diff --git a/.idea/dataSources/74bcf3ef-a2b9-435b-b9e5-f32902a33b25.xml b/.idea/dataSources/74bcf3ef-a2b9-435b-b9e5-f32902a33b25.xml
index 548fa8f..fe94dab 100644
--- a/.idea/dataSources/74bcf3ef-a2b9-435b-b9e5-f32902a33b25.xml
+++ b/.idea/dataSources/74bcf3ef-a2b9-435b-b9e5-f32902a33b25.xml
@@ -838,50 +838,50 @@ false Zulu
       <Replication>1</Replication>
       <SuperRole>1</SuperRole>
     </role>
-    <role id="8" parent="1" name="pg_checkpoint">
-      <ObjectId>4544</ObjectId>
-    </role>
-    <role id="9" parent="1" name="pg_create_subscription">
-      <ObjectId>6304</ObjectId>
-    </role>
-    <role id="10" parent="1" name="pg_database_owner">
+    <role id="8" parent="1" name="pg_database_owner">
       <ObjectId>6171</ObjectId>
     </role>
-    <role id="11" parent="1" name="pg_execute_server_program">
-      <ObjectId>4571</ObjectId>
+    <role id="9" parent="1" name="pg_read_all_data">
+      <ObjectId>6181</ObjectId>
     </role>
-    <role id="12" parent="1" name="pg_monitor">
+    <role id="10" parent="1" name="pg_write_all_data">
+      <ObjectId>6182</ObjectId>
+    </role>
+    <role id="11" parent="1" name="pg_monitor">
       <ObjectId>3373</ObjectId>
       <RoleGrants>3374
 3375
 3377</RoleGrants>
     </role>
-    <role id="13" parent="1" name="pg_read_all_data">
-      <ObjectId>6181</ObjectId>
-    </role>
-    <role id="14" parent="1" name="pg_read_all_settings">
+    <role id="12" parent="1" name="pg_read_all_settings">
       <ObjectId>3374</ObjectId>
     </role>
-    <role id="15" parent="1" name="pg_read_all_stats">
+    <role id="13" parent="1" name="pg_read_all_stats">
       <ObjectId>3375</ObjectId>
     </role>
-    <role id="16" parent="1" name="pg_read_server_files">
-      <ObjectId>4569</ObjectId>
-    </role>
-    <role id="17" parent="1" name="pg_signal_backend">
-      <ObjectId>4200</ObjectId>
-    </role>
-    <role id="18" parent="1" name="pg_stat_scan_tables">
+    <role id="14" parent="1" name="pg_stat_scan_tables">
       <ObjectId>3377</ObjectId>
     </role>
-    <role id="19" parent="1" name="pg_use_reserved_connections">
+    <role id="15" parent="1" name="pg_read_server_files">
+      <ObjectId>4569</ObjectId>
+    </role>
+    <role id="16" parent="1" name="pg_write_server_files">
+      <ObjectId>4570</ObjectId>
+    </role>
+    <role id="17" parent="1" name="pg_execute_server_program">
+      <ObjectId>4571</ObjectId>
+    </role>
+    <role id="18" parent="1" name="pg_signal_backend">
+      <ObjectId>4200</ObjectId>
+    </role>
+    <role id="19" parent="1" name="pg_checkpoint">
+      <ObjectId>4544</ObjectId>
+    </role>
+    <role id="20" parent="1" name="pg_use_reserved_connections">
       <ObjectId>4550</ObjectId>
     </role>
-    <role id="20" parent="1" name="pg_write_all_data">
-      <ObjectId>6182</ObjectId>
-    </role>
-    <role id="21" parent="1" name="pg_write_server_files">
-      <ObjectId>4570</ObjectId>
+    <role id="21" parent="1" name="pg_create_subscription">
+      <ObjectId>6304</ObjectId>
     </role>
     <role id="22" parent="1" name="postgres">
       <CanLogin>1</CanLogin>
diff --git a/.idea/workspace.xml b/.idea/workspace.xml
index 54c3c1d..076fae6 100644
--- a/.idea/workspace.xml
+++ b/.idea/workspace.xml
@@ -4,13 +4,10 @@
     <option name="autoReloadType" value="ALL" />
   </component>
   <component name="ChangeListManager">
-    <list default="true" id="3fefb2c4-b6f9-466b-a523-53352e8d6f95" name="更改" comment=":sparkles: Bug fixes of permission check">
+    <list default="true" id="3fefb2c4-b6f9-466b-a523-53352e8d6f95" name="更改" comment=":sparkles: Check permissions GRPC method">
+      <change beforePath="$PROJECT_DIR$/.idea/dataSources/74bcf3ef-a2b9-435b-b9e5-f32902a33b25.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/dataSources/74bcf3ef-a2b9-435b-b9e5-f32902a33b25.xml" afterDir="false" />
       <change beforePath="$PROJECT_DIR$/.idea/workspace.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/workspace.xml" afterDir="false" />
       <change beforePath="$PROJECT_DIR$/pkg/grpc/auth.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/grpc/auth.go" afterDir="false" />
-      <change beforePath="$PROJECT_DIR$/pkg/grpc/proto/auth.pb.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/grpc/proto/auth.pb.go" afterDir="false" />
-      <change beforePath="$PROJECT_DIR$/pkg/grpc/proto/auth.proto" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/grpc/proto/auth.proto" afterDir="false" />
-      <change beforePath="$PROJECT_DIR$/pkg/grpc/proto/auth_grpc.pb.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/grpc/proto/auth_grpc.pb.go" afterDir="false" />
-      <change beforePath="$PROJECT_DIR$/pkg/server/auth_middleware.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/server/auth_middleware.go" afterDir="false" />
       <change beforePath="$PROJECT_DIR$/pkg/services/auth.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/services/auth.go" afterDir="false" />
     </list>
     <option name="SHOW_DIALOG" value="false" />
@@ -49,7 +46,7 @@
   <component name="PropertiesComponent"><![CDATA[{
   "keyToString": {
     "DefaultGoTemplateProperty": "Go File",
-    "Go 构建.Backend.executor": "Run",
+    "Go 构建.Backend.executor": "Debug",
     "RunOnceActivity.ShowReadmeOnStart": "true",
     "RunOnceActivity.go.formatter.settings.were.checked": "true",
     "RunOnceActivity.go.migrated.go.modules.settings": "true",
@@ -144,7 +141,6 @@
     </option>
   </component>
   <component name="VcsManagerConfiguration">
-    <MESSAGE value=":truck: Update well known" />
     <MESSAGE value=":sparkles: Others userinfo" />
     <MESSAGE value=":lipstick: Fix ui design" />
     <MESSAGE value=":bug: Bug fixes of design" />
@@ -169,7 +165,8 @@
     <MESSAGE value=":sparkles: Permission check" />
     <MESSAGE value=":zap: In memory auth context cache" />
     <MESSAGE value=":sparkles: Bug fixes of permission check" />
-    <option name="LAST_COMMIT_MESSAGE" value=":sparkles: Bug fixes of permission check" />
+    <MESSAGE value=":sparkles: Check permissions GRPC method" />
+    <option name="LAST_COMMIT_MESSAGE" value=":sparkles: Check permissions GRPC method" />
   </component>
   <component name="VgoProject">
     <settings-migrated>true</settings-migrated>
diff --git a/pkg/grpc/auth.go b/pkg/grpc/auth.go
index ad8e536..f570141 100644
--- a/pkg/grpc/auth.go
+++ b/pkg/grpc/auth.go
@@ -48,9 +48,13 @@ func (v *Server) CheckPerm(_ context.Context, in *proto.CheckPermRequest) (*prot
 		return nil, err
 	}
 
+	var heldPerms map[string]any
+	rawHeldPerms, _ := jsoniter.Marshal(ctx.Account.PermNodes)
+	_ = jsoniter.Unmarshal(rawHeldPerms, &heldPerms)
+
 	var value any
 	_ = jsoniter.Unmarshal(in.GetValue(), &value)
-	perms := services.FilterPermNodes(ctx.Account.PermNodes, ctx.Ticket.Claims)
+	perms := services.FilterPermNodes(heldPerms, ctx.Ticket.Claims)
 	valid := services.HasPermNode(perms, in.GetKey(), value)
 
 	return &proto.CheckPermReply{
diff --git a/pkg/services/auth.go b/pkg/services/auth.go
index 0e1141b..f85967b 100644
--- a/pkg/services/auth.go
+++ b/pkg/services/auth.go
@@ -2,6 +2,7 @@ package services
 
 import (
 	"fmt"
+	jsoniter "github.com/json-iterator/go"
 	"time"
 
 	"git.solsynth.dev/hydrogen/passport/pkg/models"
@@ -30,7 +31,11 @@ func Authenticate(access, refresh string, depth int) (ctx models.AuthContext, pe
 	newRefresh = refresh
 
 	if ctx, err = GetAuthContext(claims.ID); err == nil {
-		perms = FilterPermNodes(ctx.Account.PermNodes, ctx.Ticket.Claims)
+		var heldPerms map[string]any
+		rawHeldPerms, _ := jsoniter.Marshal(ctx.Account.PermNodes)
+		_ = jsoniter.Unmarshal(rawHeldPerms, &heldPerms)
+
+		perms = FilterPermNodes(heldPerms, ctx.Ticket.Claims)
 		return
 	}
 
