Abstract: A system receives a request for a user authorization token for a user by a client device. The system generates the user authorization token using a configuration file that has a version identifier and specifies user permissions to access data in a set of data classes. The system transmits the user authorization token to the client device. The system receives a request to perform an action on data in a data class. The request includes the user authorization token including indicia of the version identifier. The system determines whether the user authorization token is invalid based on the version identifier of the user authorization token and determines whether the user has permissions to perform the action on the data in the data class based on the user authorization token. The system allows or disallows the request to perform the action on the data in the data class.