For context, I've worked on important authorization systems and there are many things that I have considered. Perhaps someone else will point out my shortcomings here