Use the current authorization framework to create a user-access matrix for all the projects. This will eliminate the need for "tokens" and make the the schema simple.
To clarify this will eliminate the tokens used to identify Project, not the tokens that identify Users. Hopefully that will also eliminate some confusion regarding the schema.
Use the current authorization framework to create a user-access matrix for all the projects. This will eliminate the need for "tokens" and make the the schema simple.