From ddcf3e181014015f2fda32a31f8b25e762071ebc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nikola=20Vetni=C4=87?=
 <62119280+NikolaVetnic@users.noreply.github.com>
Date: Wed, 16 Oct 2024 07:34:20 +0200
Subject: [PATCH] Consumer API: Password-protected Tokens (#909)

* feat: implement password protected tokens

* chore: remove unused methods

* chore: remove empty line

* test: add tests for anonymous user fetching tokens

* fix: add check for existing allocations to relationship template CanBeCollectedWithPassword expression

* chore: add explaining comments to password checks in Token.cs

* refactor: don't use queryable extensions; instead use expressions in entity

* refactor: remove redundant "when not null" check from validator

* refactor: rename things

* fix: re-add check for "password is not null" to validators

* test: add can be collected with password tests

* test: check for status code in get multiple templates feature file

* test: check for status code in get multiple tokens feature file

* fix: don't throw ArgumentNullException in ReplaceExpressionVisitor

* test: fix naming

* fix: use correct error message in validator tests

* fix: use correct error message in CreateToken validator tests

* test: add tests for anonymous user

---------

Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Co-authored-by: Timo Notheisen <timo.notheisen@js-soft.com>
---
 .../RelationshipTemplates/GET.feature         |   5 +-
 .../RelationshipTemplates/POST.feature        |   2 +-
 .../RelationshipTemplates/{id}/GET.feature    |   2 +-
 .../Features/Tokens/GET.feature               |  73 +++++----
 .../Features/Tokens/POST.feature              |  12 ++
 .../Features/Tokens/{id}/GET.feature          |  54 ++++---
 .../RelationshipTemplatesStepDefinitions.cs   |  12 +-
 .../StepDefinitions/TokensStepDefinitions.cs  | 142 +++++++++++-------
 .../Extensions/ExpressionExtensions.cs        |  10 +-
 .../IRelationshipTemplatesRepository.cs       |   2 +-
 .../Validator.Tests.cs                        |   2 +-
 .../CreateRelationshipTemplate/Validator.cs   |   3 +-
 .../GetRelationshipTemplate/Validator.cs      |   2 +-
 .../ListRelationshipTemplates/Handler.cs      |   2 +-
 .../ListRelationshipTemplatesQuery.cs         |   6 +-
 .../Validator.Tests.cs                        |   7 +-
 .../ListRelationshipTemplates/Validator.cs    |   2 +-
 .../RelationshipTemplatesController.cs        |   6 +-
 ...mplate.CanBeCollectedByExpressionTests.cs} |   1 +
 ...plate.CanBeCollectedUsingPasswordTests.cs} |   2 +-
 .../RelationshipTemplate.cs                   |  14 +-
 .../RelationshipTemplatesRepository.cs        |   2 +-
 .../Repository/ITokensRepository.cs           |   8 +-
 .../CreateToken/CreateTokenCommand.cs         |   1 +
 .../Tokens/Commands/CreateToken/Handler.cs    |   2 +-
 .../Tokens/Commands/CreateToken/Validator.cs  |   3 +
 .../Tokens/Queries/GetToken/GetTokenQuery.cs  |   1 +
 .../Tokens/Queries/GetToken/Handler.cs        |  13 +-
 .../Tokens/Queries/GetToken/Validator.cs      |   2 +
 .../Tokens/Queries/ListTokens/Handler.cs      |   3 +-
 .../Queries/ListTokens/ListTokensQuery.cs     |  12 +-
 .../Tokens/Queries/ListTokens/Validator.cs    |  20 ++-
 .../Controllers/TokensController.cs           |  33 +++-
 .../src/Tokens.Domain/Entities/Token.cs       |  32 +++-
 ...41011123029_AddPasswordToToken.Designer.cs |  77 ++++++++++
 .../20241011123029_AddPasswordToToken.cs      |  31 ++++
 .../TokensDbContextModelSnapshot.cs           |   6 +-
 ...41011123022_AddPasswordToToken.Designer.cs |  77 ++++++++++
 .../20241011123022_AddPasswordToToken.cs      |  31 ++++
 .../TokensDbContextModelSnapshot.cs           |   6 +-
 .../TokenEntityTypeConfiguration.cs           |   2 +
 .../Repository/TokensRepository.cs            |  30 +++-
 .../Tokens/CreateToken/ValidatorTests.cs      |  39 ++++-
 .../TestHelpers/TestData.cs                   |   4 +-
 .../TokenCanBeCollectedUsingPasswordTests.cs  | 102 +++++++++++++
 .../RelationshipTemplatesEndpoint.cs          |   4 +-
 ... => ListRelationshipTemplatesQueryItem.cs} |   2 +-
 .../src/Endpoints/Tokens/TokensEndpoint.cs    |  14 +-
 .../Types/Requests/CreateTokenRequest.cs      |   1 +
 .../Types/Requests/ListTokensQueryItem.cs     |   7 +
 50 files changed, 748 insertions(+), 178 deletions(-)
 rename Modules/Relationships/src/Relationships.Domain/Aggregates/RelationshipTemplates/{RelationshipTemplate.CanBeCollectedByTests.cs => RelationshipTemplate.CanBeCollectedByExpressionTests.cs} (99%)
 rename Modules/Relationships/src/Relationships.Domain/Aggregates/RelationshipTemplates/{RelationshipTemplate.CanBeCollectedWithPasswordTests.cs => RelationshipTemplate.CanBeCollectedUsingPasswordTests.cs} (96%)
 create mode 100644 Modules/Tokens/src/Tokens.Infrastructure.Database.Postgres/Migrations/20241011123029_AddPasswordToToken.Designer.cs
 create mode 100644 Modules/Tokens/src/Tokens.Infrastructure.Database.Postgres/Migrations/20241011123029_AddPasswordToToken.cs
 create mode 100644 Modules/Tokens/src/Tokens.Infrastructure.Database.SqlServer/Migrations/20241011123022_AddPasswordToToken.Designer.cs
 create mode 100644 Modules/Tokens/src/Tokens.Infrastructure.Database.SqlServer/Migrations/20241011123022_AddPasswordToToken.cs
 create mode 100644 Modules/Tokens/test/Tokens.Domain.Tests/Tests/TokenCanBeCollectedUsingPasswordTests.cs
 rename Sdks/ConsumerApi.Sdk/src/Endpoints/RelationshipTemplates/Types/Requests/{RelationshipTemplateQueryItem.cs => ListRelationshipTemplatesQueryItem.cs} (78%)
 create mode 100644 Sdks/ConsumerApi.Sdk/src/Endpoints/Tokens/Types/Requests/ListTokensQueryItem.cs

diff --git a/Applications/ConsumerApi/test/ConsumerApi.Tests.Integration/Features/RelationshipTemplates/GET.feature b/Applications/ConsumerApi/test/ConsumerApi.Tests.Integration/Features/RelationshipTemplates/GET.feature
index 6f825a614b..8fa82d97bd 100644
--- a/Applications/ConsumerApi/test/ConsumerApi.Tests.Integration/Features/RelationshipTemplates/GET.feature
+++ b/Applications/ConsumerApi/test/ConsumerApi.Tests.Integration/Features/RelationshipTemplates/GET.feature
@@ -21,7 +21,7 @@ User requests Relationship Templates
           | rt12         | i2            | i3          | -        |
           | rt13         | i2            | i3          | password |
           | rt14         | i2            | i3          | password |
-        When <activeIdentity> sends a GET request to the /RelationshipTemplate endpoint with the following payloads
+        When <activeIdentity> sends a GET request to the /RelationshipTemplates endpoint with the following payloads
           | templateName | passwordOnGet |
           | rt1          | -             |
           | rt2          | -             |
@@ -37,7 +37,8 @@ User requests Relationship Templates
           | rt12         | -             |
           | rt13         | password      |
           | rt14         | wordpass      |
-        Then the response contains Relationship Template(s) <retreivedTemplates>
+        Then the response status code is 200 (OK)
+        And the response contains Relationship Template(s) <retreivedTemplates>
 
         Examples:
           | activeIdentity | retreivedTemplates                                              |
diff --git a/Applications/ConsumerApi/test/ConsumerApi.Tests.Integration/Features/RelationshipTemplates/POST.feature b/Applications/ConsumerApi/test/ConsumerApi.Tests.Integration/Features/RelationshipTemplates/POST.feature
index 02b8277a45..c45599a507 100644
--- a/Applications/ConsumerApi/test/ConsumerApi.Tests.Integration/Features/RelationshipTemplates/POST.feature
+++ b/Applications/ConsumerApi/test/ConsumerApi.Tests.Integration/Features/RelationshipTemplates/POST.feature
@@ -17,5 +17,5 @@ User creates a Relationship Template
 
 	Scenario: Create a personalized Relationship Template with a password
 		Given Identities i1 and i2
-		When i1 sends a POST request to the /RelationshipTemplate endpoint with password "my-password" and forIdentity i2
+		When i1 sends a POST request to the /RelationshipTemplates endpoint with password "my-password" and forIdentity i2
 		Then the response status code is 201 (Created)
diff --git a/Applications/ConsumerApi/test/ConsumerApi.Tests.Integration/Features/RelationshipTemplates/{id}/GET.feature b/Applications/ConsumerApi/test/ConsumerApi.Tests.Integration/Features/RelationshipTemplates/{id}/GET.feature
index 4bfdea34f0..f01f8d595e 100644
--- a/Applications/ConsumerApi/test/ConsumerApi.Tests.Integration/Features/RelationshipTemplates/{id}/GET.feature
+++ b/Applications/ConsumerApi/test/ConsumerApi.Tests.Integration/Features/RelationshipTemplates/{id}/GET.feature
@@ -6,7 +6,7 @@ User requests a Relationship Template
     Scenario Outline: Requesting a Relationship Template in a variety of scenarios
         Given Identities <givenIdentities>
         And Relationship Template rt created by <templateOwner> with password "<password>" and forIdentity <forIdentity>
-        When <activeIdentity> sends a GET request to the /RelationshipTemplate/rt.Id endpoint with password "<passwordOnGet>"
+        When <activeIdentity> sends a GET request to the /RelationshipTemplates/rt.Id endpoint with password "<passwordOnGet>"
         Then the response status code is <responseStatusCode>
 
         Examples:
diff --git a/Applications/ConsumerApi/test/ConsumerApi.Tests.Integration/Features/Tokens/GET.feature b/Applications/ConsumerApi/test/ConsumerApi.Tests.Integration/Features/Tokens/GET.feature
index c912abd56d..7beb1f1302 100644
--- a/Applications/ConsumerApi/test/ConsumerApi.Tests.Integration/Features/Tokens/GET.feature
+++ b/Applications/ConsumerApi/test/ConsumerApi.Tests.Integration/Features/Tokens/GET.feature
@@ -3,37 +3,46 @@ Feature: GET /Tokens
 
 User requests multiple Tokens
 
-    Scenario: Requesting a list of own Tokens
-        Given Identity i
-        And Tokens t1 and t2 belonging to i
-        When i sends a GET request to the /Tokens endpoint with the ids of t1 and t2
+    Scenario Outline: Requesting a list of Tokens in a variety of scenarios
+        Given Identities i1, i2, i3 and i4
+        And the following Tokens
+          | tokenName | tokenOwner | forIdentity | password |
+          | rt1       | i1         | -           | -        |
+          | rt2       | i2         | -           | -        |
+          | rt3       | i1         | -           | -        |
+          | rt4       | i2         | -           | -        |
+          | rt5       | i1         | -           | password |
+          | rt6       | i1         | -           | password |
+          | rt7       | i2         | -           | password |
+          | rt8       | i2         | -           | password |
+          | rt9       | i1         | i1          | -        |
+          | rt10      | i2         | i3          | -        |
+          | rt11      | i2         | i2          | -        |
+          | rt12      | i2         | i3          | -        |
+          | rt13      | i2         | i3          | password |
+          | rt14      | i2         | i3          | password |
+        When <activeIdentity> sends a GET request to the /Tokens endpoint with the following payloads
+          | tokenName | passwordOnGet |
+          | rt1       | -             |
+          | rt2       | -             |
+          | rt3       | password      |
+          | rt4       | password      |
+          | rt5       | password      |
+          | rt6       | -             |
+          | rt7       | password      |
+          | rt8       | -             |
+          | rt9       | -             |
+          | rt10      | -             |
+          | rt11      | -             |
+          | rt12      | -             |
+          | rt13      | password      |
+          | rt14      | wordpass      |
         Then the response status code is 200 (OK)
-        And the response contains the Tokens t1 and t2
+        And the response contains Token(s) <retreivedTokens>
 
-    Scenario: Requesting an own Token and a Token belonging to another identity
-        Given Identities i1 and i2
-        And Token t1 belonging to i1
-        And Token t2 belonging to i2
-        When i1 sends a GET request to the /Tokens endpoint with the ids of t1 and t2
-        Then the response status code is 200 (OK)
-        And the response contains the Tokens t1 and t2
-
-    Scenario: Requesting a list of Tokens contains tokens with ForIdentity which were created by me
-        Given Identities i1 and i2
-        And Token t belonging to i1 where ForIdentity is the address of i2
-        When i1 sends a GET request to the /Tokens endpoint with the ids of t
-        Then the response status code is 200 (Ok)
-        And the response contains the Token t
-
-    Scenario: Requesting a list of Tokens contains tokens with ForIdentity which were created for me
-        Given Identities i1 and i2
-        And Token t belonging to i1 where ForIdentity is the address of i2
-        When i2 sends a GET request to the /Tokens endpoint with the ids of t
-        Then the response status code is 200 (Ok)
-        And the response contains the Token t
-
-    Scenario: Requesting a list of Tokens does not contain tokens with ForIdentity which were created for someone else
-        Given Identities i1, i2 and i3
-        And Token t belonging to i1 where ForIdentity is the address of i2
-        When i3 sends a GET request to the /Tokens endpoint with the ids of t
-        Then the response does not contain the Token t
+        Examples:
+          | activeIdentity | retreivedTokens                                                 |
+          | i1             | rt1, rt2, rt3, rt4, rt5, rt6, rt7, rt9                          |
+          | i2             | rt1, rt2, rt3, rt4, rt5, rt7, rt8, rt10, rt11, rt12, rt13, rt14 |
+          | i3             | rt1, rt2, rt3, rt4, rt5, rt7, rt10, rt12, rt13                  |
+          | i4             | rt1, rt2, rt3, rt4, rt5, rt7                                    |
diff --git a/Applications/ConsumerApi/test/ConsumerApi.Tests.Integration/Features/Tokens/POST.feature b/Applications/ConsumerApi/test/ConsumerApi.Tests.Integration/Features/Tokens/POST.feature
index ef9811d5b1..fdaa5c46f0 100644
--- a/Applications/ConsumerApi/test/ConsumerApi.Tests.Integration/Features/Tokens/POST.feature
+++ b/Applications/ConsumerApi/test/ConsumerApi.Tests.Integration/Features/Tokens/POST.feature
@@ -12,3 +12,15 @@ User creates a Token
     Scenario: Creating a Token as an anonymous user
         When an anonymous user sends a POST request to the /Tokens endpoint
         Then the response status code is 401 (Unauthorized)
+
+    Scenario: Creating a Token with a password
+		Given Identity i
+		When i sends a POST request to the /Tokens endpoint with the password "password"
+		Then the response status code is 201 (Created)
+        And the response contains a CreateTokenResponse
+
+	Scenario: Create a personalized Token with a password
+		Given Identities i1 and i2
+		When i1 sends a POST request to the /Tokens endpoint with password "password" and forIdentity i2
+		Then the response status code is 201 (Created)
+        And the response contains a CreateTokenResponse
diff --git a/Applications/ConsumerApi/test/ConsumerApi.Tests.Integration/Features/Tokens/{id}/GET.feature b/Applications/ConsumerApi/test/ConsumerApi.Tests.Integration/Features/Tokens/{id}/GET.feature
index a7976eb875..1b1c5d0885 100644
--- a/Applications/ConsumerApi/test/ConsumerApi.Tests.Integration/Features/Tokens/{id}/GET.feature
+++ b/Applications/ConsumerApi/test/ConsumerApi.Tests.Integration/Features/Tokens/{id}/GET.feature
@@ -3,29 +3,33 @@ Feature: GET /Tokens/{id}
 
 User requests a Token
 
-    Scenario: Requesting an own Token as an authenticated user
-        Given Identity i
-        And Token t belonging to i
-        When i sends a GET request to the /Tokens/{id} endpoint with t.Id
-        Then the response status code is 200 (OK)
-        And the response contains a Token
+	Scenario Outline: Requesting a Token in a variety of scenarios
+		Given Identities <givenIdentities>
+		And Token t created by <tokenOwner> with password "<password>" and forIdentity <forIdentity>
+		When <activeIdentity> sends a GET request to the /Tokens/t.Id endpoint with password "<passwordOnGet>"
+		Then the response status code is <responseStatusCode>
 
-    Scenario: Requesting an own Token as an anonymous user
-        Given Identity i
-        And Token t belonging to i
-        When an anonymous user sends a GET request to the /Tokens/{id} endpoint with t.Id
-        Then the response status code is 200 (OK)
-        And the response contains a Token
-
-    Scenario: Requesting a Token of another Identity as an authenticated user
-        Given Identities i1 and i2
-        And Token t belonging to i2
-        When i1 sends a GET request to the /Tokens/{id} endpoint with t.Id
-        Then the response status code is 200 (OK)
-        And the response contains a Token
-
-    Scenario: Requesting a nonexistent Token
-        Given Identity i
-        When i sends a GET request to the /Tokens/{id} endpoint with "TOKthisisnonexisting"
-        Then the response status code is 404 (Not Found)
-        And the response content contains an error with the error code "error.platform.recordNotFound"
+		Examples:
+			| givenIdentities | tokenOwner | forIdentity | password | activeIdentity | passwordOnGet | responseStatusCode | description                                                       |
+			| i               | i          | -           | -        | i              | -             | 200 (OK)           | owner tries to get                                                |
+			| i1 and i2       | i1         | -           | -        | i2             | -             | 200 (OK)           | non-owner tries to get                                            |
+			| i               | i          | -           | -        | -              | -             | 200 (OK)           | anonymous user tries to get                                       |
+			| i               | i          | -           | -        | i              | password      | 200 (OK)           | owner passes password even though none is set                     |
+			| i1 and i2       | i1         | -           | -        | i2             | password      | 200 (OK)           | non-owner identity passes password even though none is set        |
+			| i               | i          | -           | -        | -              | password      | 200 (OK)           | anonymous user passes password even though none is set            |
+			| i               | i          | -           | password | i              | password      | 200 (OK)           | owner passes correct password                                     |
+			| i               | i          | -           | password | i              | -             | 200 (OK)           | owner doesn't pass password, even though one is set               |
+			| i1 and i2       | i1         | -           | password | i2             | password      | 200 (OK)           | non-owner identity passes correct password                        |
+			| i1 and i2       | i1         | -           | password | i2             | -             | 404 (Not Found)    | non-owner identity passes no password even though one is set      |
+			| i               | i          | -           | password | -              | password      | 200 (OK)           | anonymous user passes correct password                            |
+			| i               | i          | -           | password | -              | -             | 404 (Not Found)    | anonymous user doesn't pass password, even though one is set      |
+			| i               | i          | i           | -        | i              | -             | 200 (OK)           | owner is forIdentity and tries to get                             |
+			| i1 and i2       | i1         | i2          | -        | i1             | -             | 200 (OK)           | non-owner is forIdentity, creator tries to get                    |
+			| i1 and i2       | i1         | i1          | -        | i2             | -             | 404 (Not Found)    | owner is forIdentity and non-owner tries to get                   |
+			| i               | i          | i           | -        | -              | -             | 404 (Not Found)    | owner is forIdentity and anonymous user tries to get              |
+			| i1 and i2       | i1         | i2          | -        | i2             | -             | 200 (OK)           | non-owner is forIdentity and tries to get                         |
+			| i               | i          | i           | -        | -              | -             | 404 (Not Found)    | forIdentity is set and anonymous user tries to get                |
+			| i1 and i2       | i1         | i2          | password | i2             | password      | 200 (OK)           | non-owner is forIdentity and tries to get with correct password   |
+			| i1 and i2       | i1         | i2          | password | i2             | wordpass      | 404 (Not Found)    | non-owner is forIdentity and tries to get with incorrect password |
+			| i1, i2 and i3   | i1         | i2          | password | i3             | password      | 404 (Not Found)    | non-owner is forIdentity, and thirdParty tries to get             |
+			| i1 and i2       | i1         | i2          | password | -              | password      | 404 (Not Found)    | non-owner is forIdentity, and anonymous user tries to get         |
diff --git a/Applications/ConsumerApi/test/ConsumerApi.Tests.Integration/StepDefinitions/RelationshipTemplatesStepDefinitions.cs b/Applications/ConsumerApi/test/ConsumerApi.Tests.Integration/StepDefinitions/RelationshipTemplatesStepDefinitions.cs
index a1f37d92f7..010880e18f 100644
--- a/Applications/ConsumerApi/test/ConsumerApi.Tests.Integration/StepDefinitions/RelationshipTemplatesStepDefinitions.cs
+++ b/Applications/ConsumerApi/test/ConsumerApi.Tests.Integration/StepDefinitions/RelationshipTemplatesStepDefinitions.cs
@@ -45,7 +45,7 @@ public async Task GivenRelationshipTemplateCreatedByTokenOwnerWithPasswordAndFor
     }
 
     [Given(@"the following Relationship Templates")]
-    public async Task GivenRelationshipTemplatesWithTheFollowingProperties(Table table)
+    public async Task GivenTheFollowingRelationshipTemplates(Table table)
     {
         var relationshipTemplatePropertiesSet = table.CreateSet<RelationshipTemplateProperties>();
 
@@ -85,7 +85,7 @@ public async Task WhenIdentitySendsAPostRequestToTheRelationshipTemplatesEndpoin
             new CreateRelationshipTemplateRequest { Content = TestData.SOME_BYTES, Password = password });
     }
 
-    [When($@"{RegexFor.SINGLE_THING} sends a POST request to the /RelationshipTemplate endpoint with password ""(.*)"" and forIdentity {RegexFor.SINGLE_THING}")]
+    [When($@"{RegexFor.SINGLE_THING} sends a POST request to the /RelationshipTemplates endpoint with password ""(.*)"" and forIdentity {RegexFor.SINGLE_THING}")]
     public async Task WhenIdentitySendsAPostRequestToTheRelationshipTemplatesEndpointWithPasswordAndForIdentity(string identityName, string passwordString, string forIdentityName)
     {
         var client = _clientPool.FirstForIdentityName(identityName);
@@ -96,7 +96,7 @@ public async Task WhenIdentitySendsAPostRequestToTheRelationshipTemplatesEndpoin
             new CreateRelationshipTemplateRequest { Content = TestData.SOME_BYTES, ForIdentity = forClient.IdentityData!.Address, Password = password });
     }
 
-    [When($@"{RegexFor.SINGLE_THING} sends a GET request to the /RelationshipTemplate/{RegexFor.SINGLE_THING}.Id endpoint with password ""([^""]*)""")]
+    [When($@"{RegexFor.SINGLE_THING} sends a GET request to the /RelationshipTemplates/{RegexFor.SINGLE_THING}.Id endpoint with password ""([^""]*)""")]
     public async Task WhenIdentitySendsAGetRequestToTheRelationshipTemplatesIdEndpointWithPassword(string identityName, string relationshipTemplateName, string password)
     {
         var client = _clientPool.FirstForIdentityName(identityName);
@@ -108,8 +108,8 @@ public async Task WhenIdentitySendsAGetRequestToTheRelationshipTemplatesIdEndpoi
             : await client.RelationshipTemplates.GetTemplate(relationshipTemplateId);
     }
 
-    [When($@"{RegexFor.SINGLE_THING} sends a GET request to the /RelationshipTemplate endpoint with the following payloads")]
-    public async Task WhenISendsAGETRequestToTheRelationshipTemplateEndpointWithTheFollowingPayloads(string identityName, Table table)
+    [When($@"{RegexFor.SINGLE_THING} sends a GET request to the /RelationshipTemplates endpoint with the following payloads")]
+    public async Task WhenISendsAGETRequestToTheRelationshipTemplatesEndpointWithTheFollowingPayloads(string identityName, Table table)
     {
         var client = _clientPool.FirstForIdentityName(identityName);
 
@@ -120,7 +120,7 @@ public async Task WhenISendsAGETRequestToTheRelationshipTemplateEndpointWithTheF
             var relationshipTemplateId = _relationshipTemplatesContext.CreateRelationshipTemplatesResponses[payload.TemplateName].Id;
             var password = payload.PasswordOnGet == "-" ? null : Convert.FromBase64String(payload.PasswordOnGet.Trim());
 
-            return new RelationshipTemplateQueryItem { Id = relationshipTemplateId, Password = password };
+            return new ListRelationshipTemplatesQueryItem { Id = relationshipTemplateId, Password = password };
         }).ToList();
 
         _responseContext.WhenResponse = _listRelationshipTemplatesResponse = await client.RelationshipTemplates.ListTemplates(queryItems);
diff --git a/Applications/ConsumerApi/test/ConsumerApi.Tests.Integration/StepDefinitions/TokensStepDefinitions.cs b/Applications/ConsumerApi/test/ConsumerApi.Tests.Integration/StepDefinitions/TokensStepDefinitions.cs
index 92e4063e58..3b847b36ef 100644
--- a/Applications/ConsumerApi/test/ConsumerApi.Tests.Integration/StepDefinitions/TokensStepDefinitions.cs
+++ b/Applications/ConsumerApi/test/ConsumerApi.Tests.Integration/StepDefinitions/TokensStepDefinitions.cs
@@ -1,9 +1,11 @@
-using Backbone.BuildingBlocks.SDK.Endpoints.Common.Types;
+using System.Diagnostics.CodeAnalysis;
+using System.Text;
+using Backbone.BuildingBlocks.SDK.Endpoints.Common.Types;
 using Backbone.ConsumerApi.Sdk.Endpoints.Tokens.Types.Requests;
 using Backbone.ConsumerApi.Sdk.Endpoints.Tokens.Types.Responses;
 using Backbone.ConsumerApi.Tests.Integration.Contexts;
-using Backbone.ConsumerApi.Tests.Integration.Extensions;
 using Backbone.ConsumerApi.Tests.Integration.Helpers;
+using TechTalk.SpecFlow.Assist;
 
 namespace Backbone.ConsumerApi.Tests.Integration.StepDefinitions;
 
@@ -31,47 +33,41 @@ public TokensStepDefinitions(ResponseContext responseContext, TokensContext toke
 
     #region Given
 
-    [Given($"Tokens? {RegexFor.LIST_OF_THINGS} belonging to {RegexFor.SINGLE_THING}")]
-    public async Task GivenTheIdentityCreatedMultipleTokens(string tokenNames, string identityName)
+    [Given($@"Token {RegexFor.SINGLE_THING} created by {RegexFor.SINGLE_THING} with password ""([^""]*)"" and forIdentity {RegexFor.OPTIONAL_SINGLE_THING}")]
+    public async Task GivenRelationshipTemplateCreatedByTokenOwnerWithPasswordAndForIdentity(string relationshipTemplateName, string identityName, string passwordString, string forIdentityName)
     {
-        foreach (var tokenName in Utils.SplitNames(tokenNames))
-        {
-            var client = _clientPool.FirstForIdentityName(identityName);
+        var client = _clientPool.FirstForIdentityName(identityName);
+        var forClient = forIdentityName != "-" ? _clientPool.FirstForIdentityName(forIdentityName).IdentityData!.Address : null;
+        var password = passwordString.Trim() != "-" ? Convert.FromBase64String(passwordString.Trim()) : null;
 
-            var response = await client.Tokens.CreateToken(new CreateTokenRequest { Content = TestData.SOME_BYTES, ExpiresAt = TOMORROW });
-            response.Should().BeASuccess();
+        var response = await client.Tokens.CreateToken(
+            new CreateTokenRequest { Content = TestData.SOME_BYTES, ExpiresAt = TOMORROW, ForIdentity = forClient, Password = password });
 
-            _tokensContext.CreateTokenResponses[tokenName] = response.Result!;
-        }
+        _tokensContext.CreateTokenResponses[relationshipTemplateName] = response.Result!;
     }
 
-    [Given($"Token {RegexFor.SINGLE_THING} belonging to {RegexFor.SINGLE_THING} where ForIdentity is the address of {RegexFor.SINGLE_THING}")]
-    public async Task GivenTokenTBelongingToIWhereForIdentityIsTheAddressOfI(string tokenName, string identityName, string forIdentityName)
+    [Given(@"the following Tokens")]
+    public async Task GivenTheFollowingTokens(Table table)
     {
-        var client = _clientPool.FirstForIdentityName(identityName);
-        var forClient = _clientPool.FirstForIdentityName(forIdentityName);
+        var tokenPropertiesSet = table.CreateSet<TokenProperties>();
 
-        var response = await client.Tokens.CreateToken(new CreateTokenRequest { Content = TestData.SOME_BYTES, ExpiresAt = TOMORROW, ForIdentity = forClient.IdentityData!.Address });
-        response.Should().BeASuccess();
+        foreach (var tokenProperties in tokenPropertiesSet)
+        {
+            var client = _clientPool.FirstForIdentityName(tokenProperties.TokenOwner);
+            var forClient = tokenProperties.ForIdentity != "-" ? _clientPool.FirstForIdentityName(tokenProperties.ForIdentity).IdentityData!.Address : null;
+            var password = tokenProperties.Password.Trim() != "-" ? Convert.FromBase64String(tokenProperties.Password.Trim()) : null;
+
+            var response = await client.Tokens
+                .CreateToken(new CreateTokenRequest { Content = TestData.SOME_BYTES, ExpiresAt = TOMORROW, ForIdentity = forClient, Password = password });
 
-        _tokensContext.CreateTokenResponses[tokenName] = response.Result!;
+            _tokensContext.CreateTokenResponses[tokenProperties.TokenName] = response.Result!;
+        }
     }
 
     #endregion
 
     #region When
 
-    [When($"{RegexFor.SINGLE_THING} sends a GET request to the /Tokens endpoint with the ids of {RegexFor.LIST_OF_THINGS}")]
-    public async Task WhenIdentitySendsAGetRequestToTheTokensEndpointWithAListOfIdsOfOwnTokens(string identityName, string tokenNames)
-    {
-        var client = _clientPool.FirstForIdentityName(identityName);
-
-        var tokenIds = Utils.SplitNames(tokenNames).Select(tokenName => _tokensContext.CreateTokenResponses[tokenName].Id).ToArray();
-
-        _responseContext.WhenResponse = _listTokensResponse = await client.Tokens.ListTokens(tokenIds);
-        _responseContext.WhenResponse.Should().NotBeNull();
-    }
-
     [When($"{RegexFor.SINGLE_THING} sends a POST request to the /Tokens endpoint")]
     public async Task WhenIdentitySendsAPostRequestToTheTokensEndpoint(string identityName)
     {
@@ -85,50 +81,92 @@ public async Task WhenAnAnonymousUserSendsAPOSTRequestIsSentToTheTokensEndpoint(
         _responseContext.WhenResponse = await _clientPool.Anonymous.Tokens.CreateTokenUnauthenticated(new CreateTokenRequest { Content = TestData.SOME_BYTES, ExpiresAt = TOMORROW });
     }
 
-    [When($"{RegexFor.SINGLE_THING} sends a GET request to the /Tokens/{{id}} endpoint with {RegexFor.SINGLE_THING}.Id")]
-    public async Task WhenIdentitySendsAGetRequestToTheTokensIdEndpointWithTokenId(string identityName, string tokenName)
+    [When($@"{RegexFor.SINGLE_THING} sends a POST request to the /Tokens endpoint with the password ""([^""]*)""")]
+    public async Task WhenISendsAPOSTRequestToTheTokensEndpointWithThePassword(string identityName, string passwordString)
     {
         var client = _clientPool.FirstForIdentityName(identityName);
-        var tokenId = _tokensContext.CreateTokenResponses[tokenName].Id;
+        var password = Encoding.UTF8.GetBytes(passwordString);
+
+        _responseContext.WhenResponse = await client.Tokens.CreateToken(
+            new CreateTokenRequest { Content = TestData.SOME_BYTES, ExpiresAt = TOMORROW, Password = password });
+    }
+
+    [When($@"{RegexFor.SINGLE_THING} sends a POST request to the /Tokens endpoint with password ""([^""]*)"" and forIdentity {RegexFor.OPTIONAL_SINGLE_THING}")]
+    public async Task WhenISendsAPOSTRequestToTheTokensEndpointWithPasswordAndForIdentityI(string identityName, string passwordString, string forIdentityName)
+    {
+        var client = _clientPool.FirstForIdentityName(identityName);
+        var forClient = _clientPool.FirstForIdentityName(forIdentityName);
+        var password = Encoding.UTF8.GetBytes(passwordString);
 
-        _responseContext.WhenResponse = await client.Tokens.GetToken(tokenId);
+        _responseContext.WhenResponse = await client.Tokens.CreateToken(
+            new CreateTokenRequest { Content = TestData.SOME_BYTES, ExpiresAt = TOMORROW, ForIdentity = forClient.IdentityData!.Address, Password = password });
     }
 
-    [When($"an anonymous user sends a GET request to the /Tokens/{{id}} endpoint with {RegexFor.SINGLE_THING}.Id")]
-    public async Task WhenAnAnonymousUserSendsAGetRequestToTheTokensIdEndpointWithTokenId(string tokenName)
+    [When($@"{RegexFor.OPTIONAL_SINGLE_THING} sends a GET request to the /Tokens/{RegexFor.SINGLE_THING}.Id endpoint with password ""([^""]*)""")]
+    public async Task WhenIdentitySendsAGetRequestToTheTokensIdEndpointWithPassword(string identityName, string tokenName, string password)
     {
+        var isAuthenticated = identityName != "-";
+        var isPasswordProvided = password != "-";
+
+        var client = isAuthenticated ? _clientPool.FirstForIdentityName(identityName) : _clientPool.Anonymous;
         var tokenId = _tokensContext.CreateTokenResponses[tokenName].Id;
-        _responseContext.WhenResponse = await _clientPool.Anonymous.Tokens.GetTokenUnauthenticated(tokenId);
+
+        if (isAuthenticated)
+            _responseContext.WhenResponse = isPasswordProvided
+                ? await client.Tokens.GetToken(tokenId, Convert.FromBase64String(password.Trim()))
+                : await client.Tokens.GetToken(tokenId);
+        else
+            _responseContext.WhenResponse = isPasswordProvided
+                ? await client.Tokens.GetTokenUnauthenticated(tokenId, Convert.FromBase64String(password.Trim()))
+                : await client.Tokens.GetTokenUnauthenticated(tokenId);
     }
 
-    [When($"{RegexFor.SINGLE_THING} sends a GET request to the /Tokens/{{id}} endpoint with \"([^\"]*)\"")]
-    public async Task WhenIdentitySendsAGetRequestToTheTokensIdEndpointWithNonExistingTokenId(string identityName, string nonExistingTokenId)
+    [When($@"{RegexFor.SINGLE_THING} sends a GET request to the /Tokens endpoint with the following payloads")]
+    public async Task WhenISendsAGETRequestToTheTokensEndpointWithTheFollowingPayloads(string identityName, Table table)
     {
         var client = _clientPool.FirstForIdentityName(identityName);
-        _responseContext.WhenResponse = await client.Tokens.GetToken(nonExistingTokenId);
+
+        var getRequestPayloadSet = table.CreateSet<GetRequestPayload>();
+
+        var queryItems = getRequestPayloadSet.Select(payload =>
+        {
+            var tokenId = _tokensContext.CreateTokenResponses[payload.TokenName].Id;
+            var password = payload.PasswordOnGet == "-" ? null : Convert.FromBase64String(payload.PasswordOnGet.Trim());
+
+            return new ListTokensQueryItem() { Id = tokenId, Password = password };
+        }).ToList();
+
+        _responseContext.WhenResponse = _listTokensResponse = await client.Tokens.ListTokens(queryItems);
     }
 
     #endregion
 
     #region Then
 
-    [Then($"the response contains the Tokens? {RegexFor.LIST_OF_THINGS}")]
+    [Then($@"the response contains Token\(s\) {RegexFor.LIST_OF_THINGS}")]
     public void ThenTheResponseContainsTokens(string tokenNames)
     {
-        foreach (var tokenId in Utils.SplitNames(tokenNames).Select(tokenName => _tokensContext.CreateTokenResponses[tokenName].Id))
-        {
-            _listTokensResponse!.Result.Should().Contain(token => token.Id == tokenId);
-        }
+        var tokens = tokenNames.Split(',').Select(item => _tokensContext.CreateTokenResponses[item.Trim()]).ToList();
+        _listTokensResponse!.Result!.Should().BeEquivalentTo(tokens, options => options.WithStrictOrdering());
     }
 
-    [Then($"the response does not contain the Token {RegexFor.SINGLE_THING}")]
-    public void ThenTheResponseDoesNotContainTheTokenT(string tokenName)
-    {
-        var tokenId = _tokensContext.CreateTokenResponses[tokenName].Id;
-
-        _listTokensResponse!.Result.Should().NotContain(token => token.Id == tokenId);
-    }
+    #endregion
+}
 
+// ReSharper disable once ClassNeverInstantiated.Local
+[SuppressMessage("ReSharper", "UnusedAutoPropertyAccessor.Local")]
+file class TokenProperties
+{
+    public required string TokenName { get; set; }
+    public required string TokenOwner { get; set; }
+    public required string ForIdentity { get; set; }
+    public required string Password { get; set; }
+}
 
-    #endregion
+// ReSharper disable once ClassNeverInstantiated.Local
+[SuppressMessage("ReSharper", "UnusedAutoPropertyAccessor.Local")]
+file class GetRequestPayload
+{
+    public required string TokenName { get; set; }
+    public required string PasswordOnGet { get; set; }
 }
diff --git a/BuildingBlocks/src/BuildingBlocks.Application/Extensions/ExpressionExtensions.cs b/BuildingBlocks/src/BuildingBlocks.Application/Extensions/ExpressionExtensions.cs
index 25c8e793d5..325db0b6e4 100644
--- a/BuildingBlocks/src/BuildingBlocks.Application/Extensions/ExpressionExtensions.cs
+++ b/BuildingBlocks/src/BuildingBlocks.Application/Extensions/ExpressionExtensions.cs
@@ -14,7 +14,8 @@ public static Expression<Func<T, bool>> Or<T>(this Expression<Func<T, bool>> exp
         var rightVisitor = new ReplaceExpressionVisitor(expression2.Parameters[0], parameter);
         var right = rightVisitor.Visit(expression2.Body);
 
-        return Expression.Lambda<Func<T, bool>>(Expression.OrElse(left, right), parameter);
+        // CAUTION: the null suppression operator is used here without being sure if it's safe; so if there's a NullReferenceException, this is the first place to check
+        return Expression.Lambda<Func<T, bool>>(Expression.OrElse(left!, right!), parameter);
     }
 
     public static Expression<Func<T, bool>> And<T>(this Expression<Func<T, bool>> expression1, Expression<Func<T, bool>> expression2)
@@ -27,7 +28,8 @@ public static Expression<Func<T, bool>> And<T>(this Expression<Func<T, bool>> ex
         var rightVisitor = new ReplaceExpressionVisitor(expression2.Parameters[0], parameter);
         var right = rightVisitor.Visit(expression2.Body);
 
-        return Expression.Lambda<Func<T, bool>>(Expression.AndAlso(left, right), parameter);
+        // CAUTION: the null suppression operator is used here without being sure if it's safe; so if there's a NullReferenceException, this is the first place to check
+        return Expression.Lambda<Func<T, bool>>(Expression.AndAlso(left!, right!), parameter);
     }
 
     private class ReplaceExpressionVisitor : ExpressionVisitor
@@ -41,10 +43,8 @@ public ReplaceExpressionVisitor(Expression oldValue, Expression newValue)
             _newValue = newValue;
         }
 
-        public override Expression Visit(Expression? node)
+        public override Expression? Visit(Expression? node)
         {
-            ArgumentNullException.ThrowIfNull(node);
-
             return node == _oldValue ? _newValue : base.Visit(node);
         }
     }
diff --git a/Modules/Relationships/src/Relationships.Application/Infrastructure/Persistence/Repository/IRelationshipTemplatesRepository.cs b/Modules/Relationships/src/Relationships.Application/Infrastructure/Persistence/Repository/IRelationshipTemplatesRepository.cs
index 2628ab72bd..194e507eed 100644
--- a/Modules/Relationships/src/Relationships.Application/Infrastructure/Persistence/Repository/IRelationshipTemplatesRepository.cs
+++ b/Modules/Relationships/src/Relationships.Application/Infrastructure/Persistence/Repository/IRelationshipTemplatesRepository.cs
@@ -9,7 +9,7 @@ namespace Backbone.Modules.Relationships.Application.Infrastructure.Persistence.
 
 public interface IRelationshipTemplatesRepository
 {
-    Task<DbPaginationResult<RelationshipTemplate>> FindTemplatesWithIds(IEnumerable<RelationshipTemplateQueryItem> queryItems, IdentityAddress activeIdentity, PaginationFilter paginationFilter,
+    Task<DbPaginationResult<RelationshipTemplate>> FindTemplates(IEnumerable<ListRelationshipTemplatesQueryItem> queryItems, IdentityAddress activeIdentity, PaginationFilter paginationFilter,
         CancellationToken cancellationToken, bool track = false);
 
     Task<RelationshipTemplate?> Find(RelationshipTemplateId id, IdentityAddress identityAddress, CancellationToken cancellationToken, bool track = false);
diff --git a/Modules/Relationships/src/Relationships.Application/RelationshipTemplates/Commands/CreateRelationshipTemplate/Validator.Tests.cs b/Modules/Relationships/src/Relationships.Application/RelationshipTemplates/Commands/CreateRelationshipTemplate/Validator.Tests.cs
index e95c925910..274cbdcebd 100644
--- a/Modules/Relationships/src/Relationships.Application/RelationshipTemplates/Commands/CreateRelationshipTemplate/Validator.Tests.cs
+++ b/Modules/Relationships/src/Relationships.Application/RelationshipTemplates/Commands/CreateRelationshipTemplate/Validator.Tests.cs
@@ -119,6 +119,6 @@ public void Fails_when_Password_is_too_long()
 
         // Assert
         validationResult.ShouldHaveValidationErrorForItem(nameof(CreateRelationshipTemplateCommand.Password), "error.platform.validation.invalidPropertyValue",
-            "'Password' must be between 0 and 200 bytes long. You entered 250 bytes.");
+            "'Password' must be between 1 and 200 bytes long. You entered 250 bytes.");
     }
 }
diff --git a/Modules/Relationships/src/Relationships.Application/RelationshipTemplates/Commands/CreateRelationshipTemplate/Validator.cs b/Modules/Relationships/src/Relationships.Application/RelationshipTemplates/Commands/CreateRelationshipTemplate/Validator.cs
index c8b3bb896c..e5faf6e9b9 100644
--- a/Modules/Relationships/src/Relationships.Application/RelationshipTemplates/Commands/CreateRelationshipTemplate/Validator.cs
+++ b/Modules/Relationships/src/Relationships.Application/RelationshipTemplates/Commands/CreateRelationshipTemplate/Validator.cs
@@ -2,6 +2,7 @@
 using Backbone.BuildingBlocks.Application.Extensions;
 using Backbone.BuildingBlocks.Application.FluentValidation;
 using Backbone.DevelopmentKit.Identity.ValueObjects;
+using Backbone.Modules.Relationships.Domain.Aggregates.RelationshipTemplates;
 using Backbone.Tooling;
 using Backbone.Tooling.Extensions;
 using FluentValidation;
@@ -25,6 +26,6 @@ public Validator()
             .ValidId<CreateRelationshipTemplateCommand, IdentityAddress>()
             .When(c => c.ForIdentity != null);
 
-        RuleFor(c => c.Password).NumberOfBytes(0, 200);
+        RuleFor(c => c.Password).NumberOfBytes(1, RelationshipTemplate.MAX_PASSWORD_LENGTH).When(t => t.Password != null);
     }
 }
diff --git a/Modules/Relationships/src/Relationships.Application/RelationshipTemplates/Queries/GetRelationshipTemplate/Validator.cs b/Modules/Relationships/src/Relationships.Application/RelationshipTemplates/Queries/GetRelationshipTemplate/Validator.cs
index f4a572c5b0..d64dc56198 100644
--- a/Modules/Relationships/src/Relationships.Application/RelationshipTemplates/Queries/GetRelationshipTemplate/Validator.cs
+++ b/Modules/Relationships/src/Relationships.Application/RelationshipTemplates/Queries/GetRelationshipTemplate/Validator.cs
@@ -11,6 +11,6 @@ public Validator()
     {
         RuleFor(x => x.Id).ValidId<GetRelationshipTemplateQuery, RelationshipTemplateId>();
 
-        RuleFor(x => x.Password).NumberOfBytes(1, RelationshipTemplate.MAX_PASSWORD_LENGTH).When(x => x.Password != null);
+        RuleFor(x => x.Password).NumberOfBytes(1, RelationshipTemplate.MAX_PASSWORD_LENGTH).When(t => t.Password != null);
     }
 }
diff --git a/Modules/Relationships/src/Relationships.Application/RelationshipTemplates/Queries/ListRelationshipTemplates/Handler.cs b/Modules/Relationships/src/Relationships.Application/RelationshipTemplates/Queries/ListRelationshipTemplates/Handler.cs
index dfe1db7947..6f710fafc0 100644
--- a/Modules/Relationships/src/Relationships.Application/RelationshipTemplates/Queries/ListRelationshipTemplates/Handler.cs
+++ b/Modules/Relationships/src/Relationships.Application/RelationshipTemplates/Queries/ListRelationshipTemplates/Handler.cs
@@ -17,7 +17,7 @@ public Handler(IUserContext userContext, IRelationshipTemplatesRepository relati
 
     public async Task<ListRelationshipTemplatesResponse> Handle(ListRelationshipTemplatesQuery request, CancellationToken cancellationToken)
     {
-        var dbPaginationResult = await _relationshipTemplatesRepository.FindTemplatesWithIds(request.QueryItems, _userContext.GetAddress(), request.PaginationFilter,
+        var dbPaginationResult = await _relationshipTemplatesRepository.FindTemplates(request.QueryItems, _userContext.GetAddress(), request.PaginationFilter,
             cancellationToken, track: false);
 
         return new ListRelationshipTemplatesResponse(dbPaginationResult, request.PaginationFilter);
diff --git a/Modules/Relationships/src/Relationships.Application/RelationshipTemplates/Queries/ListRelationshipTemplates/ListRelationshipTemplatesQuery.cs b/Modules/Relationships/src/Relationships.Application/RelationshipTemplates/Queries/ListRelationshipTemplates/ListRelationshipTemplatesQuery.cs
index da2db692e4..2d684c3d36 100644
--- a/Modules/Relationships/src/Relationships.Application/RelationshipTemplates/Queries/ListRelationshipTemplates/ListRelationshipTemplatesQuery.cs
+++ b/Modules/Relationships/src/Relationships.Application/RelationshipTemplates/Queries/ListRelationshipTemplates/ListRelationshipTemplatesQuery.cs
@@ -5,17 +5,17 @@ namespace Backbone.Modules.Relationships.Application.RelationshipTemplates.Queri
 
 public class ListRelationshipTemplatesQuery : IRequest<ListRelationshipTemplatesResponse>
 {
-    public ListRelationshipTemplatesQuery(PaginationFilter paginationFilter, IEnumerable<RelationshipTemplateQueryItem>? queries)
+    public ListRelationshipTemplatesQuery(PaginationFilter paginationFilter, IEnumerable<ListRelationshipTemplatesQueryItem>? queries)
     {
         PaginationFilter = paginationFilter;
         QueryItems = queries == null ? [] : queries.ToList();
     }
 
     public PaginationFilter PaginationFilter { get; set; }
-    public List<RelationshipTemplateQueryItem> QueryItems { get; set; }
+    public List<ListRelationshipTemplatesQueryItem> QueryItems { get; set; }
 }
 
-public class RelationshipTemplateQueryItem
+public class ListRelationshipTemplatesQueryItem
 {
     public required string Id { get; set; }
     public byte[]? Password { get; set; }
diff --git a/Modules/Relationships/src/Relationships.Application/RelationshipTemplates/Queries/ListRelationshipTemplates/Validator.Tests.cs b/Modules/Relationships/src/Relationships.Application/RelationshipTemplates/Queries/ListRelationshipTemplates/Validator.Tests.cs
index c20521b2fa..bf177ce565 100644
--- a/Modules/Relationships/src/Relationships.Application/RelationshipTemplates/Queries/ListRelationshipTemplates/Validator.Tests.cs
+++ b/Modules/Relationships/src/Relationships.Application/RelationshipTemplates/Queries/ListRelationshipTemplates/Validator.Tests.cs
@@ -3,7 +3,6 @@
 using Backbone.UnitTestTools.BaseClasses;
 using Backbone.UnitTestTools.FluentValidation;
 using FluentValidation.TestHelper;
-using Microsoft.EntityFrameworkCore.Metadata.Internal;
 using Xunit;
 
 namespace Backbone.Modules.Relationships.Application.RelationshipTemplates.Queries.ListRelationshipTemplates;
@@ -17,7 +16,8 @@ public void Happy_path_with_password()
         var validator = new Validator();
 
         // Act
-        var validationResult = validator.TestValidate(new ListRelationshipTemplatesQuery(new PaginationFilter(), new[] { new RelationshipTemplateQueryItem() { Id = RelationshipTemplateId.New(), Password = [1, 2, 3] } }));
+        var validationResult = validator.TestValidate(new ListRelationshipTemplatesQuery(new PaginationFilter(),
+            new[] { new ListRelationshipTemplatesQueryItem() { Id = RelationshipTemplateId.New(), Password = [1, 2, 3] } }));
 
         // Assert
         validationResult.ShouldNotHaveAnyValidationErrors();
@@ -30,7 +30,8 @@ public void Happy_path_without_password()
         var validator = new Validator();
 
         // Act
-        var validationResult = validator.TestValidate(new ListRelationshipTemplatesQuery(new PaginationFilter(), new[] { new RelationshipTemplateQueryItem() { Id = RelationshipTemplateId.New() } }));
+        var validationResult =
+            validator.TestValidate(new ListRelationshipTemplatesQuery(new PaginationFilter(), new[] { new ListRelationshipTemplatesQueryItem() { Id = RelationshipTemplateId.New() } }));
 
         // Assert
         validationResult.ShouldNotHaveAnyValidationErrors();
diff --git a/Modules/Relationships/src/Relationships.Application/RelationshipTemplates/Queries/ListRelationshipTemplates/Validator.cs b/Modules/Relationships/src/Relationships.Application/RelationshipTemplates/Queries/ListRelationshipTemplates/Validator.cs
index 3ac120caed..1ec7c21e2c 100644
--- a/Modules/Relationships/src/Relationships.Application/RelationshipTemplates/Queries/ListRelationshipTemplates/Validator.cs
+++ b/Modules/Relationships/src/Relationships.Application/RelationshipTemplates/Queries/ListRelationshipTemplates/Validator.cs
@@ -20,7 +20,7 @@ public Validator()
             {
                 queryItems
                     .RuleFor(query => query.Id)
-                    .ValidId<RelationshipTemplateQueryItem, RelationshipTemplateId>();
+                    .ValidId<ListRelationshipTemplatesQueryItem, RelationshipTemplateId>();
 
                 queryItems
                     .RuleFor(query => query.Password)
diff --git a/Modules/Relationships/src/Relationships.ConsumerApi/Controllers/RelationshipTemplatesController.cs b/Modules/Relationships/src/Relationships.ConsumerApi/Controllers/RelationshipTemplatesController.cs
index 1b1d304fbd..2ff771ab3a 100644
--- a/Modules/Relationships/src/Relationships.ConsumerApi/Controllers/RelationshipTemplatesController.cs
+++ b/Modules/Relationships/src/Relationships.ConsumerApi/Controllers/RelationshipTemplatesController.cs
@@ -45,13 +45,13 @@ public async Task<IActionResult> GetById(string id, [FromQuery] byte[]? password
         StatusCodes.Status200OK)]
     public async Task<IActionResult> GetAll([FromQuery] PaginationFilter paginationFilter, [FromQuery] string? templates, [FromQuery] IEnumerable<string> ids, CancellationToken cancellationToken)
     {
-        List<RelationshipTemplateQueryItem>? relationshipTemplateQueryItems;
+        List<ListRelationshipTemplatesQueryItem>? relationshipTemplateQueryItems;
 
         if (templates != null)
         {
             try
             {
-                relationshipTemplateQueryItems = JsonSerializer.Deserialize<List<RelationshipTemplateQueryItem>>(templates, _jsonSerializerOptions);
+                relationshipTemplateQueryItems = JsonSerializer.Deserialize<List<ListRelationshipTemplatesQueryItem>>(templates, _jsonSerializerOptions);
             }
             catch (JsonException ex)
             {
@@ -60,7 +60,7 @@ public async Task<IActionResult> GetAll([FromQuery] PaginationFilter paginationF
         }
         else
         {
-            relationshipTemplateQueryItems = ids.Select(id => new RelationshipTemplateQueryItem { Id = id }).ToList();
+            relationshipTemplateQueryItems = ids.Select(id => new ListRelationshipTemplatesQueryItem { Id = id }).ToList();
         }
 
         var request = new ListRelationshipTemplatesQuery(paginationFilter, relationshipTemplateQueryItems);
diff --git a/Modules/Relationships/src/Relationships.Domain/Aggregates/RelationshipTemplates/RelationshipTemplate.CanBeCollectedByTests.cs b/Modules/Relationships/src/Relationships.Domain/Aggregates/RelationshipTemplates/RelationshipTemplate.CanBeCollectedByExpressionTests.cs
similarity index 99%
rename from Modules/Relationships/src/Relationships.Domain/Aggregates/RelationshipTemplates/RelationshipTemplate.CanBeCollectedByTests.cs
rename to Modules/Relationships/src/Relationships.Domain/Aggregates/RelationshipTemplates/RelationshipTemplate.CanBeCollectedByExpressionTests.cs
index 2860b78182..248c2dbc6c 100644
--- a/Modules/Relationships/src/Relationships.Domain/Aggregates/RelationshipTemplates/RelationshipTemplate.CanBeCollectedByTests.cs
+++ b/Modules/Relationships/src/Relationships.Domain/Aggregates/RelationshipTemplates/RelationshipTemplate.CanBeCollectedByExpressionTests.cs
@@ -5,6 +5,7 @@
 using Xunit;
 
 namespace Backbone.Modules.Relationships.Domain.Aggregates.RelationshipTemplates;
+
 public class RelationshipTemplateCanBeCollectedBy : AbstractTestsBase
 {
     private const string I1 = "did:e:prod.enmeshed.eu:dids:70cf4f3e6edf6bca33d35f";
diff --git a/Modules/Relationships/src/Relationships.Domain/Aggregates/RelationshipTemplates/RelationshipTemplate.CanBeCollectedWithPasswordTests.cs b/Modules/Relationships/src/Relationships.Domain/Aggregates/RelationshipTemplates/RelationshipTemplate.CanBeCollectedUsingPasswordTests.cs
similarity index 96%
rename from Modules/Relationships/src/Relationships.Domain/Aggregates/RelationshipTemplates/RelationshipTemplate.CanBeCollectedWithPasswordTests.cs
rename to Modules/Relationships/src/Relationships.Domain/Aggregates/RelationshipTemplates/RelationshipTemplate.CanBeCollectedUsingPasswordTests.cs
index e183151289..08eaea4893 100644
--- a/Modules/Relationships/src/Relationships.Domain/Aggregates/RelationshipTemplates/RelationshipTemplate.CanBeCollectedWithPasswordTests.cs
+++ b/Modules/Relationships/src/Relationships.Domain/Aggregates/RelationshipTemplates/RelationshipTemplate.CanBeCollectedUsingPasswordTests.cs
@@ -6,7 +6,7 @@
 
 namespace Backbone.Modules.Relationships.Domain.Aggregates.RelationshipTemplates;
 
-public class RelationshipTemplateCanBeCollectedWithPasswordTests : AbstractTestsBase
+public class RelationshipTemplateCanBeCollectedUsingPasswordExpressionTests : AbstractTestsBase
 {
     [Fact]
     public void Can_collect_without_a_password_when_no_password_is_defined()
diff --git a/Modules/Relationships/src/Relationships.Domain/Aggregates/RelationshipTemplates/RelationshipTemplate.cs b/Modules/Relationships/src/Relationships.Domain/Aggregates/RelationshipTemplates/RelationshipTemplate.cs
index 7c2e3d3306..3e9811b80c 100644
--- a/Modules/Relationships/src/Relationships.Domain/Aggregates/RelationshipTemplates/RelationshipTemplate.cs
+++ b/Modules/Relationships/src/Relationships.Domain/Aggregates/RelationshipTemplates/RelationshipTemplate.cs
@@ -95,12 +95,20 @@ public static Expression<Func<RelationshipTemplate, bool>> WasCreatedBy(Identity
 
     public static Expression<Func<RelationshipTemplate, bool>> CanBeCollectedBy(IdentityAddress address)
     {
-        return relationshipTemplate => relationshipTemplate.ForIdentity == null || relationshipTemplate.ForIdentity == address || relationshipTemplate.CreatedBy == address;
+        return relationshipTemplate =>
+            relationshipTemplate.ForIdentity == null ||
+            relationshipTemplate.ForIdentity == address ||
+            relationshipTemplate.CreatedBy == address;
     }
 
-    public static Expression<Func<RelationshipTemplate, bool>> CanBeCollectedWithPassword(IdentityAddress address, byte[]? password)
+    public static Expression<Func<RelationshipTemplate, bool>> CanBeCollectedWithPassword(IdentityAddress activeIdentity, byte[]? password)
     {
-        return relationshipTemplate => relationshipTemplate.Password == null || relationshipTemplate.Password == password || relationshipTemplate.CreatedBy == address;
+        return relationshipTemplate =>
+            relationshipTemplate.Password == null ||
+            relationshipTemplate.Password == password ||
+            relationshipTemplate.CreatedBy == activeIdentity || // The owner shouldn't need a password to get the template
+            relationshipTemplate.Allocations.Any(a =>
+                a.AllocatedBy == activeIdentity); // if the template has already been allocated by the active identity, it doesn't need to pass the password again;
     }
 
     #endregion
diff --git a/Modules/Relationships/src/Relationships.Infrastructure/Persistence/Database/Repository/RelationshipTemplatesRepository.cs b/Modules/Relationships/src/Relationships.Infrastructure/Persistence/Database/Repository/RelationshipTemplatesRepository.cs
index 3b730a76f7..e62a94e513 100644
--- a/Modules/Relationships/src/Relationships.Infrastructure/Persistence/Database/Repository/RelationshipTemplatesRepository.cs
+++ b/Modules/Relationships/src/Relationships.Infrastructure/Persistence/Database/Repository/RelationshipTemplatesRepository.cs
@@ -48,7 +48,7 @@ public async Task Delete(Expression<Func<RelationshipTemplate, bool>> filter, Ca
         return template;
     }
 
-    public async Task<DbPaginationResult<RelationshipTemplate>> FindTemplatesWithIds(IEnumerable<RelationshipTemplateQueryItem> queryItems, IdentityAddress activeIdentity,
+    public async Task<DbPaginationResult<RelationshipTemplate>> FindTemplates(IEnumerable<ListRelationshipTemplatesQueryItem> queryItems, IdentityAddress activeIdentity,
         PaginationFilter paginationFilter,
         CancellationToken cancellationToken, bool track = false)
     {
diff --git a/Modules/Tokens/src/Tokens.Application/Infrastructure/Persistence/Repository/ITokensRepository.cs b/Modules/Tokens/src/Tokens.Application/Infrastructure/Persistence/Repository/ITokensRepository.cs
index 1e5c397865..ad9fdbead2 100644
--- a/Modules/Tokens/src/Tokens.Application/Infrastructure/Persistence/Repository/ITokensRepository.cs
+++ b/Modules/Tokens/src/Tokens.Application/Infrastructure/Persistence/Repository/ITokensRepository.cs
@@ -2,6 +2,7 @@
 using Backbone.BuildingBlocks.Application.Abstractions.Infrastructure.Persistence.Database;
 using Backbone.BuildingBlocks.Application.Pagination;
 using Backbone.DevelopmentKit.Identity.ValueObjects;
+using Backbone.Modules.Tokens.Application.Tokens.Queries.ListTokens;
 using Backbone.Modules.Tokens.Domain.Entities;
 
 namespace Backbone.Modules.Tokens.Application.Infrastructure.Persistence.Repository;
@@ -9,7 +10,10 @@ namespace Backbone.Modules.Tokens.Application.Infrastructure.Persistence.Reposit
 public interface ITokensRepository
 {
     Task Add(Token token);
-    Task<Token?> Find(TokenId tokenId, IdentityAddress? activeIdentity);
-    Task<DbPaginationResult<Token>> FindAllWithIds(IdentityAddress activeIdentity, IEnumerable<TokenId> ids, PaginationFilter paginationFilter, CancellationToken cancellationToken);
+
+    Task<DbPaginationResult<Token>> FindTokens(IEnumerable<ListTokensQueryItem> queryItems, IdentityAddress activeIdentity, PaginationFilter paginationFilter,
+        CancellationToken cancellationToken, bool track = false);
+
+    Task<Token?> Find(TokenId tokenId, IdentityAddress? activeIdentity, CancellationToken cancellationToken, bool track = false);
     Task DeleteTokens(Expression<Func<Token, bool>> filter, CancellationToken cancellationToken);
 }
diff --git a/Modules/Tokens/src/Tokens.Application/Tokens/Commands/CreateToken/CreateTokenCommand.cs b/Modules/Tokens/src/Tokens.Application/Tokens/Commands/CreateToken/CreateTokenCommand.cs
index a63c3c487e..ae57c8757e 100644
--- a/Modules/Tokens/src/Tokens.Application/Tokens/Commands/CreateToken/CreateTokenCommand.cs
+++ b/Modules/Tokens/src/Tokens.Application/Tokens/Commands/CreateToken/CreateTokenCommand.cs
@@ -9,4 +9,5 @@ public class CreateTokenCommand : IRequest<CreateTokenResponse>
     public required byte[] Content { get; set; }
     public required DateTime ExpiresAt { get; set; }
     public string? ForIdentity { get; set; }
+    public byte[]? Password { get; set; }
 }
diff --git a/Modules/Tokens/src/Tokens.Application/Tokens/Commands/CreateToken/Handler.cs b/Modules/Tokens/src/Tokens.Application/Tokens/Commands/CreateToken/Handler.cs
index cb0d3eb4b5..7f4da228da 100644
--- a/Modules/Tokens/src/Tokens.Application/Tokens/Commands/CreateToken/Handler.cs
+++ b/Modules/Tokens/src/Tokens.Application/Tokens/Commands/CreateToken/Handler.cs
@@ -20,7 +20,7 @@ public Handler(IUserContext userContext, ITokensRepository tokensRepository)
     public async Task<CreateTokenResponse> Handle(CreateTokenCommand request, CancellationToken cancellationToken)
     {
         var forIdentity = request.ForIdentity == null ? null : IdentityAddress.Parse(request.ForIdentity);
-        var newToken = new Token(_userContext.GetAddress(), _userContext.GetDeviceId(), request.Content, request.ExpiresAt, forIdentity);
+        var newToken = new Token(_userContext.GetAddress(), _userContext.GetDeviceId(), request.Content, request.ExpiresAt, forIdentity, request.Password);
 
         await _tokensRepository.Add(newToken);
 
diff --git a/Modules/Tokens/src/Tokens.Application/Tokens/Commands/CreateToken/Validator.cs b/Modules/Tokens/src/Tokens.Application/Tokens/Commands/CreateToken/Validator.cs
index d1b4e17095..79c5ec96bb 100644
--- a/Modules/Tokens/src/Tokens.Application/Tokens/Commands/CreateToken/Validator.cs
+++ b/Modules/Tokens/src/Tokens.Application/Tokens/Commands/CreateToken/Validator.cs
@@ -2,6 +2,7 @@
 using Backbone.BuildingBlocks.Application.Extensions;
 using Backbone.BuildingBlocks.Application.FluentValidation;
 using Backbone.DevelopmentKit.Identity.ValueObjects;
+using Backbone.Modules.Tokens.Domain.Entities;
 using Backbone.Tooling;
 using Backbone.Tooling.Extensions;
 using FluentValidation;
@@ -24,5 +25,7 @@ public Validator()
         RuleFor(t => t.ForIdentity)
             .ValidId<CreateTokenCommand, IdentityAddress>()
             .When(t => t.ForIdentity != null);
+
+        RuleFor(c => c.Password).NumberOfBytes(1, Token.MAX_PASSWORD_LENGTH).When(c => c.Password != null);
     }
 }
diff --git a/Modules/Tokens/src/Tokens.Application/Tokens/Queries/GetToken/GetTokenQuery.cs b/Modules/Tokens/src/Tokens.Application/Tokens/Queries/GetToken/GetTokenQuery.cs
index fb4ed2cb77..d907b88075 100644
--- a/Modules/Tokens/src/Tokens.Application/Tokens/Queries/GetToken/GetTokenQuery.cs
+++ b/Modules/Tokens/src/Tokens.Application/Tokens/Queries/GetToken/GetTokenQuery.cs
@@ -6,4 +6,5 @@ namespace Backbone.Modules.Tokens.Application.Tokens.Queries.GetToken;
 public class GetTokenQuery : IRequest<TokenDTO>
 {
     public required string Id { get; set; }
+    public byte[]? Password { get; set; }
 }
diff --git a/Modules/Tokens/src/Tokens.Application/Tokens/Queries/GetToken/Handler.cs b/Modules/Tokens/src/Tokens.Application/Tokens/Queries/GetToken/Handler.cs
index 41a9966567..05f42a9547 100644
--- a/Modules/Tokens/src/Tokens.Application/Tokens/Queries/GetToken/Handler.cs
+++ b/Modules/Tokens/src/Tokens.Application/Tokens/Queries/GetToken/Handler.cs
@@ -20,7 +20,18 @@ public Handler(ITokensRepository tokensRepository, IUserContext userContext)
 
     public async Task<TokenDTO> Handle(GetTokenQuery request, CancellationToken cancellationToken)
     {
-        var token = await _tokensRepository.Find(TokenId.Parse(request.Id), _userContext.GetAddressOrNull()) ?? throw new NotFoundException();
+        var token = await GetToken(request.Id, request.Password, cancellationToken);
         return new TokenDTO(token);
     }
+
+    private async Task<Token> GetToken(string tokenId, byte[]? password, CancellationToken cancellationToken)
+    {
+        var token = await _tokensRepository.Find(TokenId.Parse(tokenId), _userContext.GetAddressOrNull(), cancellationToken, true) ??
+                    throw new NotFoundException(nameof(Token));
+
+        if (!token.CanBeCollectedUsingPassword(_userContext.GetAddressOrNull(), password))
+            throw new NotFoundException(nameof(Token));
+
+        return token;
+    }
 }
diff --git a/Modules/Tokens/src/Tokens.Application/Tokens/Queries/GetToken/Validator.cs b/Modules/Tokens/src/Tokens.Application/Tokens/Queries/GetToken/Validator.cs
index 107c81664b..1791ce93f3 100644
--- a/Modules/Tokens/src/Tokens.Application/Tokens/Queries/GetToken/Validator.cs
+++ b/Modules/Tokens/src/Tokens.Application/Tokens/Queries/GetToken/Validator.cs
@@ -1,4 +1,5 @@
 using Backbone.BuildingBlocks.Application.Extensions;
+using Backbone.BuildingBlocks.Application.FluentValidation;
 using Backbone.Modules.Tokens.Domain.Entities;
 using FluentValidation;
 
@@ -9,5 +10,6 @@ public class Validator : AbstractValidator<GetTokenQuery>
     public Validator()
     {
         RuleFor(x => x.Id).ValidId<GetTokenQuery, TokenId>();
+        RuleFor(x => x.Password).NumberOfBytes(1, Token.MAX_PASSWORD_LENGTH).When(t => t.Password != null);
     }
 }
diff --git a/Modules/Tokens/src/Tokens.Application/Tokens/Queries/ListTokens/Handler.cs b/Modules/Tokens/src/Tokens.Application/Tokens/Queries/ListTokens/Handler.cs
index 0d9c7b8a75..df925b2cff 100644
--- a/Modules/Tokens/src/Tokens.Application/Tokens/Queries/ListTokens/Handler.cs
+++ b/Modules/Tokens/src/Tokens.Application/Tokens/Queries/ListTokens/Handler.cs
@@ -1,7 +1,6 @@
 using Backbone.BuildingBlocks.Application.Abstractions.Infrastructure.UserContext;
 using Backbone.DevelopmentKit.Identity.ValueObjects;
 using Backbone.Modules.Tokens.Application.Infrastructure.Persistence.Repository;
-using Backbone.Modules.Tokens.Domain.Entities;
 using MediatR;
 
 namespace Backbone.Modules.Tokens.Application.Tokens.Queries.ListTokens;
@@ -19,7 +18,7 @@ public Handler(ITokensRepository tokensRepository, IUserContext userContext)
 
     public async Task<ListTokensResponse> Handle(ListTokensQuery request, CancellationToken cancellationToken)
     {
-        var dbPaginationResult = await _tokensRepository.FindAllWithIds(_activeIdentity, request.Ids.Select(TokenId.Parse), request.PaginationFilter, cancellationToken);
+        var dbPaginationResult = await _tokensRepository.FindTokens(request.QueryItems, _activeIdentity, request.PaginationFilter, cancellationToken, track: false);
 
         return new ListTokensResponse(dbPaginationResult, request.PaginationFilter);
     }
diff --git a/Modules/Tokens/src/Tokens.Application/Tokens/Queries/ListTokens/ListTokensQuery.cs b/Modules/Tokens/src/Tokens.Application/Tokens/Queries/ListTokens/ListTokensQuery.cs
index df912053b4..0de15059d7 100644
--- a/Modules/Tokens/src/Tokens.Application/Tokens/Queries/ListTokens/ListTokensQuery.cs
+++ b/Modules/Tokens/src/Tokens.Application/Tokens/Queries/ListTokens/ListTokensQuery.cs
@@ -5,12 +5,18 @@ namespace Backbone.Modules.Tokens.Application.Tokens.Queries.ListTokens;
 
 public class ListTokensQuery : IRequest<ListTokensResponse>
 {
-    public ListTokensQuery(PaginationFilter paginationFilter, IEnumerable<string> ids)
+    public ListTokensQuery(PaginationFilter paginationFilter, IEnumerable<ListTokensQueryItem>? queries)
     {
         PaginationFilter = paginationFilter;
-        Ids = ids;
+        QueryItems = queries == null ? [] : queries.ToList();
     }
 
     public PaginationFilter PaginationFilter { get; set; }
-    public IEnumerable<string> Ids { get; set; }
+    public List<ListTokensQueryItem> QueryItems { get; set; }
+}
+
+public class ListTokensQueryItem
+{
+    public required string Id { get; set; }
+    public byte[]? Password { get; set; }
 }
diff --git a/Modules/Tokens/src/Tokens.Application/Tokens/Queries/ListTokens/Validator.cs b/Modules/Tokens/src/Tokens.Application/Tokens/Queries/ListTokens/Validator.cs
index eb222c7408..50ef87652f 100644
--- a/Modules/Tokens/src/Tokens.Application/Tokens/Queries/ListTokens/Validator.cs
+++ b/Modules/Tokens/src/Tokens.Application/Tokens/Queries/ListTokens/Validator.cs
@@ -1,5 +1,6 @@
 using Backbone.BuildingBlocks.Application.Abstractions.Exceptions;
 using Backbone.BuildingBlocks.Application.Extensions;
+using Backbone.BuildingBlocks.Application.FluentValidation;
 using Backbone.BuildingBlocks.Application.Pagination;
 using Backbone.Modules.Tokens.Domain.Entities;
 using FluentValidation;
@@ -12,7 +13,24 @@ public class Validator : AbstractValidator<ListTokensQuery>
     public Validator()
     {
         RuleFor(t => t.PaginationFilter).SetValidator(new PaginationFilterValidator()).When(t => t != null);
-        RuleForEach(x => x.Ids).ValidId<ListTokensQuery, TokenId>();
+
+        RuleFor(q => q.QueryItems)
+            .Cascade(CascadeMode.Stop)
+            .DetailedNotEmpty();
+
+        RuleForEach(x => x.QueryItems)
+            .Cascade(CascadeMode.Stop)
+            .ChildRules(queryItems =>
+            {
+                queryItems
+                    .RuleFor(query => query.Id)
+                    .ValidId<ListTokensQueryItem, TokenId>();
+
+                queryItems
+                    .RuleFor(query => query.Password)
+                    .NumberOfBytes(1, Token.MAX_PASSWORD_LENGTH)
+                    .When(query => query.Password != null);
+            });
     }
 }
 
diff --git a/Modules/Tokens/src/Tokens.ConsumerApi/Controllers/TokensController.cs b/Modules/Tokens/src/Tokens.ConsumerApi/Controllers/TokensController.cs
index 88f9654b8c..8caa366b79 100644
--- a/Modules/Tokens/src/Tokens.ConsumerApi/Controllers/TokensController.cs
+++ b/Modules/Tokens/src/Tokens.ConsumerApi/Controllers/TokensController.cs
@@ -1,3 +1,4 @@
+using System.Text.Json;
 using Backbone.BuildingBlocks.API;
 using Backbone.BuildingBlocks.API.Mvc;
 using Backbone.BuildingBlocks.API.Mvc.ControllerAttributes;
@@ -22,10 +23,12 @@ namespace Backbone.Modules.Tokens.ConsumerApi.Controllers;
 public class TokensController : ApiControllerBase
 {
     private readonly ApplicationOptions _options;
+    private readonly JsonSerializerOptions _jsonSerializerOptions;
 
-    public TokensController(IMediator mediator, IOptions<ApplicationOptions> options) : base(mediator)
+    public TokensController(IMediator mediator, IOptions<ApplicationOptions> options, IOptions<JsonOptions> jsonOptions) : base(mediator)
     {
         _options = options.Value;
+        _jsonSerializerOptions = jsonOptions.Value.JsonSerializerOptions;
     }
 
     [HttpPost]
@@ -40,24 +43,44 @@ public async Task<IActionResult> CreateToken(CreateTokenCommand request, Cancell
     [ProducesResponseType(typeof(HttpResponseEnvelopeResult<TokenDTO>), StatusCodes.Status200OK)]
     [ProducesError(StatusCodes.Status404NotFound)]
     [AllowAnonymous]
-    public async Task<IActionResult> GetToken([FromRoute] string id, CancellationToken cancellationToken)
+    public async Task<IActionResult> GetToken([FromRoute] string id, [FromQuery] byte[]? password, CancellationToken cancellationToken)
     {
-        var response = await _mediator.Send(new GetTokenQuery { Id = id }, cancellationToken);
+        var response = await _mediator.Send(new GetTokenQuery { Id = id, Password = password }, cancellationToken);
         return Ok(response);
     }
 
     [HttpGet]
     [ProducesResponseType(typeof(PagedHttpResponseEnvelope<TokenDTO>), StatusCodes.Status200OK)]
-    public async Task<IActionResult> ListTokens([FromQuery] PaginationFilter paginationFilter,
+    public async Task<IActionResult> ListTokens([FromQuery] PaginationFilter paginationFilter, [FromQuery] string? tokens,
         [FromQuery] IEnumerable<string> ids, CancellationToken cancellationToken)
     {
+        List<ListTokensQueryItem>? tokenQueryItems;
+
+        if (tokens != null)
+        {
+            try
+            {
+                tokenQueryItems = JsonSerializer.Deserialize<List<ListTokensQueryItem>>(tokens, _jsonSerializerOptions);
+            }
+            catch (JsonException ex)
+            {
+                throw new ApplicationException(GenericApplicationErrors.Validation.InputCannotBeParsed(ex.Message));
+            }
+        }
+        else
+        {
+            tokenQueryItems = ids.Select(id => new ListTokensQueryItem { Id = id }).ToList();
+        }
+
+        var request = new ListTokensQuery(paginationFilter, tokenQueryItems);
+
         paginationFilter.PageSize ??= _options.Pagination.DefaultPageSize;
 
         if (paginationFilter.PageSize > _options.Pagination.MaxPageSize)
             throw new ApplicationException(
                 GenericApplicationErrors.Validation.InvalidPageSize(_options.Pagination.MaxPageSize));
 
-        var response = await _mediator.Send(new ListTokensQuery(paginationFilter, ids), cancellationToken);
+        var response = await _mediator.Send(request, cancellationToken);
 
         return Paged(response);
     }
diff --git a/Modules/Tokens/src/Tokens.Domain/Entities/Token.cs b/Modules/Tokens/src/Tokens.Domain/Entities/Token.cs
index a9cc09c437..8f6510ac69 100644
--- a/Modules/Tokens/src/Tokens.Domain/Entities/Token.cs
+++ b/Modules/Tokens/src/Tokens.Domain/Entities/Token.cs
@@ -8,6 +8,8 @@ namespace Backbone.Modules.Tokens.Domain.Entities;
 
 public class Token : Entity
 {
+    public const int MAX_PASSWORD_LENGTH = 200;
+
     // ReSharper disable once UnusedMember.Local
     private Token()
     {
@@ -18,7 +20,7 @@ private Token()
         Content = null!;
     }
 
-    public Token(IdentityAddress createdBy, DeviceId createdByDevice, byte[] content, DateTime expiresAt, IdentityAddress? forIdentity = null)
+    public Token(IdentityAddress createdBy, DeviceId createdByDevice, byte[] content, DateTime expiresAt, IdentityAddress? forIdentity = null, byte[]? password = null)
     {
         Id = TokenId.New();
 
@@ -30,6 +32,7 @@ public Token(IdentityAddress createdBy, DeviceId createdByDevice, byte[] content
 
         Content = content;
         ForIdentity = forIdentity;
+        Password = password;
 
         RaiseDomainEvent(new TokenCreatedDomainEvent(this));
     }
@@ -40,13 +43,21 @@ public Token(IdentityAddress createdBy, DeviceId createdByDevice, byte[] content
     public DeviceId CreatedByDevice { get; set; }
 
     public IdentityAddress? ForIdentity { get; set; }
+    public byte[]? Password { get; set; }
 
     public byte[] Content { get; private set; }
     public DateTime CreatedAt { get; set; }
     public DateTime ExpiresAt { get; set; }
 
-    public static Expression<Func<Token, bool>> IsExpired =>
-        challenge => challenge.ExpiresAt <= SystemTime.UtcNow;
+    public bool CanBeCollectedUsingPassword(IdentityAddress? address, byte[]? password)
+    {
+        return
+            Password == null ||
+            password != null && Password.SequenceEqual(password) ||
+            CreatedBy == address; // The owner shouldn't need a password to get the template
+    }
+
+    #region Expressions
 
     public static Expression<Func<Token, bool>> IsNotExpired =>
         challenge => challenge.ExpiresAt > SystemTime.UtcNow;
@@ -60,4 +71,19 @@ public static Expression<Func<Token, bool>> WasCreatedBy(IdentityAddress identit
     {
         return t => t.CreatedBy == identityAddress.ToString();
     }
+
+    public static Expression<Func<Token, bool>> HasId(TokenId id)
+    {
+        return r => r.Id == id;
+    }
+
+    public static Expression<Func<Token, bool>> CanBeCollectedWithPassword(IdentityAddress address, byte[]? password)
+    {
+        return token =>
+            token.Password == null ||
+            token.Password == password ||
+            token.CreatedBy == address; // The owner shouldn't need a password to get the template
+    }
+
+    #endregion
 }
diff --git a/Modules/Tokens/src/Tokens.Infrastructure.Database.Postgres/Migrations/20241011123029_AddPasswordToToken.Designer.cs b/Modules/Tokens/src/Tokens.Infrastructure.Database.Postgres/Migrations/20241011123029_AddPasswordToToken.Designer.cs
new file mode 100644
index 0000000000..3380426013
--- /dev/null
+++ b/Modules/Tokens/src/Tokens.Infrastructure.Database.Postgres/Migrations/20241011123029_AddPasswordToToken.Designer.cs
@@ -0,0 +1,77 @@
+// <auto-generated />
+using System;
+using Backbone.Modules.Tokens.Infrastructure.Persistence.Database;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
+
+#nullable disable
+
+namespace Backbone.Modules.Tokens.Infrastructure.Database.Postgres.Migrations
+{
+    [DbContext(typeof(TokensDbContext))]
+    [Migration("20241011123029_AddPasswordToToken")]
+    partial class AddPasswordToToken
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasDefaultSchema("Tokens")
+                .HasAnnotation("ProductVersion", "8.0.10")
+                .HasAnnotation("Relational:MaxIdentifierLength", 63);
+
+            NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
+
+            modelBuilder.Entity("Backbone.Modules.Tokens.Domain.Entities.Token", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(20)
+                        .IsUnicode(false)
+                        .HasColumnType("character(20)")
+                        .IsFixedLength();
+
+                    b.Property<byte[]>("Content")
+                        .HasColumnType("bytea");
+
+                    b.Property<DateTime>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("CreatedBy")
+                        .IsRequired()
+                        .HasMaxLength(80)
+                        .IsUnicode(false)
+                        .HasColumnType("character varying(80)")
+                        .IsFixedLength(false);
+
+                    b.Property<string>("CreatedByDevice")
+                        .IsRequired()
+                        .HasMaxLength(20)
+                        .IsUnicode(false)
+                        .HasColumnType("character(20)")
+                        .IsFixedLength();
+
+                    b.Property<DateTime>("ExpiresAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("ForIdentity")
+                        .HasMaxLength(80)
+                        .IsUnicode(false)
+                        .HasColumnType("character varying(80)")
+                        .IsFixedLength(false);
+
+                    b.Property<byte[]>("Password")
+                        .HasMaxLength(200)
+                        .HasColumnType("bytea");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Tokens", "Tokens");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/Modules/Tokens/src/Tokens.Infrastructure.Database.Postgres/Migrations/20241011123029_AddPasswordToToken.cs b/Modules/Tokens/src/Tokens.Infrastructure.Database.Postgres/Migrations/20241011123029_AddPasswordToToken.cs
new file mode 100644
index 0000000000..fd4787e984
--- /dev/null
+++ b/Modules/Tokens/src/Tokens.Infrastructure.Database.Postgres/Migrations/20241011123029_AddPasswordToToken.cs
@@ -0,0 +1,31 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Backbone.Modules.Tokens.Infrastructure.Database.Postgres.Migrations
+{
+    /// <inheritdoc />
+    public partial class AddPasswordToToken : Migration
+    {
+        /// <inheritdoc />
+        protected override void Up(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.AddColumn<byte[]>(
+                name: "Password",
+                schema: "Tokens",
+                table: "Tokens",
+                type: "bytea",
+                maxLength: 200,
+                nullable: true);
+        }
+
+        /// <inheritdoc />
+        protected override void Down(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.DropColumn(
+                name: "Password",
+                schema: "Tokens",
+                table: "Tokens");
+        }
+    }
+}
diff --git a/Modules/Tokens/src/Tokens.Infrastructure.Database.Postgres/Migrations/TokensDbContextModelSnapshot.cs b/Modules/Tokens/src/Tokens.Infrastructure.Database.Postgres/Migrations/TokensDbContextModelSnapshot.cs
index bd02e2d9b9..5a55a5d951 100644
--- a/Modules/Tokens/src/Tokens.Infrastructure.Database.Postgres/Migrations/TokensDbContextModelSnapshot.cs
+++ b/Modules/Tokens/src/Tokens.Infrastructure.Database.Postgres/Migrations/TokensDbContextModelSnapshot.cs
@@ -18,7 +18,7 @@ protected override void BuildModel(ModelBuilder modelBuilder)
 #pragma warning disable 612, 618
             modelBuilder
                 .HasDefaultSchema("Tokens")
-                .HasAnnotation("ProductVersion", "8.0.7")
+                .HasAnnotation("ProductVersion", "8.0.10")
                 .HasAnnotation("Relational:MaxIdentifierLength", 63);
 
             NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
@@ -60,6 +60,10 @@ protected override void BuildModel(ModelBuilder modelBuilder)
                         .HasColumnType("character varying(80)")
                         .IsFixedLength(false);
 
+                    b.Property<byte[]>("Password")
+                        .HasMaxLength(200)
+                        .HasColumnType("bytea");
+
                     b.HasKey("Id");
 
                     b.ToTable("Tokens", "Tokens");
diff --git a/Modules/Tokens/src/Tokens.Infrastructure.Database.SqlServer/Migrations/20241011123022_AddPasswordToToken.Designer.cs b/Modules/Tokens/src/Tokens.Infrastructure.Database.SqlServer/Migrations/20241011123022_AddPasswordToToken.Designer.cs
new file mode 100644
index 0000000000..53d8ae7ac1
--- /dev/null
+++ b/Modules/Tokens/src/Tokens.Infrastructure.Database.SqlServer/Migrations/20241011123022_AddPasswordToToken.Designer.cs
@@ -0,0 +1,77 @@
+// <auto-generated />
+using System;
+using Backbone.Modules.Tokens.Infrastructure.Persistence.Database;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Metadata;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+
+#nullable disable
+
+namespace Backbone.Modules.Tokens.Infrastructure.Database.SqlServer.Migrations
+{
+    [DbContext(typeof(TokensDbContext))]
+    [Migration("20241011123022_AddPasswordToToken")]
+    partial class AddPasswordToToken
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasDefaultSchema("Tokens")
+                .HasAnnotation("ProductVersion", "8.0.10")
+                .HasAnnotation("Relational:MaxIdentifierLength", 128);
+
+            SqlServerModelBuilderExtensions.UseIdentityColumns(modelBuilder);
+
+            modelBuilder.Entity("Backbone.Modules.Tokens.Domain.Entities.Token", b =>
+                {
+                    b.Property<string>("Id")
+                        .HasMaxLength(20)
+                        .IsUnicode(false)
+                        .HasColumnType("char(20)")
+                        .IsFixedLength();
+
+                    b.Property<byte[]>("Content")
+                        .HasColumnType("varbinary(max)");
+
+                    b.Property<DateTime>("CreatedAt")
+                        .HasColumnType("datetime2");
+
+                    b.Property<string>("CreatedBy")
+                        .IsRequired()
+                        .HasMaxLength(80)
+                        .IsUnicode(false)
+                        .HasColumnType("varchar(80)")
+                        .IsFixedLength(false);
+
+                    b.Property<string>("CreatedByDevice")
+                        .IsRequired()
+                        .HasMaxLength(20)
+                        .IsUnicode(false)
+                        .HasColumnType("char(20)")
+                        .IsFixedLength();
+
+                    b.Property<DateTime>("ExpiresAt")
+                        .HasColumnType("datetime2");
+
+                    b.Property<string>("ForIdentity")
+                        .HasMaxLength(80)
+                        .IsUnicode(false)
+                        .HasColumnType("varchar(80)")
+                        .IsFixedLength(false);
+
+                    b.Property<byte[]>("Password")
+                        .HasMaxLength(200)
+                        .HasColumnType("varbinary(200)");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Tokens", "Tokens");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}
diff --git a/Modules/Tokens/src/Tokens.Infrastructure.Database.SqlServer/Migrations/20241011123022_AddPasswordToToken.cs b/Modules/Tokens/src/Tokens.Infrastructure.Database.SqlServer/Migrations/20241011123022_AddPasswordToToken.cs
new file mode 100644
index 0000000000..149f8e7ffc
--- /dev/null
+++ b/Modules/Tokens/src/Tokens.Infrastructure.Database.SqlServer/Migrations/20241011123022_AddPasswordToToken.cs
@@ -0,0 +1,31 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Backbone.Modules.Tokens.Infrastructure.Database.SqlServer.Migrations
+{
+    /// <inheritdoc />
+    public partial class AddPasswordToToken : Migration
+    {
+        /// <inheritdoc />
+        protected override void Up(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.AddColumn<byte[]>(
+                name: "Password",
+                schema: "Tokens",
+                table: "Tokens",
+                type: "varbinary(200)",
+                maxLength: 200,
+                nullable: true);
+        }
+
+        /// <inheritdoc />
+        protected override void Down(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.DropColumn(
+                name: "Password",
+                schema: "Tokens",
+                table: "Tokens");
+        }
+    }
+}
diff --git a/Modules/Tokens/src/Tokens.Infrastructure.Database.SqlServer/Migrations/TokensDbContextModelSnapshot.cs b/Modules/Tokens/src/Tokens.Infrastructure.Database.SqlServer/Migrations/TokensDbContextModelSnapshot.cs
index 3e5621dfe4..8d6b40d9b2 100644
--- a/Modules/Tokens/src/Tokens.Infrastructure.Database.SqlServer/Migrations/TokensDbContextModelSnapshot.cs
+++ b/Modules/Tokens/src/Tokens.Infrastructure.Database.SqlServer/Migrations/TokensDbContextModelSnapshot.cs
@@ -18,7 +18,7 @@ protected override void BuildModel(ModelBuilder modelBuilder)
 #pragma warning disable 612, 618
             modelBuilder
                 .HasDefaultSchema("Tokens")
-                .HasAnnotation("ProductVersion", "8.0.7")
+                .HasAnnotation("ProductVersion", "8.0.10")
                 .HasAnnotation("Relational:MaxIdentifierLength", 128);
 
             SqlServerModelBuilderExtensions.UseIdentityColumns(modelBuilder);
@@ -60,6 +60,10 @@ protected override void BuildModel(ModelBuilder modelBuilder)
                         .HasColumnType("varchar(80)")
                         .IsFixedLength(false);
 
+                    b.Property<byte[]>("Password")
+                        .HasMaxLength(200)
+                        .HasColumnType("varbinary(200)");
+
                     b.HasKey("Id");
 
                     b.ToTable("Tokens", "Tokens");
diff --git a/Modules/Tokens/src/Tokens.Infrastructure/Persistence/Database/EntityConfigurations/TokenEntityTypeConfiguration.cs b/Modules/Tokens/src/Tokens.Infrastructure/Persistence/Database/EntityConfigurations/TokenEntityTypeConfiguration.cs
index 58ec0d0e26..a8a6b95f4a 100644
--- a/Modules/Tokens/src/Tokens.Infrastructure/Persistence/Database/EntityConfigurations/TokenEntityTypeConfiguration.cs
+++ b/Modules/Tokens/src/Tokens.Infrastructure/Persistence/Database/EntityConfigurations/TokenEntityTypeConfiguration.cs
@@ -11,5 +11,7 @@ public override void Configure(EntityTypeBuilder<Token> builder)
         base.Configure(builder);
 
         builder.Property(r => r.Content).IsRequired(false);
+
+        builder.Property(x => x.Password).HasMaxLength(Token.MAX_PASSWORD_LENGTH);
     }
 }
diff --git a/Modules/Tokens/src/Tokens.Infrastructure/Persistence/Repository/TokensRepository.cs b/Modules/Tokens/src/Tokens.Infrastructure/Persistence/Repository/TokensRepository.cs
index 147b2c27fd..5693d75373 100644
--- a/Modules/Tokens/src/Tokens.Infrastructure/Persistence/Repository/TokensRepository.cs
+++ b/Modules/Tokens/src/Tokens.Infrastructure/Persistence/Repository/TokensRepository.cs
@@ -4,6 +4,7 @@
 using Backbone.BuildingBlocks.Application.Pagination;
 using Backbone.DevelopmentKit.Identity.ValueObjects;
 using Backbone.Modules.Tokens.Application.Infrastructure.Persistence.Repository;
+using Backbone.Modules.Tokens.Application.Tokens.Queries.ListTokens;
 using Backbone.Modules.Tokens.Domain.Entities;
 using Backbone.Modules.Tokens.Infrastructure.Persistence.Database;
 using Microsoft.EntityFrameworkCore;
@@ -23,12 +24,37 @@ public TokensRepository(TokensDbContext dbContext)
         _readonlyTokensDbSet = dbContext.Tokens.AsNoTracking();
     }
 
-    public async Task<Token?> Find(TokenId id, IdentityAddress? activeIdentity)
+    public async Task<DbPaginationResult<Token>> FindTokens(IEnumerable<ListTokensQueryItem> queryItems, IdentityAddress activeIdentity,
+        PaginationFilter paginationFilter, CancellationToken cancellationToken, bool track = false)
+    {
+        var queryItemsList = queryItems.ToList();
+
+        Expression<Func<Token, bool>> idAndPasswordFilter = template => false;
+
+        foreach (var inputQuery in queryItemsList)
+        {
+            idAndPasswordFilter = idAndPasswordFilter
+                .Or(Token.HasId(TokenId.Parse(inputQuery.Id))
+                    .And(Token.CanBeCollectedWithPassword(activeIdentity, inputQuery.Password)));
+        }
+
+        var query = (track ? _tokensDbSet : _readonlyTokensDbSet)
+            .Where(Token.IsNotExpired)
+            .Where(Token.CanBeCollectedBy(activeIdentity))
+            .Where(idAndPasswordFilter);
+
+        var templates = await query.OrderAndPaginate(d => d.CreatedAt, paginationFilter, cancellationToken);
+
+        return templates;
+    }
+
+    public async Task<Token?> Find(TokenId id, IdentityAddress? activeIdentity, CancellationToken cancellationToken, bool track = false)
     {
         var token = await _readonlyTokensDbSet
             .Where(Token.IsNotExpired)
             .Where(Token.CanBeCollectedBy(activeIdentity))
-            .FirstOrDefaultAsync(t => t.Id == id);
+            .Where(Token.HasId(id))
+            .FirstOrDefaultAsync(cancellationToken);
 
         return token;
     }
diff --git a/Modules/Tokens/test/Tokens.Application.Tests/Tests/Tokens/CreateToken/ValidatorTests.cs b/Modules/Tokens/test/Tokens.Application.Tests/Tests/Tokens/CreateToken/ValidatorTests.cs
index df5f0c3687..dfb86d96cc 100644
--- a/Modules/Tokens/test/Tokens.Application.Tests/Tests/Tokens/CreateToken/ValidatorTests.cs
+++ b/Modules/Tokens/test/Tokens.Application.Tests/Tests/Tokens/CreateToken/ValidatorTests.cs
@@ -10,17 +10,29 @@ namespace Backbone.Modules.Tokens.Application.Tests.Tests.Tokens.CreateToken;
 
 public class ValidatorTests : AbstractTestsBase
 {
-    [Theory]
-    [InlineData("did:e:prod.enmeshed.eu:dids:70cf4f3e6edf6bca33d35f")]
-    [InlineData(null)]
-    public void Happy_Path(string? forIdentity)
+    [Fact]
+    public void Happy_Path_with_optional_parameters()
+    {
+        // Arrange
+        var validator = new Validator();
+
+        // Act
+        var validationResult = validator.TestValidate(
+            new CreateTokenCommand { Content = [1], ExpiresAt = DateTime.UtcNow.AddDays(1), ForIdentity = "did:e:prod.enmeshed.eu:dids:70cf4f3e6edf6bca33d35f", Password = [1, 2, 3] });
+
+        // Assert
+        validationResult.ShouldNotHaveAnyValidationErrors();
+    }
+
+    [Fact]
+    public void Happy_Path_without_optional_parameters()
     {
         // Arrange
         var validator = new Validator();
 
         // Act
         var validationResult = validator.TestValidate(
-            new CreateTokenCommand { Content = [1], ExpiresAt = DateTime.UtcNow.AddDays(1), ForIdentity = forIdentity });
+            new CreateTokenCommand { Content = [1], ExpiresAt = DateTime.UtcNow.AddDays(1) });
 
         // Assert
         validationResult.ShouldNotHaveAnyValidationErrors();
@@ -69,4 +81,21 @@ public void Fails_when_ForIdentity_is_invalid()
         // Assert
         validationResult.ShouldHaveValidationErrorForId(nameof(Token.ForIdentity));
     }
+
+    [Fact]
+    public void Fails_when_Password_is_too_long()
+    {
+        // Arrange
+        var validator = new Validator();
+
+        var password = new byte[250];
+        new Random().NextBytes(password);
+
+        // Act
+        var validationResult = validator.TestValidate(new CreateTokenCommand { Content = [1], ExpiresAt = DateTime.UtcNow.AddDays(1), Password = password });
+
+        // Assert
+        validationResult.ShouldHaveValidationErrorForItem(nameof(CreateTokenCommand.Password), "error.platform.validation.invalidPropertyValue",
+            "'Password' must be between 1 and 200 bytes long. You entered 250 bytes.");
+    }
 }
diff --git a/Modules/Tokens/test/Tokens.Domain.Tests/TestHelpers/TestData.cs b/Modules/Tokens/test/Tokens.Domain.Tests/TestHelpers/TestData.cs
index c6217d994c..0bd10f22aa 100644
--- a/Modules/Tokens/test/Tokens.Domain.Tests/TestHelpers/TestData.cs
+++ b/Modules/Tokens/test/Tokens.Domain.Tests/TestHelpers/TestData.cs
@@ -4,8 +4,8 @@
 namespace Backbone.Modules.Tokens.Domain.Tests.TestHelpers;
 public class TestData
 {
-    public static Token CreateToken(IdentityAddress createdBy, IdentityAddress? forIdentity)
+    public static Token CreateToken(IdentityAddress createdBy, IdentityAddress? forIdentity, byte[]? password = null)
     {
-        return new Token(createdBy, DeviceId.Parse("DVC1"), [], DateTime.Now.AddDays(1), forIdentity);
+        return new Token(createdBy, DeviceId.Parse("DVC1"), [], DateTime.Now.AddDays(1), forIdentity, password);
     }
 }
diff --git a/Modules/Tokens/test/Tokens.Domain.Tests/Tests/TokenCanBeCollectedUsingPasswordTests.cs b/Modules/Tokens/test/Tokens.Domain.Tests/Tests/TokenCanBeCollectedUsingPasswordTests.cs
new file mode 100644
index 0000000000..4724ac39df
--- /dev/null
+++ b/Modules/Tokens/test/Tokens.Domain.Tests/Tests/TokenCanBeCollectedUsingPasswordTests.cs
@@ -0,0 +1,102 @@
+using Backbone.Modules.Tokens.Domain.Tests.TestHelpers;
+using Backbone.UnitTestTools.Data;
+using FluentAssertions;
+using Xunit;
+
+namespace Backbone.Modules.Tokens.Domain.Tests.Tests;
+
+public class TokenCanBeCollectedUsingPasswordTests
+{
+    [Fact]
+    public void Can_collect_without_a_password_when_no_password_is_defined()
+    {
+        // Arrange
+        var creator = TestDataGenerator.CreateRandomIdentityAddress();
+        var collector = TestDataGenerator.CreateRandomIdentityAddress();
+
+        var template = TestData.CreateToken(creator, null);
+
+        // Act
+        var result = template.CanBeCollectedUsingPassword(collector, null);
+
+        // Assert
+        result.Should().BeTrue();
+    }
+
+    [Fact]
+    public void Can_collect_with_a_password_when_no_password_is_defined()
+    {
+        // Arrange
+        var creator = TestDataGenerator.CreateRandomIdentityAddress();
+        var collector = TestDataGenerator.CreateRandomIdentityAddress();
+
+        var template = TestData.CreateToken(creator, null);
+
+        // Act
+        var result = template.CanBeCollectedUsingPassword(collector, [1]);
+
+        // Assert
+        result.Should().BeTrue();
+    }
+
+    [Fact]
+    public void Can_collect_with_correct_password()
+    {
+        // Arrange
+        var creator = TestDataGenerator.CreateRandomIdentityAddress();
+        var collector = TestDataGenerator.CreateRandomIdentityAddress();
+
+        var template = TestData.CreateToken(creator, null, password: [1]);
+
+        // Act
+        var result = template.CanBeCollectedUsingPassword(collector, [1]);
+
+        // Assert
+        result.Should().BeTrue();
+    }
+
+    [Fact]
+    public void Cannot_collect_with_incorrect_password()
+    {
+        // Arrange
+        var creator = TestDataGenerator.CreateRandomIdentityAddress();
+        var collector = TestDataGenerator.CreateRandomIdentityAddress();
+
+        var template = TestData.CreateToken(creator, null, password: [1]);
+
+        // Act
+        var result = template.CanBeCollectedUsingPassword(collector, [2]);
+
+        // Assert
+        result.Should().BeFalse();
+    }
+
+    [Fact]
+    public void Can_collect_as_owner_without_a_password()
+    {
+        // Arrange
+        var creator = TestDataGenerator.CreateRandomIdentityAddress();
+
+        var template = TestData.CreateToken(creator, null, password: [1]);
+
+        // Act
+        var result = template.CanBeCollectedUsingPassword(creator, null);
+
+        // Assert
+        result.Should().BeTrue();
+    }
+
+    [Fact]
+    public void Can_collect_as_anonymous_user_with_correct_password()
+    {
+        // Arrange
+        var creator = TestDataGenerator.CreateRandomIdentityAddress();
+        var template = TestData.CreateToken(creator, null, password: [1]);
+
+        // Act
+        var result = template.CanBeCollectedUsingPassword(null, [1]);
+
+        // Assert
+        result.Should().BeTrue();
+    }
+}
diff --git a/Sdks/ConsumerApi.Sdk/src/Endpoints/RelationshipTemplates/RelationshipTemplatesEndpoint.cs b/Sdks/ConsumerApi.Sdk/src/Endpoints/RelationshipTemplates/RelationshipTemplatesEndpoint.cs
index 1ba0415e10..88111406e7 100644
--- a/Sdks/ConsumerApi.Sdk/src/Endpoints/RelationshipTemplates/RelationshipTemplatesEndpoint.cs
+++ b/Sdks/ConsumerApi.Sdk/src/Endpoints/RelationshipTemplates/RelationshipTemplatesEndpoint.cs
@@ -9,7 +9,7 @@ namespace Backbone.ConsumerApi.Sdk.Endpoints.RelationshipTemplates;
 
 public class RelationshipTemplatesEndpoint(EndpointClient client) : ConsumerApiEndpoint(client)
 {
-    public async Task<ApiResponse<ListRelationshipTemplatesResponse>> ListTemplates(IEnumerable<RelationshipTemplateQueryItem> queryItems, PaginationFilter? pagination = null)
+    public async Task<ApiResponse<ListRelationshipTemplatesResponse>> ListTemplates(IEnumerable<ListRelationshipTemplatesQueryItem> queryItems, PaginationFilter? pagination = null)
     {
         return await _client
             .Request<ListRelationshipTemplatesResponse>(HttpMethod.Get, $"api/{API_VERSION}/RelationshipTemplates")
@@ -37,7 +37,7 @@ public async Task<ApiResponse<CreateRelationshipTemplateResponse>> CreateTemplat
 
 file static class RelationshipTemplateQueryExtensions
 {
-    public static string ToJson(this IEnumerable<RelationshipTemplateQueryItem> queryItems)
+    public static string ToJson(this IEnumerable<ListRelationshipTemplatesQueryItem> queryItems)
     {
         return JsonConvert.SerializeObject(queryItems, new JsonSerializerSettings { NullValueHandling = NullValueHandling.Ignore, Formatting = Formatting.None });
     }
diff --git a/Sdks/ConsumerApi.Sdk/src/Endpoints/RelationshipTemplates/Types/Requests/RelationshipTemplateQueryItem.cs b/Sdks/ConsumerApi.Sdk/src/Endpoints/RelationshipTemplates/Types/Requests/ListRelationshipTemplatesQueryItem.cs
similarity index 78%
rename from Sdks/ConsumerApi.Sdk/src/Endpoints/RelationshipTemplates/Types/Requests/RelationshipTemplateQueryItem.cs
rename to Sdks/ConsumerApi.Sdk/src/Endpoints/RelationshipTemplates/Types/Requests/ListRelationshipTemplatesQueryItem.cs
index 3f4482136c..caf23774fa 100644
--- a/Sdks/ConsumerApi.Sdk/src/Endpoints/RelationshipTemplates/Types/Requests/RelationshipTemplateQueryItem.cs
+++ b/Sdks/ConsumerApi.Sdk/src/Endpoints/RelationshipTemplates/Types/Requests/ListRelationshipTemplatesQueryItem.cs
@@ -1,6 +1,6 @@
 namespace Backbone.ConsumerApi.Sdk.Endpoints.RelationshipTemplates.Types.Requests;
 
-public class RelationshipTemplateQueryItem
+public class ListRelationshipTemplatesQueryItem
 {
     public required string Id { get; set; }
     public byte[]? Password { get; set; }
diff --git a/Sdks/ConsumerApi.Sdk/src/Endpoints/Tokens/TokensEndpoint.cs b/Sdks/ConsumerApi.Sdk/src/Endpoints/Tokens/TokensEndpoint.cs
index eb15a858bb..5e072cfc70 100644
--- a/Sdks/ConsumerApi.Sdk/src/Endpoints/Tokens/TokensEndpoint.cs
+++ b/Sdks/ConsumerApi.Sdk/src/Endpoints/Tokens/TokensEndpoint.cs
@@ -23,13 +23,13 @@ public async Task<ApiResponse<ListTokensResponse>> ListTokens(PaginationFilter?
         return await _client.Get<ListTokensResponse>($"api/{API_VERSION}/Tokens", null, pagination);
     }
 
-    public async Task<ApiResponse<ListTokensResponse>> ListTokens(IEnumerable<string> ids, PaginationFilter? pagination = null)
+    public async Task<ApiResponse<ListTokensResponse>> ListTokens(IEnumerable<ListTokensQueryItem> queryItems, PaginationFilter? pagination = null)
     {
         return await _client
             .Request<ListTokensResponse>(HttpMethod.Get, $"api/{API_VERSION}/Tokens")
             .Authenticate()
             .WithPagination(pagination)
-            .AddQueryParameter("ids", ids)
+            .AddQueryParameter("tokens", queryItems)
             .Execute();
     }
 
@@ -38,8 +38,18 @@ public async Task<ApiResponse<Token>> GetTokenUnauthenticated(string id)
         return await _client.GetUnauthenticated<Token>($"api/{API_VERSION}/Tokens/{id}");
     }
 
+    public async Task<ApiResponse<Token>> GetTokenUnauthenticated(string id, byte[] password)
+    {
+        return await _client.GetUnauthenticated<Token>($"api/{API_VERSION}/Tokens/{id}?password={Convert.ToBase64String(password)}");
+    }
+
     public async Task<ApiResponse<Token>> GetToken(string id)
     {
         return await _client.Get<Token>($"api/{API_VERSION}/Tokens/{id}");
     }
+
+    public async Task<ApiResponse<Token>> GetToken(string id, byte[] password)
+    {
+        return await _client.Get<Token>($"api/{API_VERSION}/Tokens/{id}?password={Convert.ToBase64String(password)}");
+    }
 }
diff --git a/Sdks/ConsumerApi.Sdk/src/Endpoints/Tokens/Types/Requests/CreateTokenRequest.cs b/Sdks/ConsumerApi.Sdk/src/Endpoints/Tokens/Types/Requests/CreateTokenRequest.cs
index 53b00f472f..a9c8495094 100644
--- a/Sdks/ConsumerApi.Sdk/src/Endpoints/Tokens/Types/Requests/CreateTokenRequest.cs
+++ b/Sdks/ConsumerApi.Sdk/src/Endpoints/Tokens/Types/Requests/CreateTokenRequest.cs
@@ -5,4 +5,5 @@ public class CreateTokenRequest
     public required byte[] Content { get; set; }
     public required DateTime ExpiresAt { get; set; }
     public string? ForIdentity { get; set; }
+    public byte[]? Password { get; set; }
 }
diff --git a/Sdks/ConsumerApi.Sdk/src/Endpoints/Tokens/Types/Requests/ListTokensQueryItem.cs b/Sdks/ConsumerApi.Sdk/src/Endpoints/Tokens/Types/Requests/ListTokensQueryItem.cs
new file mode 100644
index 0000000000..6e2dd95bb5
--- /dev/null
+++ b/Sdks/ConsumerApi.Sdk/src/Endpoints/Tokens/Types/Requests/ListTokensQueryItem.cs
@@ -0,0 +1,7 @@
+namespace Backbone.ConsumerApi.Sdk.Endpoints.Tokens.Types.Requests;
+
+public class ListTokensQueryItem
+{
+    public required string Id { get; set; }
+    public byte[]? Password { get; set; }
+}