diff --git a/datasette/templates/create_token.html b/datasette/templates/create_token.html
index a39d6ecb..2be98d38 100644
--- a/datasette/templates/create_token.html
+++ b/datasette/templates/create_token.html
@@ -66,7 +66,7 @@
       <h2>All tables in "{{ database.name }}"</h2>
       <ul>
         {% for permission in database_permissions %}
-          <li><label><input type="checkbox" name="db:{{ database.encoded }}:{{ permission }}"> {{ permission }}</label></li>
+          <li><label><input type="checkbox" name="database:{{ database.encoded }}:{{ permission }}"> {{ permission }}</label></li>
         {% endfor %}
       </ul>
     {% endfor %}
diff --git a/tests/test_auth.py b/tests/test_auth.py
index 8d74b003..76b13c1e 100644
--- a/tests/test_auth.py
+++ b/tests/test_auth.py
@@ -115,44 +115,46 @@ def test_no_logout_button_in_navigation_if_no_ds_actor_cookie(app_client, path):
 
 
 @pytest.mark.parametrize(
-    "post_data,errors,expected_duration",
+    "post_data,errors,expected_duration,expected_r",
     (
-        ({"expire_type": ""}, [], None),
-        ({"expire_type": "x"}, ["Invalid expire duration"], None),
-        ({"expire_type": "minutes"}, ["Invalid expire duration"], None),
+        ({"expire_type": ""}, [], None, None),
+        ({"expire_type": "x"}, ["Invalid expire duration"], None, None),
+        ({"expire_type": "minutes"}, ["Invalid expire duration"], None, None),
         (
             {"expire_type": "minutes", "expire_duration": "x"},
             ["Invalid expire duration"],
             None,
+            None,
         ),
         (
             {"expire_type": "minutes", "expire_duration": "-1"},
             ["Invalid expire duration"],
             None,
+            None,
         ),
         (
             {"expire_type": "minutes", "expire_duration": "0"},
             ["Invalid expire duration"],
             None,
+            None,
         ),
+        ({"expire_type": "minutes", "expire_duration": "10"}, [], 600, None),
+        ({"expire_type": "hours", "expire_duration": "10"}, [], 10 * 60 * 60, None),
+        ({"expire_type": "days", "expire_duration": "3"}, [], 60 * 60 * 24 * 3, None),
+        # Token restrictions
+        ({"all:view-instance": "on"}, [], None, {"a": ["vi"]}),
+        ({"database:fixtures:view-query": "on"}, [], None, {"d": {"fixtures": ["vq"]}}),
         (
-            {"expire_type": "minutes", "expire_duration": "10"},
+            {"resource:fixtures:facetable:insert-row": "on"},
             [],
-            600,
-        ),
-        (
-            {"expire_type": "hours", "expire_duration": "10"},
-            [],
-            10 * 60 * 60,
-        ),
-        (
-            {"expire_type": "days", "expire_duration": "3"},
-            [],
-            60 * 60 * 24 * 3,
+            None,
+            {"r": {"fixtures": {"facetable": ["ir"]}}},
         ),
     ),
 )
-def test_auth_create_token(app_client, post_data, errors, expected_duration):
+def test_auth_create_token(
+    app_client, post_data, errors, expected_duration, expected_r
+):
     assert app_client.get("/-/create-token").status == 403
     ds_actor = app_client.actor_cookie({"id": "test"})
     response = app_client.get("/-/create-token", cookies={"ds_actor": ds_actor})
@@ -173,6 +175,9 @@ def test_auth_create_token(app_client, post_data, errors, expected_duration):
         # Extract token from page
         token = response2.text.split('value="dstok_')[1].split('"')[0]
         details = app_client.ds.unsign(token, "token")
+        if expected_r:
+            r = details.pop("_r")
+            assert r == expected_r
         assert details.keys() == {"a", "t", "d"} or details.keys() == {"a", "t"}
         assert details["a"] == "test"
         if expected_duration is None: