diff --git a/scm-core/src/main/java/sonia/scm/security/AccessToken.java b/scm-core/src/main/java/sonia/scm/security/AccessToken.java
index c2a5f4b747..ac7700b030 100644
--- a/scm-core/src/main/java/sonia/scm/security/AccessToken.java
+++ b/scm-core/src/main/java/sonia/scm/security/AccessToken.java
@@ -80,8 +80,20 @@ public interface AccessToken {
    */
   Date getExpiration();
 
+  /**
+   * Returns refresh expiration of token.
+   *
+   * @return refresh expiration
+   */
   Optional<Date> getRefreshExpiration();
 
+  /**
+   * Returns id of the parent key.
+   *
+   * @return parent key id
+   */
+  Optional<String> getParentKey();
+
   /**
    * Returns the scope of the token. The scope is able to reduce the permissions of the subject in the context of this
    * token. For example we could issue a token which can only be used to read a single repository. for more informations
diff --git a/scm-webapp/src/main/java/sonia/scm/security/JwtAccessToken.java b/scm-webapp/src/main/java/sonia/scm/security/JwtAccessToken.java
index 8fb5929188..4418cb40a8 100644
--- a/scm-webapp/src/main/java/sonia/scm/security/JwtAccessToken.java
+++ b/scm-webapp/src/main/java/sonia/scm/security/JwtAccessToken.java
@@ -87,6 +87,7 @@ public final class JwtAccessToken implements AccessToken {
     return ofNullable(claims.get(REFRESHABLE_UNTIL_CLAIM_KEY, Date.class));
   }
 
+  @Override
   public Optional<String> getParentKey() {
     return ofNullable(claims.get(PARENT_TOKEN_ID_CLAIM_KEY).toString());
   }