diff --git a/policy/federation/token/check.rego b/policy/auth/token/show.rego
similarity index 63%
rename from policy/federation/token/check.rego
rename to policy/auth/token/show.rego
index 9bb2a9ba..bac9617c 100644
--- a/policy/federation/token/check.rego
+++ b/policy/auth/token/show.rego
@@ -1,8 +1,8 @@
-package identity.check_token
+package identity.auth.token.show
 
 import data.identity
 
-# Update mapping.
+# Validate the token
 
 default allow := false
 
@@ -11,14 +11,16 @@ allow if {
 }
 
 allow if {
- "reader" in input.credentials.roles
- "all" in input.credentials.system_scope
+ "service" in input.credentials.roles
 }
 
 allow if {
- identity.token_subject
+ "reader" in input.credentials.roles
+ input.credentials.system_scope != null
+ "all" == input.credentials.system_scope
 }
 
 allow if {
- "service" in input.credentials.roles
+ identity.token_subject
 }
+
diff --git a/policy/auth/token/show_test.rego b/policy/auth/token/show_test.rego
new file mode 100644
index 00000000..2d638699
--- /dev/null
+++ b/policy/auth/token/show_test.rego
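Review bot: The `input.credentials.system_scope != null` line in the reader rule is redundant with the equality that follows it: when `system_scope` is absent the reference is undefined and the rule body already fails, and when it is `null` the comparison `"all" == null` is false, so `"reader" in input.credentials.roles` followed by `"all" == input.credentials.system_scope` is sufficient on its own. The move from `"all" in …` to `"all" == …` also changes the expected shape of `system_scope` from a collection to a scalar string; that matches the new test, but the Rust side that builds `user_auth` is not in this diff, so confirm it serializes `system_scope` as a string rather than a list, otherwise the reader rule can never match. The header comment `# Validate the token` describes a validation policy rather than what these rules decide; `# Authorization for showing (GET) a token: admin, service, system-scoped readers, or the token's own subject.` would be more accurate. The first `allow` rule (admin) begins before this hunk.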
@@ -0,0 +1,19 @@
+
+package test_auth_token_show
+
+import data.identity.auth.token.show
+
+test_allowed if {
+ show.allow with input as {"credentials": {"roles": ["admin"]}}
+ show.allow with input as {"credentials": {"roles": ["service"]}}
+ show.allow with input as {"credentials": {"roles": ["reader"], "system_scope": "all"}}
+ show.allow with input as {"credentials": {"user_id": "foo"}, "target": {"token": {"user_id": "foo"}}}
+ show.allow with input as {"credentials": {"roles": ["admin"], "user_id": "foo"}, "target": {"token": {"user_id": "bar"}}}
+}
+
+test_forbidden if {
+ not show.allow with input as {"credentials": {"roles": ["reader"], "system_scope": "not_all"}}
+ not show.allow with input as {"credentials": {"roles": ["manager"], "user_id": "foo"}, "target": {"token": {"user_id": "bar"}}}
+ not show.allow with input as {"credentials": {"roles": ["member"], "user_id": "foo"}, "target": {"token": {"user_id": "bar"}}}
+ not show.allow with input as {"credentials": {"roles": ["reader"], "user_id": "foo"}, "target": {"token": {"user_id": "bar"}}}
+}
diff --git a/policy/federation/token/validate.rego b/policy/federation/token/validate.rego
deleted file mode 100644
index 68eaccef..00000000
--- a/policy/federation/token/validate.rego
+++ /dev/null
@@ -1,24 +0,0 @@
-package identity.validate_token
-
-import data.identity
-
-# Update mapping.
-
-default allow := false
-
-allow if {
- "admin" in input.credentials.roles
-}
-
-allow if {
- "reader" in input.credentials.roles
- "all" in input.credentials.system_scope
-}
-
-allow if {
- identity.token_subject
-}
-
-allow if {
- "service" in input.credentials.roles
-}
diff --git a/src/api/v3/auth/token/mod.rs b/src/api/v3/auth/token/mod.rs
index e64927f1..0619f160 100644
--- a/src/api/v3/auth/token/mod.rs
+++ b/src/api/v3/auth/token/mod.rs
@@ -257,7 +257,7 @@ async fn show(
 policy
 .enforce(
- "identity/validate_token",
+ "identity/auth/token/show",
 &user_auth,
 to_value(json!({"token": &token}))?,
 None,
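Review bot: `test_forbidden` covers a reader with the wrong `system_scope` but not the two inputs the reader rule in show.rego is written to reject, `system_scope` missing and `system_scope` set to `null`; adding `not show.allow with input as {"credentials": {"roles": ["reader"]}}` and `not show.allow with input as {"credentials": {"roles": ["reader"], "system_scope": null}}` pins that behaviour. A case with no credentials at all, `not show.allow with input as {}`, would also exercise the `default allow := false` path, since each rule visible in show.rego reads `input.credentials`. The `identity.token_subject` helper behind the last positive case is defined outside this diff, so the subject-match cases depend on `data.identity` being loaded alongside this test.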