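Users can only work on their own access tokens. Domain filter: [('user_id', '=', user.id)] (matches only token records whose user_id equals the current user's id). If this is an Odoo-style record rule, it does not restrict superuser/sudo() access, so confirm that token lookups do not run in that context.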