A token is issued at the user-account level, meaning that if the user has multiple accounts, each token is tied to a single account only.
When an API request is made with the token, Alaaqat first checks the token's abilities to ensure the token has the ability needed to perform the action, and then also checks the permissions of the token owner. If the token doesn't have the required ability, or the user doesn't have the required permission, the request returns a 403 Forbidden code.
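The two-step check described above, modelled as an added example (not Alaaqat's own code). The ability and permission names, the `Token` structure, the per-account permission table, and the use of one string for both an ability and its matching permission are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Token:
    owner: str            # user who created the token
    account: str          # the single account this token is tied to
    abilities: frozenset  # actions the token itself is allowed to perform

# Constructed sample data: permissions each user holds, per account.
USER_PERMISSIONS = {
    ("sara", "acme"): {"contacts:read", "contacts:write"},
    ("sara", "globex"): {"contacts:read"},
}

def authorize(token: Token, action: str) -> int:
    """Return the HTTP status the two-step check produces for this action."""
    # Step 1: the token must carry the ability for the action.
    if action not in token.abilities:
        return 403
    # Step 2: the token owner must also hold the permission in the token's account.
    if action not in USER_PERMISSIONS.get((token.owner, token.account), set()):
        return 403
    return 200

def effective_actions(token: Token) -> set:
    """Actions that pass both checks: token abilities intersected with owner permissions."""
    perms = USER_PERMISSIONS.get((token.owner, token.account), set())
    return set(token.abilities) & perms

# Constructed sample tokens.
READ_ONLY = Token("sara", "acme", frozenset({"contacts:read"}))
BROAD = Token("sara", "globex", frozenset({"contacts:read", "contacts:write"}))

if __name__ == "__main__":
    print(authorize(READ_ONLY, "contacts:write"))  # token lacks the ability
    print(authorize(BROAD, "contacts:write"))      # owner lacks the permission
    print(effective_actions(BROAD))
```

Because both checks must pass, a token never grants more than its owner currently holds in that account, and a narrowly scoped token limits exposure if it leaks.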