diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2AccessTokenEntity.java b/openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2AccessTokenEntity.java
index 4a93a9bfd..b979a7daf 100644
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2AccessTokenEntity.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2AccessTokenEntity.java
@@ -36,14 +36,17 @@ import javax.persistence.GeneratedValue;
 import javax.persistence.GenerationType;
 import javax.persistence.Id;
 import javax.persistence.JoinColumn;
+import javax.persistence.JoinTable;
 import javax.persistence.ManyToOne;
 import javax.persistence.NamedQueries;
 import javax.persistence.NamedQuery;
+import javax.persistence.OneToMany;
 import javax.persistence.OneToOne;
 import javax.persistence.Table;
 import javax.persistence.Temporal;
 import javax.persistence.Transient;
 
+import org.mitre.uma.model.Permission;
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
 import org.springframework.security.oauth2.common.OAuth2AccessTokenJackson1Deserializer;
 import org.springframework.security.oauth2.common.OAuth2AccessTokenJackson1Serializer;
@@ -109,6 +112,8 @@ public class OAuth2AccessTokenEntity implements OAuth2AccessToken {
 	private OAuth2RefreshTokenEntity refreshToken;
 
 	private Set scope;
+
+	private Set permissions;
 
 	/**
 	 * Create a new, blank access token
@@ -321,4 +326,24 @@ public class OAuth2AccessTokenEntity implements OAuth2AccessToken {
 		}
 	}
 
+	/**
+	 * @return the permissions
+	 */
+	@OneToMany(fetch = FetchType.EAGER, cascade = CascadeType.ALL)
+	@JoinTable(
+			name = "access_token_permissions",
+			joinColumns = @JoinColumn(name = "access_token_id"),
+			inverseJoinColumns = @JoinColumn(name = "permission_id")
+	)
+	public Set getPermissions() {
+		return permissions;
+	}
+
+	/**
+	 * @param permissions the permissions to set
+	 */
+	public void setPermissions(Set permissions) {
+		this.permissions = permissions;
+	}
+
 }
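Review bot: The new field `private Set permissions;` is a raw `Set`, even though the same commit imports `org.mitre.uma.model.Permission` specifically for it; declaring it as `private Set<Permission> permissions;` lets the compiler enforce what can be stored in a token's permission set instead of leaving that to every caller. The neighbouring `private Set scope;` is raw as well, so this may be following the file's existing style, but a newly added field need not repeat it. The `OAuth2AccessTokenEntity` class body continues outside this hunk.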
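Review bot: `getPermissions()` returns the field as-is, so on an entity whose constructor (outside this hunk) does not initialise `permissions` it returns null rather than an empty set, and any caller that iterates a token's permissions before `setPermissions` has been called will NPE; either initialise the field or document the null case in the `@return` Javadoc. The mapping's `cascade = CascadeType.ALL` means deleting a token also deletes its `Permission` rows, but without `orphanRemoval = true` a permission dropped from the set, or replaced wholesale through `setPermissions`, only loses its join row and its `permission` row lingers — if permissions are meant to be owned by the token (which the cascade suggests), `@OneToMany(fetch = FetchType.EAGER, cascade = CascadeType.ALL, orphanRemoval = true)` expresses that; confirm against how the UMA code reuses `Permission` objects before adding it. The accessor and mutator should also use the imported type: `public Set<Permission> getPermissions()` and `public void setPermissions(Set<Permission> permissions)`.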
diff --git a/openid-connect-server-webapp/src/main/resources/db/tables/hsql_database_tables.sql b/openid-connect-server-webapp/src/main/resources/db/tables/hsql_database_tables.sql
index 185e98a67..6432f37c7 100644
--- a/openid-connect-server-webapp/src/main/resources/db/tables/hsql_database_tables.sql
+++ b/openid-connect-server-webapp/src/main/resources/db/tables/hsql_database_tables.sql
@@ -14,6 +14,11 @@ CREATE TABLE IF NOT EXISTS access_token (
 	approved_site_id BIGINT
 );
 
+CREATE TABLE IF NOT EXISTS access_token_permissions (
+	access_token_id BIGINT NOT NULL,
+	permission_id BIGINT NOT NULL
+);
+
 CREATE TABLE IF NOT EXISTS address (
 	id BIGINT GENERATED BY DEFAULT AS IDENTITY(START WITH 1) PRIMARY KEY,
 	formatted VARCHAR(256),
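Review bot: `access_token_permissions` is created with no primary key, unique constraint or foreign keys, so nothing at the database level stops the same `permission_id` from being attached to two different access tokens, or a join row from outliving the token or permission it points at; since the Java side maps this as a one-to-many join table, the inverse column should be unique, e.g. `PRIMARY KEY (access_token_id, permission_id)` together with `UNIQUE (permission_id)`. The adjacent `access_token` table declares `approved_site_id BIGINT` with no foreign key either, so omitting referential constraints may be this file's convention, but the uniqueness of `permission_id` is what the entity mapping relies on and is worth adding regardless; if the schema does use foreign keys elsewhere, `REFERENCES access_token(id) ON DELETE CASCADE` would also remove join rows when a token is deleted. An index on `access_token_id` would serve the eager load of a token's permissions. Whether the `permission` table this references is defined in this file is not visible in the hunk.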