2904fb9e5cdbecc643ddb3647212781c4ae3"
 dependencies = [
  "windows-implement",
  "windows-interface",
  "windows-link",
  "windows-result",
- "windows-strings 0.4.0",
+ "windows-strings 0.4.2",
 ]
 
 [[package]]
@@ -4807,9 +4823,9 @@ dependencies = [
 
 [[package]]
 name = "windows-result"
-version = "0.3.2"
+version = "0.3.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c64fd11a4fd95df68efcfee5f44a294fe71b8bc6a91993e2791938abcc712252"
+checksum = "56f42bd332cc6c8eac5af113fc0c1fd6a8fd2aa08a0119358686e5160d0586c6"
 dependencies = [
  "windows-link",
 ]
@@ -4825,9 +4841,9 @@ dependencies = [
 
 [[package]]
 name = "windows-strings"
-version = "0.4.0"
+version = "0.4.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7a2ba9642430ee452d5a7aa78d72907ebe8cfda358e8cb7918a2050581322f97"
+checksum = "56e6c93f3a0c3b36176cb1327a4958a0353d5d166c2a35cb268ace15e91d3b57"
 dependencies = [
  "windows-link",
 ]
@@ -5096,9 +5112,9 @@ dependencies = [
 
 [[package]]
 name = "yaml-rust2"
-version = "0.10.1"
+version = "0.10.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "818913695e83ece1f8d2a1c52d54484b7b46d0f9c06beeb2649b9da50d9b512d"
+checksum = "18b783b2c2789414f8bb84ca3318fc9c2d7e7be1c22907d37839a58dedb369d3"
 dependencies = [
  "arraydeque",
  "encoding_rs",
@@ -5231,19 +5247,24 @@ dependencies = [
 
 [[package]]
 name = "zip"
-version = "2.6.1"
+version = "3.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1dcb24d0152526ae49b9b96c1dcf71850ca1e0b882e4e28ed898a93c41334744"
+checksum = "12598812502ed0105f607f941c386f43d441e00148fce9dec3ca5ffb0bde9308"
 dependencies = [
  "arbitrary",
  "crc32fast",
- "crossbeam-utils",
  "flate2",
  "indexmap 2.9.0",
  "memchr",
  "zopfli",
 ]
 
+[[package]]
+name = "zlib-rs"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "868b928d7949e09af2f6086dfc1e01936064cc7a819253bce650d4e2a2d63ba8"
+
 [[package]]
 name = "zopfli"
 version = "0.8.2"
diff --git a/Cargo.toml b/Cargo.toml
index 884ad854..a85d0ece 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -48,7 +48,7 @@ url = { version = "2.5", features = ["serde"] }
 utoipa = { version = "5.3", features = ["axum_extras", "chrono"] }
 utoipa-axum = { version = "0.2" }
 utoipa-swagger-ui = { version = "9.0", features = ["axum", "vendored"], default-features = false }
-uuid = { version = "1.16", features = ["v4"] }
+uuid = { version = "1.17", features = ["v4"] }
 webauthn-rs = { version = "0.5", features = ["danger-allow-state-serialisation"] }
 
 [dev-dependencies]
diff --git a/benches/fernet_token.rs b/benches/fernet_token.rs
index d5f1649f..759df20c 100644
--- a/benches/fernet_token.rs
+++ b/benches/fernet_token.rs
@@ -21,7 +21,7 @@ fn bench_decrypt_token(c: &mut Criterion) {
 
     let mut backend = FernetTokenProvider::default();
     let mut config = Config::new(PathBuf::new()).unwrap();
-    config.fernet_tokens.key_repository = tmp_dir.into_path();
+    config.fernet_tokens.key_repository = tmp_dir.keep();
     backend.set_config(config);
     backend.load_keys().unwrap();
 
diff --git a/src/api/v3/auth/token/common.rs b/src/api/v3/auth/token/common.rs
index 033ac43d..ed19a632 100644
--- a/src/api/v3/auth/token/common.rs
+++ b/src/api/v3/auth/token/common.rs
@@ -86,6 +86,9 @@ impl Token {
             ProviderToken::ApplicationCredential(_token) => {
                 todo!();
             }
+            _ => {
+                todo!();
+            }
         }
         Ok(response.build().map_err(TokenError::from)?)
     }
@@ -168,6 +171,9 @@ impl Token {
             ProviderToken::ApplicationCredential(_token) => {
                 todo!();
             }
+            _ => {
+                todo!();
+            }
         }
         Ok(response.build().map_err(TokenError::from)?)
     }
@@ -194,7 +200,7 @@ mod tests {
         types::{Domain, Project},
     };
     use crate::token::{
-        DomainScopeToken, ProjectScopeToken, Token as ProviderToken, UnscopedToken,
+        DomainScopePayload, ProjectScopePayload, Token as ProviderToken, UnscopedPayload,
     };
 
     #[tokio::test]
@@ -238,7 +244,7 @@ mod tests {
 
         let api_token = Token::from_provider_token(
             &state,
-            &ProviderToken::Unscoped(UnscopedToken {
+            &ProviderToken::Unscoped(UnscopedPayload {
                 user_id: "bar".into(),
                 ..Default::default()
             }),
@@ -291,7 +297,7 @@ mod tests {
 
         let api_token = Token::from_provider_token(
             &state,
-            &ProviderToken::DomainScope(DomainScopeToken {
+            &ProviderToken::DomainScope(DomainScopePayload {
                 user_id: "bar".into(),
                 domain_id: "domain_id".into(),
                 ..Default::default()
@@ -372,7 +378,7 @@ mod tests {
 
         let api_token = Token::from_provider_token(
             &state,
-            &ProviderToken::ProjectScope(ProjectScopeToken {
+            &ProviderToken::ProjectScope(ProjectScopePayload {
                 user_id: "bar".into(),
                 project_id: "project_id".into(),
                 roles: vec![ProviderRole {
diff --git a/src/api/v3/auth/token/mod.rs b/src/api/v3/auth/token/mod.rs
index fed32057..fc9a088f 100644
--- a/src/api/v3/auth/token/mod.rs
+++ b/src/api/v3/auth/token/mod.rs
@@ -304,7 +304,7 @@ mod tests {
             });
         let mut token_mock = MockTokenProvider::default();
         token_mock.expect_validate_token().returning(|_, _, _| {
-            Ok(Token::Unscoped(UnscopedToken {
+            Ok(Token::Unscoped(UnscopedPayload {
                 user_id: "bar".into(),
                 ..Default::default()
             }))
@@ -398,7 +398,7 @@ mod tests {
             .expect_validate_token()
             .withf(|token: &'_ str, _, _| token == "foo")
             .returning(|_, _, _| {
-                Ok(Token::Unscoped(UnscopedToken {
+                Ok(Token::Unscoped(UnscopedPayload {
                     user_id: "bar".into(),
                     ..Default::default()
                 }))
@@ -409,7 +409,7 @@ mod tests {
                 token == "bar" && *allow_expired == Some(true)
             })
             .returning(|_, _, _| {
-                Ok(Token::Unscoped(UnscopedToken {
+                Ok(Token::Unscoped(UnscopedPayload {
                     user_id: "bar".into(),
                     ..Default::default()
                 }))
@@ -467,7 +467,7 @@ mod tests {
             .expect_validate_token()
             .withf(|token: &'_ str, _, _| token == "foo")
             .returning(|_, _, _| {
-                Ok(Token::Unscoped(UnscopedToken {
+                Ok(Token::Unscoped(UnscopedPayload {
                     user_id: "bar".into(),
                     ..Default::default()
                 }))
@@ -582,7 +582,7 @@ mod tests {
             });
         let mut token_mock = MockTokenProvider::default();
         token_mock.expect_issue_token().returning(|_, _, _, _, _| {
-            Ok(Token::ProjectScope(ProjectScopeToken {
+            Ok(Token::ProjectScope(ProjectScopePayload {
                 user_id: "bar".into(),
                 methods: Vec::from(["password".to_string()]),
                 ..Default::default()
diff --git a/src/api/v3/federation/identity_provider.rs b/src/api/v3/federation/identity_provider.rs
index 4ea24298..8547c51c 100644
--- a/src/api/v3/federation/identity_provider.rs
+++ b/src/api/v3/federation/identity_provider.rs
@@ -199,12 +199,12 @@ mod tests {
     };
     use crate::keystone::{Service, ServiceState};
     use crate::provider::Provider;
-    use crate::token::{MockTokenProvider, Token, UnscopedToken};
+    use crate::token::{MockTokenProvider, Token, UnscopedPayload};
 
     fn get_mocked_state(federation_mock: MockFederationProvider) -> ServiceState {
         let mut token_mock = MockTokenProvider::default();
         token_mock.expect_validate_token().returning(|_, _, _| {
-            Ok(Token::Unscoped(UnscopedToken {
+            Ok(Token::Unscoped(UnscopedPayload {
                 user_id: "bar".into(),
                 ..Default::default()
             }))
diff --git a/src/api/v3/federation/mapping.rs b/src/api/v3/federation/mapping.rs
index 70d6cbd8..a9b91874 100644
--- a/src/api/v3/federation/mapping.rs
+++ b/src/api/v3/federation/mapping.rs
@@ -194,12 +194,12 @@ mod tests {
     };
     use crate::keystone::{Service, ServiceState};
     use crate::provider::Provider;
-    use crate::token::{MockTokenProvider, Token, UnscopedToken};
+    use crate::token::{MockTokenProvider, Token, UnscopedPayload};
 
     fn get_mocked_state(federation_mock: MockFederationProvider) -> ServiceState {
         let mut token_mock = MockTokenProvider::default();
         token_mock.expect_validate_token().returning(|_, _, _| {
-            Ok(Token::Unscoped(UnscopedToken {
+            Ok(Token::Unscoped(UnscopedPayload {
                 user_id: "bar".into(),
                 ..Default::default()
             }))
diff --git a/src/api/v3/role/mod.rs b/src/api/v3/role/mod.rs
index 59ef7997..e43c4419 100644
--- a/src/api/v3/role/mod.rs
+++ b/src/api/v3/role/mod.rs
@@ -122,14 +122,14 @@ mod tests {
     use crate::keystone::{Service, ServiceState};
     use crate::provider::Provider;
 
-    use crate::token::{MockTokenProvider, Token, UnscopedToken};
+    use crate::token::{MockTokenProvider, Token, UnscopedPayload};
 
     use crate::tests::api::get_mocked_state_unauthed;
 
     fn get_mocked_state(assignment_mock: MockAssignmentProvider) -> ServiceState {
         let mut token_mock = MockTokenProvider::default();
         token_mock.expect_validate_token().returning(|_, _, _| {
-            Ok(Token::Unscoped(UnscopedToken {
+            Ok(Token::Unscoped(UnscopedPayload {
                 user_id: "bar".into(),
                 ..Default::default()
             }))
diff --git a/src/api/v3/role_assignment/mod.rs b/src/api/v3/role_assignment/mod.rs
index 4acdf2b6..da04c1d6 100644
--- a/src/api/v3/role_assignment/mod.rs
+++ b/src/api/v3/role_assignment/mod.rs
@@ -94,12 +94,12 @@ mod tests {
     use crate::keystone::{Service, ServiceState};
     use crate::provider::Provider;
 
-    use crate::token::{MockTokenProvider, Token, UnscopedToken};
+    use crate::token::{MockTokenProvider, Token, UnscopedPayload};
 
     fn get_mocked_state(assignment_mock: MockAssignmentProvider) -> ServiceState {
         let mut token_mock = MockTokenProvider::default();
         token_mock.expect_validate_token().returning(|_, _, _| {
-            Ok(Token::Unscoped(UnscopedToken {
+            Ok(Token::Unscoped(UnscopedPayload {
                 user_id: "bar".into(),
                 ..Default::default()
             }))
diff --git a/src/tests/api.rs b/src/tests/api.rs
index 45a1dc57..e752af06 100644
--- a/src/tests/api.rs
+++ b/src/tests/api.rs
@@ -19,7 +19,7 @@ use crate::config::Config;
 use crate::identity::MockIdentityProvider;
 use crate::keystone::{Service, ServiceState};
 use crate::provider::Provider;
-use crate::token::{MockTokenProvider, Token, TokenProviderError, UnscopedToken};
+use crate::token::{MockTokenProvider, Token, TokenProviderError, UnscopedPayload};
 
 pub(crate) fn get_mocked_state_unauthed() -> ServiceState {
     let mut token_mock = MockTokenProvider::default();
@@ -45,7 +45,7 @@ pub(crate) fn get_mocked_state_unauthed() -> ServiceState {
 pub(crate) fn get_mocked_state(identity_mock: MockIdentityProvider) -> ServiceState {
     let mut token_mock = MockTokenProvider::default();
     token_mock.expect_validate_token().returning(|_, _, _| {
-        Ok(Token::Unscoped(UnscopedToken {
+        Ok(Token::Unscoped(UnscopedPayload {
             user_id: "bar".into(),
             ..Default::default()
         }))
diff --git a/src/tests/token.rs b/src/tests/token.rs
index 72be6ded..e8ca1e67 100644
--- a/src/tests/token.rs
+++ b/src/tests/token.rs
@@ -26,7 +26,7 @@ pub fn setup_config() -> Config {
     let mut tmp_file = File::create(file_path).unwrap();
     write!(tmp_file, "BFTs1CIVIBLTP4GOrQ26VETrJ7Zwz1O4wbEcCQ966eM=").unwrap();
     let mut config = Config::new(PathBuf::new()).unwrap();
-    config.fernet_tokens.key_repository = keys_dir.into_path();
+    config.fernet_tokens.key_repository = keys_dir.keep();
     config.auth.methods = vec![
         "password".into(),
         "token".into(),
diff --git a/src/token/application_credential.rs b/src/token/application_credential.rs
index cef2417d..ad1280c5 100644
--- a/src/token/application_credential.rs
+++ b/src/token/application_credential.rs
@@ -28,7 +28,7 @@ use crate::token::{
 };
 
 #[derive(Builder, Clone, Debug, Default, PartialEq)]
-pub struct ApplicationCredentialToken {
+pub struct ApplicationCredentialPayload {
     pub user_id: String,
     #[builder(default, setter(name = _methods))]
     pub methods: Vec<String>,
@@ -44,7 +44,7 @@ pub struct ApplicationCredentialToken {
     pub project: Option<Project>,
 }
 
-impl ApplicationCredentialTokenBuilder {
+impl ApplicationCredentialPayloadBuilder {
     pub fn methods<I, V>(&mut self, iter: I) -> &mut Self
     where
         I: Iterator<Item = V>,
@@ -68,14 +68,14 @@ impl ApplicationCredentialTokenBuilder {
     }
 }
 
-impl From<ApplicationCredentialToken> for Token {
-    fn from(value: ApplicationCredentialToken) -> Self {
+impl From<ApplicationCredentialPayload> for Token {
+    fn from(value: ApplicationCredentialPayload) -> Self {
         Token::ApplicationCredential(value)
     }
 }
 
-impl MsgPackToken for ApplicationCredentialToken {
-    type Token = ApplicationCredentialToken;
+impl MsgPackToken for ApplicationCredentialPayload {
+    type Token = ApplicationCredentialPayload;
 
     fn assemble<W: Write>(
         &self,
@@ -131,7 +131,7 @@ mod tests {
 
     #[test]
     fn test_roundtrip() {
-        let token = ApplicationCredentialToken {
+        let token = ApplicationCredentialPayload {
             user_id: Uuid::new_v4().simple().to_string(),
             methods: vec!["password".into()],
             project_id: Uuid::new_v4().simple().to_string(),
@@ -145,7 +145,7 @@ mod tests {
         token.assemble(&mut buf, &auth_map).unwrap();
         let encoded_buf = buf.clone();
         let decoded =
-            ApplicationCredentialToken::disassemble(&mut encoded_buf.as_slice(), &auth_map)
+            ApplicationCredentialPayload::disassemble(&mut encoded_buf.as_slice(), &auth_map)
                 .unwrap();
         assert_eq!(token, decoded);
     }
diff --git a/src/token/domain_scoped.rs b/src/token/domain_scoped.rs
index 3d1284c9..eb6e3436 100644
--- a/src/token/domain_scoped.rs
+++ b/src/token/domain_scoped.rs
@@ -29,7 +29,7 @@ use crate::token::{
 
 #[derive(Builder, Clone, Debug, Default, PartialEq)]
 #[builder(setter(strip_option, into))]
-pub struct DomainScopeToken {
+pub struct DomainScopePayload {
     pub user_id: String,
     #[builder(default, setter(name = _methods))]
     pub methods: Vec<String>,
@@ -44,7 +44,7 @@ pub struct DomainScopeToken {
     pub domain: Option<Domain>,
 }
 
-impl DomainScopeTokenBuilder {
+impl DomainScopePayloadBuilder {
     pub fn methods<I, V>(&mut self, iter: I) -> &mut Self
     where
         I: Iterator<Item = V>,
@@ -68,14 +68,14 @@ impl DomainScopeTokenBuilder {
     }
 }
 
-impl From<DomainScopeToken> for Token {
-    fn from(value: DomainScopeToken) -> Self {
+impl From<DomainScopePayload> for Token {
+    fn from(value: DomainScopePayload) -> Self {
         Token::DomainScope(value)
     }
 }
 
-impl MsgPackToken for DomainScopeToken {
-    type Token = DomainScopeToken;
+impl MsgPackToken for DomainScopePayload {
+    type Token = DomainScopePayload;
 
     fn assemble<W: Write>(
         &self,
@@ -127,7 +127,7 @@ mod tests {
 
     #[test]
     fn test_roundtrip() {
-        let token = DomainScopeToken {
+        let token = DomainScopePayload {
             user_id: Uuid::new_v4().simple().to_string(),
             methods: vec!["password".into()],
             domain_id: Uuid::new_v4().simple().to_string(),
@@ -140,7 +140,7 @@ mod tests {
         token.assemble(&mut buf, &auth_map).unwrap();
         let encoded_buf = buf.clone();
         let decoded =
-            DomainScopeToken::disassemble(&mut encoded_buf.as_slice(), &auth_map).unwrap();
+            DomainScopePayload::disassemble(&mut encoded_buf.as_slice(), &auth_map).unwrap();
         assert_eq!(token, decoded);
     }
 }
diff --git a/src/token/error.rs b/src/token/error.rs
index 6a3238db..1652955a 100644
--- a/src/token/error.rs
+++ b/src/token/error.rs
@@ -99,21 +99,21 @@ pub enum TokenProviderError {
     UnscopedBuilder {
         /// The source of the error.
         #[from]
-        source: crate::token::unscoped::UnscopedTokenBuilderError,
+        source: crate::token::unscoped::UnscopedPayloadBuilderError,
     },
 
     #[error(transparent)]
     ProjectScopeBuilder {
         /// The source of the error.
         #[from]
-        source: crate::token::project_scoped::ProjectScopeTokenBuilderError,
+        source: crate::token::project_scoped::ProjectScopePayloadBuilderError,
     },
 
     #[error(transparent)]
     DomainScopeBuilder {
         /// The source of the error.
         #[from]
-        source: crate::token::domain_scoped::DomainScopeTokenBuilderError,
+        source: crate::token::domain_scoped::DomainScopePayloadBuilderError,
     },
 
     #[error(transparent)]
diff --git a/src/token/federation_domain_scoped.rs b/src/token/federation_domain_scoped.rs
new file mode 100644
index 00000000..d01fbf19
--- /dev/null
+++ b/src/token/federation_domain_scoped.rs
@@ -0,0 +1,155 @@
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+use chrono::{DateTime, Utc};
+use derive_builder::Builder;
+use rmp::{decode::read_pfix, encode::write_pfix};
+use std::collections::BTreeMap;
+use std::io::Write;
+
+use crate::token::{
+    error::TokenProviderError,
+    fernet::{self, MsgPackToken},
+    fernet_utils,
+    types::Token,
+};
+
+/// Federated domain scope token payload
+#[derive(Builder, Clone, Debug, Default, PartialEq)]
+#[builder(setter(strip_option, into))]
+pub struct FederationDomainScopePayload {
+    pub user_id: String,
+    #[builder(default, setter(name = _methods))]
+    pub methods: Vec<String>,
+    #[builder(default, setter(name = _audit_ids))]
+    pub audit_ids: Vec<String>,
+    pub expires_at: DateTime<Utc>,
+    pub domain_id: String,
+    pub idp_id: String,
+    pub protocol_id: String,
+    pub group_ids: Vec<String>,
+}
+
+impl FederationDomainScopePayloadBuilder {
+    pub fn methods<I, V>(&mut self, iter: I) -> &mut Self
+    where
+        I: Iterator<Item = V>,
+        V: Into<String>,
+    {
+        self.methods
+            .get_or_insert_with(Vec::new)
+            .extend(iter.map(Into::into));
+        self
+    }
+
+    pub fn audit_ids<I, V>(&mut self, iter: I) -> &mut Self
+    where
+        I: Iterator<Item = V>,
+        V: Into<String>,
+    {
+        self.audit_ids
+            .get_or_insert_with(Vec::new)
+            .extend(iter.map(Into::into));
+        self
+    }
+}
+
+impl From<FederationDomainScopePayload> for Token {
+    fn from(value: FederationDomainScopePayload) -> Self {
+        Token::FederationDomainScope(value)
+    }
+}
+
+impl MsgPackToken for FederationDomainScopePayload {
+    type Token = FederationDomainScopePayload;
+
+    fn assemble<W: Write>(
+        &self,
+        wd: &mut W,
+        auth_map: &BTreeMap<usize, String>,
+    ) -> Result<(), TokenProviderError> {
+        fernet_utils::write_uuid(wd, &self.user_id)?;
+        write_pfix(
+            wd,
+            fernet::encode_auth_methods(self.methods.clone(), auth_map)? as u8,
+        )
+        .map_err(|x| TokenProviderError::RmpEncode(x.to_string()))?;
+        fernet_utils::write_uuid(wd, &self.domain_id)?;
+        fernet_utils::write_list_of_uuids(wd, self.group_ids.iter())?;
+        fernet_utils::write_uuid(wd, &self.idp_id)?;
+        fernet_utils::write_uuid(wd, &self.protocol_id)?;
+        fernet_utils::write_time(wd, self.expires_at)?;
+        fernet_utils::write_audit_ids(wd, self.audit_ids.clone())?;
+
+        Ok(())
+    }
+
+    fn disassemble(
+        rd: &mut &[u8],
+        auth_map: &BTreeMap<usize, String>,
+    ) -> Result<Self::Token, TokenProviderError> {
+        // Order of reading is important
+        let user_id = fernet_utils::read_uuid(rd)?;
+        println!("u: {:?}", user_id);
+        let methods: Vec<String> = fernet::decode_auth_methods(read_pfix(rd)?.into(), auth_map)?
+            .into_iter()
+            .collect();
+        let domain_id = fernet_utils::read_uuid(rd)?;
+        let group_ids = fernet_utils::read_list_of_uuids(rd)?;
+        let idp_id = fernet_utils::read_uuid(rd)?;
+        let protocol_id = fernet_utils::read_uuid(rd)?;
+        let expires_at = fernet_utils::read_time(rd)?;
+        let audit_ids: Vec<String> = fernet_utils::read_audit_ids(rd)?.into_iter().collect();
+        Ok(Self {
+            user_id,
+            methods,
+            expires_at,
+            audit_ids,
+            domain_id,
+            group_ids: group_ids.into_iter().collect(),
+            idp_id,
+            protocol_id,
+        })
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use chrono::{Local, SubsecRound};
+    use uuid::Uuid;
+
+    use super::*;
+
+    #[test]
+    fn test_roundtrip() {
+        let token = FederationDomainScopePayload {
+            user_id: Uuid::new_v4().simple().to_string(),
+            methods: vec!["oidc".into()],
+            audit_ids: vec!["Zm9vCg".into()],
+            expires_at: Local::now().trunc_subsecs(0).into(),
+            domain_id: "pid".into(),
+            group_ids: vec!["g1".into()],
+            idp_id: "idp_id".into(),
+            protocol_id: "proto".into(),
+        };
+        let auth_map = BTreeMap::from([(1, "oidc".into())]);
+        let mut buf = vec![];
+        token.assemble(&mut buf, &auth_map).unwrap();
+        let encoded_buf = buf.clone();
+        let decoded =
+            FederationDomainScopePayload::disassemble(&mut encoded_buf.as_slice(), &auth_map)
+                .unwrap();
+        assert_eq!(token, decoded);
+    }
+}
diff --git a/src/token/federation_project_scoped.rs b/src/token/federation_project_scoped.rs
new file mode 100644
index 00000000..760ef7ff
--- /dev/null
+++ b/src/token/federation_project_scoped.rs
@@ -0,0 +1,155 @@
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+use chrono::{DateTime, Utc};
+use derive_builder::Builder;
+use rmp::{decode::read_pfix, encode::write_pfix};
+use std::collections::BTreeMap;
+use std::io::Write;
+
+use crate::token::{
+    error::TokenProviderError,
+    fernet::{self, MsgPackToken},
+    fernet_utils,
+    types::Token,
+};
+
+/// Federated project scope token payload
+#[derive(Builder, Clone, Debug, Default, PartialEq)]
+#[builder(setter(strip_option, into))]
+pub struct FederationProjectScopePayload {
+    pub user_id: String,
+    #[builder(default, setter(name = _methods))]
+    pub methods: Vec<String>,
+    #[builder(default, setter(name = _audit_ids))]
+    pub audit_ids: Vec<String>,
+    pub expires_at: DateTime<Utc>,
+    pub project_id: String,
+    pub idp_id: String,
+    pub protocol_id: String,
+    pub group_ids: Vec<String>,
+}
+
+impl FederationProjectScopePayloadBuilder {
+    pub fn methods<I, V>(&mut self, iter: I) -> &mut Self
+    where
+        I: Iterator<Item = V>,
+        V: Into<String>,
+    {
+        self.methods
+            .get_or_insert_with(Vec::new)
+            .extend(iter.map(Into::into));
+        self
+    }
+
+    pub fn audit_ids<I, V>(&mut self, iter: I) -> &mut Self
+    where
+        I: Iterator<Item = V>,
+        V: Into<String>,
+    {
+        self.audit_ids
+            .get_or_insert_with(Vec::new)
+            .extend(iter.map(Into::into));
+        self
+    }
+}
+
+impl From<FederationProjectScopePayload> for Token {
+    fn from(value: FederationProjectScopePayload) -> Self {
+        Token::FederationProjectScope(value)
+    }
+}
+
+impl MsgPackToken for FederationProjectScopePayload {
+    type Token = FederationProjectScopePayload;
+
+    fn assemble<W: Write>(
+        &self,
+        wd: &mut W,
+        auth_map: &BTreeMap<usize, String>,
+    ) -> Result<(), TokenProviderError> {
+        fernet_utils::write_uuid(wd, &self.user_id)?;
+        write_pfix(
+            wd,
+            fernet::encode_auth_methods(self.methods.clone(), auth_map)? as u8,
+        )
+        .map_err(|x| TokenProviderError::RmpEncode(x.to_string()))?;
+        fernet_utils::write_uuid(wd, &self.project_id)?;
+        fernet_utils::write_list_of_uuids(wd, self.group_ids.iter())?;
+        fernet_utils::write_uuid(wd, &self.idp_id)?;
+        fernet_utils::write_uuid(wd, &self.protocol_id)?;
+        fernet_utils::write_time(wd, self.expires_at)?;
+        fernet_utils::write_audit_ids(wd, self.audit_ids.clone())?;
+
+        Ok(())
+    }
+
+    fn disassemble(
+        rd: &mut &[u8],
+        auth_map: &BTreeMap<usize, String>,
+    ) -> Result<Self::Token, TokenProviderError> {
+        // Order of reading is important
+        let user_id = fernet_utils::read_uuid(rd)?;
+        println!("u: {:?}", user_id);
+        let methods: Vec<String> = fernet::decode_auth_methods(read_pfix(rd)?.into(), auth_map)?
+            .into_iter()
+            .collect();
+        let project_id = fernet_utils::read_uuid(rd)?;
+        let group_ids = fernet_utils::read_list_of_uuids(rd)?;
+        let idp_id = fernet_utils::read_uuid(rd)?;
+        let protocol_id = fernet_utils::read_uuid(rd)?;
+        let expires_at = fernet_utils::read_time(rd)?;
+        let audit_ids: Vec<String> = fernet_utils::read_audit_ids(rd)?.into_iter().collect();
+        Ok(Self {
+            user_id,
+            methods,
+            expires_at,
+            audit_ids,
+            project_id,
+            group_ids: group_ids.into_iter().collect(),
+            idp_id,
+            protocol_id,
+        })
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use chrono::{Local, SubsecRound};
+    use uuid::Uuid;
+
+    use super::*;
+
+    #[test]
+    fn test_roundtrip() {
+        let token = FederationProjectScopePayload {
+            user_id: Uuid::new_v4().simple().to_string(),
+            methods: vec!["oidc".into()],
+            audit_ids: vec!["Zm9vCg".into()],
+            expires_at: Local::now().trunc_subsecs(0).into(),
+            project_id: "pid".into(),
+            group_ids: vec!["g1".into()],
+            idp_id: "idp_id".into(),
+            protocol_id: "proto".into(),
+        };
+        let auth_map = BTreeMap::from([(1, "oidc".into())]);
+        let mut buf = vec![];
+        token.assemble(&mut buf, &auth_map).unwrap();
+        let encoded_buf = buf.clone();
+        let decoded =
+            FederationProjectScopePayload::disassemble(&mut encoded_buf.as_slice(), &auth_map)
+                .unwrap();
+        assert_eq!(token, decoded);
+    }
+}
diff --git a/src/token/federation_unscoped.rs b/src/token/federation_unscoped.rs
new file mode 100644
index 00000000..518c1794
--- /dev/null
+++ b/src/token/federation_unscoped.rs
@@ -0,0 +1,149 @@
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+use chrono::{DateTime, Utc};
+use derive_builder::Builder;
+use rmp::{decode::read_pfix, encode::write_pfix};
+use std::collections::BTreeMap;
+use std::io::Write;
+
+use crate::token::{
+    error::TokenProviderError,
+    fernet::{self, MsgPackToken},
+    fernet_utils,
+    types::Token,
+};
+
+/// Federated unscoped token payload
+#[derive(Builder, Clone, Debug, Default, PartialEq)]
+#[builder(setter(strip_option, into))]
+pub struct FederationUnscopedPayload {
+    pub user_id: String,
+    #[builder(default, setter(name = _methods))]
+    pub methods: Vec<String>,
+    #[builder(default, setter(name = _audit_ids))]
+    pub audit_ids: Vec<String>,
+    pub expires_at: DateTime<Utc>,
+    pub idp_id: String,
+    pub protocol_id: String,
+    pub group_ids: Vec<String>,
+}
+
+impl FederationUnscopedPayloadBuilder {
+    pub fn methods<I, V>(&mut self, iter: I) -> &mut Self
+    where
+        I: Iterator<Item = V>,
+        V: Into<String>,
+    {
+        self.methods
+            .get_or_insert_with(Vec::new)
+            .extend(iter.map(Into::into));
+        self
+    }
+
+    pub fn audit_ids<I, V>(&mut self, iter: I) -> &mut Self
+    where
+        I: Iterator<Item = V>,
+        V: Into<String>,
+    {
+        self.audit_ids
+            .get_or_insert_with(Vec::new)
+            .extend(iter.map(Into::into));
+        self
+    }
+}
+
+impl From<FederationUnscopedPayload> for Token {
+    fn from(value: FederationUnscopedPayload) -> Self {
+        Token::FederationUnscoped(value)
+    }
+}
+
+impl MsgPackToken for FederationUnscopedPayload {
+    type Token = FederationUnscopedPayload;
+
+    fn assemble<W: Write>(
+        &self,
+        wd: &mut W,
+        auth_map: &BTreeMap<usize, String>,
+    ) -> Result<(), TokenProviderError> {
+        fernet_utils::write_uuid(wd, &self.user_id)?;
+        write_pfix(
+            wd,
+            fernet::encode_auth_methods(self.methods.clone(), auth_map)? as u8,
+        )
+        .map_err(|x| TokenProviderError::RmpEncode(x.to_string()))?;
+        fernet_utils::write_list_of_uuids(wd, self.group_ids.iter())?;
+        fernet_utils::write_uuid(wd, &self.idp_id)?;
+        fernet_utils::write_uuid(wd, &self.protocol_id)?;
+        fernet_utils::write_time(wd, self.expires_at)?;
+        fernet_utils::write_audit_ids(wd, self.audit_ids.clone())?;
+
+        Ok(())
+    }
+
+    fn disassemble(
+        rd: &mut &[u8],
+        auth_map: &BTreeMap<usize, String>,
+    ) -> Result<Self::Token, TokenProviderError> {
+        // Order of reading is important
+        let user_id = fernet_utils::read_uuid(rd)?;
+        println!("u: {:?}", user_id);
+        let methods: Vec<String> = fernet::decode_auth_methods(read_pfix(rd)?.into(), auth_map)?
+            .into_iter()
+            .collect();
+        let group_ids = fernet_utils::read_list_of_uuids(rd)?;
+        let idp_id = fernet_utils::read_uuid(rd)?;
+        let protocol_id = fernet_utils::read_uuid(rd)?;
+        let expires_at = fernet_utils::read_time(rd)?;
+        let audit_ids: Vec<String> = fernet_utils::read_audit_ids(rd)?.into_iter().collect();
+        Ok(Self {
+            user_id,
+            methods,
+            expires_at,
+            audit_ids,
+            group_ids: group_ids.into_iter().collect(),
+            idp_id,
+            protocol_id,
+        })
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use chrono::{Local, SubsecRound};
+    use uuid::Uuid;
+
+    use super::*;
+
+    #[test]
+    fn test_roundtrip() {
+        let token = FederationUnscopedPayload {
+            user_id: Uuid::new_v4().simple().to_string(),
+            methods: vec!["oidc".into()],
+            audit_ids: vec!["Zm9vCg".into()],
+            expires_at: Local::now().trunc_subsecs(0).into(),
+            group_ids: vec!["g1".into()],
+            idp_id: "idp_id".into(),
+            protocol_id: "proto".into(),
+        };
+        let auth_map = BTreeMap::from([(1, "oidc".into())]);
+        let mut buf = vec![];
+        token.assemble(&mut buf, &auth_map).unwrap();
+        let encoded_buf = buf.clone();
+        let decoded =
+            FederationUnscopedPayload::disassemble(&mut encoded_buf.as_slice(), &auth_map).unwrap();
+        assert_eq!(token, decoded);
+    }
+}
diff --git a/src/token/fernet.rs b/src/token/fernet.rs
index 58604bad..31d42cc9 100644
--- a/src/token/fernet.rs
+++ b/src/token/fernet.rs
@@ -26,9 +26,11 @@ use std::io::Write;
 
 use crate::config::Config;
 use crate::token::{
-    TokenProviderError, application_credential::ApplicationCredentialToken,
-    domain_scoped::DomainScopeToken, fernet_utils::FernetUtils, project_scoped::ProjectScopeToken,
-    types::*, unscoped::UnscopedToken,
+    TokenProviderError, application_credential::ApplicationCredentialPayload,
+    domain_scoped::DomainScopePayload, federation_domain_scoped::FederationDomainScopePayload,
+    federation_project_scoped::FederationProjectScopePayload,
+    federation_unscoped::FederationUnscopedPayload, fernet_utils::FernetUtils,
+    project_scoped::ProjectScopePayload, types::*, unscoped::UnscopedPayload,
 };
 
 #[derive(Default, Clone)]
@@ -116,10 +118,13 @@ impl FernetTokenProvider {
     fn decode(&self, rd: &mut &[u8]) -> Result<Token, TokenProviderError> {
         if let Marker::FixArray(_) = read_marker(rd).map_err(ValueReadError::from)? {
             match read_payload_token_type(rd)? {
-                0 => Ok(UnscopedToken::disassemble(rd, &self.auth_map)?.into()),
-                1 => Ok(DomainScopeToken::disassemble(rd, &self.auth_map)?.into()),
-                2 => Ok(ProjectScopeToken::disassemble(rd, &self.auth_map)?.into()),
-                9 => Ok(ApplicationCredentialToken::disassemble(rd, &self.auth_map)?.into()),
+                0 => Ok(UnscopedPayload::disassemble(rd, &self.auth_map)?.into()),
+                1 => Ok(DomainScopePayload::disassemble(rd, &self.auth_map)?.into()),
+                2 => Ok(ProjectScopePayload::disassemble(rd, &self.auth_map)?.into()),
+                4 => Ok(FederationUnscopedPayload::disassemble(rd, &self.auth_map)?.into()),
+                5 => Ok(FederationProjectScopePayload::disassemble(rd, &self.auth_map)?.into()),
+                6 => Ok(FederationDomainScopePayload::disassemble(rd, &self.auth_map)?.into()),
+                9 => Ok(ApplicationCredentialPayload::disassemble(rd, &self.auth_map)?.into()),
                 other => Err(TokenProviderError::InvalidTokenType(other)),
             }
         } else {
@@ -152,6 +157,27 @@ impl FernetTokenProvider {
                     .map_err(|x| TokenProviderError::RmpEncode(x.to_string()))?;
                 data.assemble(&mut buf, &self.auth_map)?;
             }
+            Token::FederationUnscoped(data) => {
+                write_array_len(&mut buf, 7)
+                    .map_err(|x| TokenProviderError::RmpEncode(x.to_string()))?;
+                write_pfix(&mut buf, 4)
+                    .map_err(|x| TokenProviderError::RmpEncode(x.to_string()))?;
+                data.assemble(&mut buf, &self.auth_map)?;
+            }
+            Token::FederationProjectScope(data) => {
+                write_array_len(&mut buf, 8)
+                    .map_err(|x| TokenProviderError::RmpEncode(x.to_string()))?;
+                write_pfix(&mut buf, 5)
+                    .map_err(|x| TokenProviderError::RmpEncode(x.to_string()))?;
+                data.assemble(&mut buf, &self.auth_map)?;
+            }
+            Token::FederationDomainScope(data) => {
+                write_array_len(&mut buf, 8)
+                    .map_err(|x| TokenProviderError::RmpEncode(x.to_string()))?;
+                write_pfix(&mut buf, 6)
+                    .map_err(|x| TokenProviderError::RmpEncode(x.to_string()))?;
+                data.assemble(&mut buf, &self.auth_map)?;
+            }
             Token::ApplicationCredential(data) => {
                 write_array_len(&mut buf, 7)
                     .map_err(|x| TokenProviderError::RmpEncode(x.to_string()))?;
@@ -251,7 +277,7 @@ pub(super) mod tests {
         let mut tmp_file = File::create(file_path).unwrap();
         write!(tmp_file, "BFTs1CIVIBLTP4GOrQ26VETrJ7Zwz1O4wbEcCQ966eM=").unwrap();
         let mut config = Config::new(PathBuf::new()).unwrap();
-        config.fernet_tokens.key_repository = keys_dir.into_path();
+        config.fernet_tokens.key_repository = keys_dir.keep();
         config.auth.methods = vec![
             "password".into(),
             "token".into(),
@@ -288,7 +314,7 @@ pub(super) mod tests {
 
     #[tokio::test]
     async fn test_unscoped_roundtrip() {
-        let token = Token::Unscoped(UnscopedToken {
+        let token = Token::Unscoped(UnscopedPayload {
             user_id: Uuid::new_v4().simple().to_string(),
             methods: vec!["password".into()],
             audit_ids: vec!["Zm9vCg".into()],
@@ -330,7 +356,7 @@ pub(super) mod tests {
 
     #[tokio::test]
     async fn test_domain_roundtrip() {
-        let token = Token::DomainScope(DomainScopeToken {
+        let token = Token::DomainScope(DomainScopePayload {
             user_id: Uuid::new_v4().simple().to_string(),
             methods: vec!["password".into()],
             domain_id: Uuid::new_v4().simple().to_string(),
@@ -374,7 +400,7 @@ pub(super) mod tests {
 
     #[tokio::test]
     async fn test_project_roundtrip() {
-        let token = Token::ProjectScope(ProjectScopeToken {
+        let token = Token::ProjectScope(ProjectScopePayload {
             user_id: Uuid::new_v4().simple().to_string(),
             methods: vec!["password".into()],
             project_id: Uuid::new_v4().simple().to_string(),
@@ -393,6 +419,161 @@ pub(super) mod tests {
         assert_eq!(token, dec_token);
     }
 
+    #[tokio::test]
+    async fn test_decrypt_federation_unscoped() {
+        let token = "gAAAAABoMdfwBgwjAfYCp3RisL_XKSdGKmBqg7ia8jkfsKIXnap_bQ5gUTZGwgEERlpFKzbwpkV-cpiFDuhe9RAnCtbQxEhP7Rg1vt1VLm8afGTulDaLclqot2NC-BONFO2k3V3KyIa-Xrq0mCEGOk-BhNZy2C6iwrWanPCjCuZrWCq4FBirtMs2vrnZPWG5FTGqqkvdQvGj";
+
+        let mut backend = FernetTokenProvider::default();
+        let config = setup_config();
+        backend.set_config(config);
+        backend.load_keys().unwrap();
+
+        if let Token::FederationUnscoped(decrypted) = backend.decrypt(token).unwrap() {
+            assert_eq!(decrypted.user_id, "8980e124df5245509131bdc5c66c54cc");
+            assert_eq!(decrypted.methods, vec!["openid"]);
+            assert_eq!(
+                decrypted.expires_at.to_rfc3339(),
+                "2025-05-24T16:30:03+00:00"
+            );
+            assert_eq!(
+                decrypted.audit_ids,
+                vec!["3622030ded92477095dadcde340770e5"]
+            );
+            assert_eq!(decrypted.idp_id, "idp_id");
+            assert_eq!(decrypted.protocol_id, "oidc");
+            assert_eq!(decrypted.group_ids, vec!["g1", "g2"]);
+        } else {
+            panic!()
+        }
+    }
+
+    #[tokio::test]
+    async fn test_federation_unscoped_roundtrip() {
+        let token = Token::FederationUnscoped(FederationUnscopedPayload {
+            user_id: Uuid::new_v4().simple().to_string(),
+            methods: vec!["password".into()],
+            group_ids: vec!["g1".into()],
+            idp_id: "idp_id".into(),
+            protocol_id: "proto".into(),
+
+            audit_ids: vec!["Zm9vCg".into()],
+            expires_at: Local::now().trunc_subsecs(0).into(),
+        });
+
+        let mut backend = FernetTokenProvider::default();
+        let config = crate::tests::token::setup_config();
+        backend.set_config(config);
+        backend.load_keys().unwrap();
+
+        let encrypted = backend.encrypt(&token).unwrap();
+        let dec_token = backend.decrypt(&encrypted).unwrap();
+        assert_eq!(token, dec_token);
+    }
+
+    #[tokio::test]
+    async fn test_decrypt_federation_project_scope() {
+        let token = "gAAAAABoNdYE5zCP0qQtHqhdbZHQ7YdLvfDlUTpLou8FJFoMKsd4I9jyVyaWrluYXKXofnwzemA-wybhtbNruwqDYH-wmHdMlgYuZyy21o8ylphU5yd2b-5KvGpXo61fTVTzhdHFTzJKVit_7Lcwq0S45xQ9x14sVRd870NEwfmOvUVR5BGzmnpFLvWtkaPSpbxMAzfn_NSC";
+
+        let mut backend = FernetTokenProvider::default();
+        let config = setup_config();
+        backend.set_config(config);
+        backend.load_keys().unwrap();
+
+        if let Token::FederationProjectScope(decrypted) = backend.decrypt(token).unwrap() {
+            assert_eq!(decrypted.user_id, "8980e124df5245509131bdc5c66c54cc");
+            assert_eq!(decrypted.methods, vec!["openid"]);
+            assert_eq!(
+                decrypted.expires_at.to_rfc3339(),
+                "2025-05-27T17:11:00+00:00",
+            );
+            assert_eq!(
+                decrypted.audit_ids,
+                vec!["dcbf4d403b7a45dca32d029d54c953d9"]
+            );
+            assert_eq!(decrypted.project_id, "pid");
+            assert_eq!(decrypted.idp_id, "idp_id");
+            assert_eq!(decrypted.protocol_id, "oidc");
+            assert_eq!(decrypted.group_ids, vec!["g1", "g2"]);
+        } else {
+            panic!()
+        }
+    }
+
+    #[tokio::test]
+    async fn test_federation_project_scope_roundtrip() {
+        let token = Token::FederationProjectScope(FederationProjectScopePayload {
+            user_id: Uuid::new_v4().simple().to_string(),
+            methods: vec!["password".into()],
+            project_id: "pid".into(),
+            group_ids: vec!["g1".into()],
+            idp_id: "idp_id".into(),
+            protocol_id: "proto".into(),
+            audit_ids: vec!["Zm9vCg".into()],
+            expires_at: Local::now().trunc_subsecs(0).into(),
+        });
+
+        let mut backend = FernetTokenProvider::default();
+        let config = crate::tests::token::setup_config();
+        backend.set_config(config);
+        backend.load_keys().unwrap();
+
+        let encrypted = backend.encrypt(&token).unwrap();
+        let dec_token = backend.decrypt(&encrypted).unwrap();
+        assert_eq!(token, dec_token);
+    }
+
+    #[tokio::test]
+    async fn test_decrypt_federation_domain_scope() {
+        let token = "gAAAAABoNddwFaB2Oq26-4f8nRK3Bph7-QsIh30Rbefbb78owJXaQcjNQm5Qq1gHouS6JSqgfpdna3ML1vdTVnVnFScX-T-CZ-CqtBPUuEBHFEzdNBDKQHloYajZ2sknwbe_uIs1SDS9tBFLvkVth1eVjDhdEawINHjUCFhNPObZKas5V0j7bsvChNeZBKsznruJwCtcrWr5";
+
+        let mut backend = FernetTokenProvider::default();
+        let config = setup_config();
+        backend.set_config(config);
+        backend.load_keys().unwrap();
+
+        if let Token::FederationDomainScope(decrypted) = backend.decrypt(token).unwrap() {
+            assert_eq!(decrypted.user_id, "8980e124df5245509131bdc5c66c54cc");
+            assert_eq!(decrypted.methods, vec!["openid"]);
+            assert_eq!(
+                decrypted.expires_at.to_rfc3339(),
+                "2025-05-27T17:17:04+00:00",
+            );
+            assert_eq!(
+                decrypted.audit_ids,
+                vec!["ab892135f51240f5bae8ec7179873bf6"]
+            );
+            assert_eq!(decrypted.domain_id, "did");
+            assert_eq!(decrypted.idp_id, "idp_id");
+            assert_eq!(decrypted.protocol_id, "oidc");
+            assert_eq!(decrypted.group_ids, vec!["g1", "g2"]);
+        } else {
+            panic!()
+        }
+    }
+
+    #[tokio::test]
+    async fn test_federation_domain_scope_roundtrip() {
+        let token = Token::FederationDomainScope(FederationDomainScopePayload {
+            user_id: Uuid::new_v4().simple().to_string(),
+            methods: vec!["password".into()],
+            domain_id: "pid".into(),
+            group_ids: vec!["g1".into()],
+            idp_id: "idp_id".into(),
+            protocol_id: "proto".into(),
+            audit_ids: vec!["Zm9vCg".into()],
+            expires_at: Local::now().trunc_subsecs(0).into(),
+        });
+
+        let mut backend = FernetTokenProvider::default();
+        let config = crate::tests::token::setup_config();
+        backend.set_config(config);
+        backend.load_keys().unwrap();
+
+        let encrypted = backend.encrypt(&token).unwrap();
+        let dec_token = backend.decrypt(&encrypted).unwrap();
+        assert_eq!(token, dec_token);
+    }
+
     #[tokio::test]
     async fn test_decrypt_application_credential() {
         let token = "gAAAAABnt11m57ZlI9JU0g2BKJw2EN-InbAIijcIG7SxvPATntgTlcTMwha-Fh7isNNIwDq2WaWglV1nYgftfoUK245ZnEJ0_gXaIhl6COhNommYv2Bs9PnJqfgrrxrIrB8rh4pfeyCtMkv5ePYgFFPyRFE37l3k7qL5p7qVhYT37yT1-K5lYAV0f6Vy70h3KX1HO0m6Rl90";
@@ -422,7 +603,7 @@ pub(super) mod tests {
 
     #[tokio::test]
     async fn test_application_credential_roundtrip() {
-        let token = Token::ApplicationCredential(ApplicationCredentialToken {
+        let token = Token::ApplicationCredential(ApplicationCredentialPayload {
             user_id: Uuid::new_v4().simple().to_string(),
             methods: vec!["application_credential".into()],
             project_id: Uuid::new_v4().simple().to_string(),
diff --git a/src/token/fernet_utils.rs b/src/token/fernet_utils.rs
index 4f90e3a4..41dc4342 100644
--- a/src/token/fernet_utils.rs
+++ b/src/token/fernet_utils.rs
@@ -109,19 +109,28 @@ pub fn read_uuid(rd: &mut &[u8]) -> Result<String, TokenProviderError> {
                             .as_simple()
                             .to_string());
                     }
+                    println!("1");
                 }
                 Marker::False => {
                     // This is not uuid
-                    if let Marker::Bin8 = read_marker(rd).map_err(ValueReadError::from)? {
-                        return Ok(String::from_utf8_lossy(&read_bin_data(
-                            read_pfix(rd)?.into(),
-                            rd,
-                        )?)
-                        .to_string());
+                    match read_marker(rd).map_err(ValueReadError::from)? {
+                        Marker::Bin8 => {
+                            return Ok(String::from_utf8_lossy(&read_bin_data(
+                                read_pfix(rd)?.into(),
+                                rd,
+                            )?)
+                            .to_string());
+                        }
+                        Marker::FixStr(len) => {
+                            return Ok(read_str_data(len.into(), rd)?);
+                        }
+                        other => {
+                            return Err(TokenProviderError::InvalidTokenUuidMarker(other));
+                        }
                     }
                 }
-                _ => {
-                    return Err(TokenProviderError::InvalidTokenUuid);
+                other => {
+                    return Err(TokenProviderError::InvalidTokenUuidMarker(other));
                 }
             }
         }
@@ -132,6 +141,7 @@ pub fn read_uuid(rd: &mut &[u8]) -> Result<String, TokenProviderError> {
             return Err(TokenProviderError::InvalidTokenUuidMarker(other));
         }
     }
+    println!("here");
     Err(TokenProviderError::InvalidTokenUuid)
 }
 
@@ -208,6 +218,34 @@ pub fn write_audit_ids<W: RmpWrite, I: IntoIterator<Item = String>>(
     Ok(())
 }
 
+/// Decode array of strings ids from the payload
+pub fn read_list_of_uuids(
+    rd: &mut &[u8],
+) -> Result<impl IntoIterator<Item = String> + use<>, TokenProviderError> {
+    if let Marker::FixArray(len) = read_marker(rd).map_err(ValueReadError::from)? {
+        let mut result: Vec<String> = Vec::new();
+        for _ in 0..len {
+            result.push(read_uuid(rd)?);
+        }
+        return Ok(result.into_iter());
+    }
+    Err(TokenProviderError::InvalidToken)
+}
+
+/// Encode array of bytes into the payload
+pub fn write_list_of_uuids<W: RmpWrite, I: IntoIterator<Item = V>, V: AsRef<str>>(
+    wd: &mut W,
+    data: I,
+) -> Result<(), TokenProviderError> {
+    let vals = Vec::from_iter(data);
+    write_array_len(wd, vals.len() as u32)
+        .map_err(|x| TokenProviderError::RmpEncode(x.to_string()))?;
+    for val in vals.iter() {
+        write_uuid(wd, val.as_ref())?;
+    }
+    Ok(())
+}
+
 #[cfg(test)]
 mod tests {
     use super::FernetUtils;
@@ -232,7 +270,7 @@ mod tests {
         write!(tmp_file, "foo").unwrap();
 
         let utils = FernetUtils {
-            key_repository: tmp_dir.into_path(),
+            key_repository: tmp_dir.keep(),
             ..Default::default()
         };
         let keys: Vec<String> = utils.load_keys_async().await.unwrap().into_iter().collect();
diff --git a/src/token/mod.rs b/src/token/mod.rs
index 4ef946a8..7dd0a241 100644
--- a/src/token/mod.rs
+++ b/src/token/mod.rs
@@ -21,6 +21,9 @@ use sea_orm::DatabaseConnection;
 pub mod application_credential;
 pub mod domain_scoped;
 pub mod error;
+pub mod federation_domain_scoped;
+pub mod federation_project_scoped;
+pub mod federation_unscoped;
 pub mod fernet;
 pub mod fernet_utils;
 pub mod project_scoped;
@@ -41,11 +44,11 @@ use crate::resource::{
 pub use error::TokenProviderError;
 use types::TokenBackend;
 
-pub use application_credential::ApplicationCredentialToken;
-pub use domain_scoped::{DomainScopeToken, DomainScopeTokenBuilder};
-pub use project_scoped::{ProjectScopeToken, ProjectScopeTokenBuilder};
+pub use application_credential::ApplicationCredentialPayload;
+pub use domain_scoped::{DomainScopePayload, DomainScopePayloadBuilder};
+pub use project_scoped::{ProjectScopePayload, ProjectScopePayloadBuilder};
 pub use types::Token;
-pub use unscoped::{UnscopedToken, UnscopedTokenBuilder};
+pub use unscoped::{UnscopedPayload, UnscopedPayloadBuilder};
 
 #[derive(Clone, Debug)]
 pub struct TokenProvider {
@@ -152,7 +155,7 @@ impl TokenApi for TokenProvider {
     {
         let token = if let Some(project) = project {
             Token::ProjectScope(
-                ProjectScopeTokenBuilder::default()
+                ProjectScopePayloadBuilder::default()
                     .user_id(user_id.as_ref())
                     .methods(methods.into_iter())
                     .audit_ids(audit_ids.into_iter())
@@ -170,7 +173,7 @@ impl TokenApi for TokenProvider {
             )
         } else if let Some(domain) = domain {
             Token::DomainScope(
-                DomainScopeTokenBuilder::default()
+                DomainScopePayloadBuilder::default()
                     .user_id(user_id.as_ref())
                     .methods(methods.into_iter())
                     .audit_ids(audit_ids.into_iter())
@@ -188,7 +191,7 @@ impl TokenApi for TokenProvider {
             )
         } else {
             Token::Unscoped(
-                UnscopedTokenBuilder::default()
+                UnscopedPayloadBuilder::default()
                     .user_id(user_id.as_ref())
                     .methods(methods.into_iter())
                     .audit_ids(audit_ids.into_iter())
@@ -419,7 +422,7 @@ mod tests {
 
     use crate::config::Config;
 
-    use crate::token::{DomainScopeToken, ProjectScopeToken, Token, UnscopedToken};
+    use crate::token::{DomainScopePayload, ProjectScopePayload, Token, UnscopedPayload};
 
     #[tokio::test]
     async fn test_populate_role_assignments() {
@@ -461,7 +464,7 @@ mod tests {
             .build()
             .unwrap();
 
-        let mut ptoken = Token::ProjectScope(ProjectScopeToken {
+        let mut ptoken = Token::ProjectScope(ProjectScopePayload {
             user_id: "bar".into(),
             project_id: "project_id".into(),
             ..Default::default()
@@ -484,7 +487,7 @@ mod tests {
             panic!("Not project scope");
         }
 
-        let mut dtoken = Token::DomainScope(DomainScopeToken {
+        let mut dtoken = Token::DomainScope(DomainScopePayload {
             user_id: "bar".into(),
             domain_id: "domain_id".into(),
             ..Default::default()
@@ -507,7 +510,7 @@ mod tests {
             panic!("Not domain scope");
         }
 
-        let mut utoken = Token::Unscoped(UnscopedToken {
+        let mut utoken = Token::Unscoped(UnscopedPayload {
             user_id: "bar".into(),
             ..Default::default()
         });
diff --git a/src/token/project_scoped.rs b/src/token/project_scoped.rs
index 74d27b2c..66129732 100644
--- a/src/token/project_scoped.rs
+++ b/src/token/project_scoped.rs
@@ -29,7 +29,7 @@ use crate::token::{
 
 #[derive(Builder, Clone, Debug, Default, PartialEq)]
 #[builder(setter(strip_option, into))]
-pub struct ProjectScopeToken {
+pub struct ProjectScopePayload {
     pub user_id: String,
     #[builder(default, setter(name = _methods))]
     pub methods: Vec<String>,
@@ -44,7 +44,7 @@ pub struct ProjectScopeToken {
     pub project: Option<Project>,
 }
 
-impl ProjectScopeTokenBuilder {
+impl ProjectScopePayloadBuilder {
     pub fn methods<I, V>(&mut self, iter: I) -> &mut Self
     where
         I: Iterator<Item = V>,
@@ -68,14 +68,14 @@ impl ProjectScopeTokenBuilder {
     }
 }
 
-impl From<ProjectScopeToken> for Token {
-    fn from(value: ProjectScopeToken) -> Self {
+impl From<ProjectScopePayload> for Token {
+    fn from(value: ProjectScopePayload) -> Self {
         Token::ProjectScope(value)
     }
 }
 
-impl MsgPackToken for ProjectScopeToken {
-    type Token = ProjectScopeToken;
+impl MsgPackToken for ProjectScopePayload {
+    type Token = ProjectScopePayload;
 
     fn assemble<W: Write>(
         &self,
@@ -127,7 +127,7 @@ mod tests {
 
     #[test]
     fn test_roundtrip() {
-        let token = ProjectScopeToken {
+        let token = ProjectScopePayload {
             user_id: Uuid::new_v4().simple().to_string(),
             methods: vec!["password".into()],
             project_id: Uuid::new_v4().simple().to_string(),
@@ -140,7 +140,7 @@ mod tests {
         token.assemble(&mut buf, &auth_map).unwrap();
         let encoded_buf = buf.clone();
         let decoded =
-            ProjectScopeToken::disassemble(&mut encoded_buf.as_slice(), &auth_map).unwrap();
+            ProjectScopePayload::disassemble(&mut encoded_buf.as_slice(), &auth_map).unwrap();
         assert_eq!(token, decoded);
     }
 }
diff --git a/src/token/types.rs b/src/token/types.rs
index 120b5466..5dbe5ba3 100644
--- a/src/token/types.rs
+++ b/src/token/types.rs
@@ -17,17 +17,23 @@ use dyn_clone::DynClone;
 
 use crate::config::Config;
 use crate::token::TokenProviderError;
-use crate::token::application_credential::ApplicationCredentialToken;
-use crate::token::domain_scoped::DomainScopeToken;
-use crate::token::project_scoped::ProjectScopeToken;
-use crate::token::unscoped::UnscopedToken;
+use crate::token::application_credential::ApplicationCredentialPayload;
+use crate::token::domain_scoped::DomainScopePayload;
+use crate::token::federation_domain_scoped::FederationDomainScopePayload;
+use crate::token::federation_project_scoped::FederationProjectScopePayload;
+use crate::token::federation_unscoped::FederationUnscopedPayload;
+use crate::token::project_scoped::ProjectScopePayload;
+use crate::token::unscoped::UnscopedPayload;
 
 #[derive(Clone, Debug, PartialEq)]
 pub enum Token {
-    Unscoped(UnscopedToken),
-    DomainScope(DomainScopeToken),
-    ProjectScope(ProjectScopeToken),
-    ApplicationCredential(ApplicationCredentialToken),
+    Unscoped(UnscopedPayload),
+    DomainScope(DomainScopePayload),
+    ProjectScope(ProjectScopePayload),
+    FederationUnscoped(FederationUnscopedPayload),
+    FederationProjectScope(FederationProjectScopePayload),
+    FederationDomainScope(FederationDomainScopePayload),
+    ApplicationCredential(ApplicationCredentialPayload),
 }
 
 impl Token {
@@ -36,6 +42,9 @@ impl Token {
             Token::Unscoped(x) => &x.user_id,
             Token::ProjectScope(x) => &x.user_id,
             Token::DomainScope(x) => &x.user_id,
+            Token::FederationUnscoped(x) => &x.user_id,
+            Token::FederationProjectScope(x) => &x.user_id,
+            Token::FederationDomainScope(x) => &x.user_id,
             Token::ApplicationCredential(x) => &x.user_id,
         }
     }
@@ -45,6 +54,9 @@ impl Token {
             Token::Unscoped(x) => &x.expires_at,
             Token::ProjectScope(x) => &x.expires_at,
             Token::DomainScope(x) => &x.expires_at,
+            Token::FederationUnscoped(x) => &x.expires_at,
+            Token::FederationProjectScope(x) => &x.expires_at,
+            Token::FederationDomainScope(x) => &x.expires_at,
             Token::ApplicationCredential(x) => &x.expires_at,
         }
     }
@@ -54,6 +66,9 @@ impl Token {
             Token::Unscoped(x) => &x.methods,
             Token::ProjectScope(x) => &x.methods,
             Token::DomainScope(x) => &x.methods,
+            Token::FederationUnscoped(x) => &x.methods,
+            Token::FederationProjectScope(x) => &x.methods,
+            Token::FederationDomainScope(x) => &x.methods,
             Token::ApplicationCredential(x) => &x.methods,
         }
     }
@@ -63,6 +78,9 @@ impl Token {
             Token::Unscoped(x) => &x.audit_ids,
             Token::ProjectScope(x) => &x.audit_ids,
             Token::DomainScope(x) => &x.audit_ids,
+            Token::FederationUnscoped(x) => &x.audit_ids,
+            Token::FederationProjectScope(x) => &x.audit_ids,
+            Token::FederationDomainScope(x) => &x.audit_ids,
             Token::ApplicationCredential(x) => &x.audit_ids,
         }
     }
diff --git a/src/token/unscoped.rs b/src/token/unscoped.rs
index aad4125b..ef75d68d 100644
--- a/src/token/unscoped.rs
+++ b/src/token/unscoped.rs
@@ -27,7 +27,7 @@ use crate::token::{
 
 #[derive(Builder, Clone, Debug, Default, PartialEq)]
 #[builder(setter(strip_option, into))]
-pub struct UnscopedToken {
+pub struct UnscopedPayload {
     pub user_id: String,
     #[builder(default, setter(name = _methods))]
     pub methods: Vec<String>,
@@ -36,7 +36,7 @@ pub struct UnscopedToken {
     pub expires_at: DateTime<Utc>,
 }
 
-impl UnscopedTokenBuilder {
+impl UnscopedPayloadBuilder {
     pub fn methods<I, V>(&mut self, iter: I) -> &mut Self
     where
         I: Iterator<Item = V>,
@@ -60,14 +60,14 @@ impl UnscopedTokenBuilder {
     }
 }
 
-impl From<UnscopedToken> for Token {
-    fn from(value: UnscopedToken) -> Self {
+impl From<UnscopedPayload> for Token {
+    fn from(value: UnscopedPayload) -> Self {
         Token::Unscoped(value)
     }
 }
 
-impl MsgPackToken for UnscopedToken {
-    type Token = UnscopedToken;
+impl MsgPackToken for UnscopedPayload {
+    type Token = UnscopedPayload;
 
     fn assemble<W: Write>(
         &self,
@@ -115,7 +115,7 @@ mod tests {
 
     #[test]
     fn test_roundtrip() {
-        let token = UnscopedToken {
+        let token = UnscopedPayload {
             user_id: Uuid::new_v4().simple().to_string(),
             methods: vec!["password".into()],
             audit_ids: vec!["Zm9vCg".into()],
@@ -125,7 +125,7 @@ mod tests {
         let mut buf = vec![];
         token.assemble(&mut buf, &auth_map).unwrap();
         let encoded_buf = buf.clone();
-        let decoded = UnscopedToken::disassemble(&mut encoded_buf.as_slice(), &auth_map).unwrap();
+        let decoded = UnscopedPayload::disassemble(&mut encoded_buf.as_slice(), &auth_map).unwrap();
         assert_eq!(token, decoded);
     }
 }