diff --git a/client/tests/integration/smartcontracts/executor_with_custom_token/src/lib.rs b/client/tests/integration/smartcontracts/executor_with_custom_token/src/lib.rs
index 512ff5894b5..e4c24d0503d 100644
--- a/client/tests/integration/smartcontracts/executor_with_custom_token/src/lib.rs
+++ b/client/tests/integration/smartcontracts/executor_with_custom_token/src/lib.rs
@@ -3,9 +3,9 @@
 //!
 //! This executor should be applied on top of the blockchain with default validation.
 //!
-//! It also doesn't have [`iroha_executor::default::domain::tokens::CanUnregisterDomain`].
+//! It also doesn't have [`iroha_executor::default::tokens::domain::CanUnregisterDomain`].
 //!
-//! In migration it replaces [`iroha_executor::default::domain::tokens::CanUnregisterDomain`]
+//! In migration it replaces [`iroha_executor::default::tokens::domain::CanUnregisterDomain`]
 //! with [`token::CanControlDomainLives`] for all accounts.
 //! So it doesn't matter which domain user was able to unregister before migration, they will
 //! get access to control all domains. Remember that this is just a test example.
@@ -108,7 +108,7 @@ impl Executor {
                 })?;
 
                 if let Ok(can_unregister_domain_token) =
-                    iroha_executor::default::domain::tokens::CanUnregisterDomain::try_from(token)
+                    iroha_executor::default::tokens::domain::CanUnregisterDomain::try_from(token)
                 {
                     found_accounts.push((account, can_unregister_domain_token.domain_id));
                     break;
@@ -121,7 +121,7 @@ impl Executor {
 
     fn replace_token(accounts: &[(Account, DomainId)]) -> MigrationResult {
         let can_unregister_domain_definition_id = PermissionTokenId::try_from(
-            iroha_executor::default::domain::tokens::CanUnregisterDomain::type_name(),
+            iroha_executor::default::tokens::domain::CanUnregisterDomain::type_name(),
         )
         .unwrap();
 
@@ -304,7 +304,7 @@ pub fn migrate(_block_height: u64) -> MigrationResult {
     let accounts = Executor::get_all_accounts_with_can_unregister_domain_permission()?;
 
     let mut schema = default_permission_token_schema();
-    schema.remove::<iroha_executor::default::domain::tokens::CanUnregisterDomain>();
+    schema.remove::<iroha_executor::default::tokens::domain::CanUnregisterDomain>();
     schema.insert::<token::CanControlDomainLives>();
 
     let (token_ids, schema_str) = schema.serialize();
diff --git a/configs/peer/executor.wasm b/configs/peer/executor.wasm
index 0fd50270443..91864b0ee31 100644
Binary files a/configs/peer/executor.wasm and b/configs/peer/executor.wasm differ
diff --git a/smart_contract/executor/src/default.rs b/smart_contract/executor/src/default.rs
index c9661089997..38327a7bb11 100644
--- a/smart_contract/executor/src/default.rs
+++ b/smart_contract/executor/src/default.rs
@@ -1,7 +1,9 @@
 //! Definition of Iroha default executor and accompanying validation functions
 #![allow(missing_docs, clippy::missing_errors_doc)]
 
-use alloc::{borrow::ToOwned, format, string::String};
+pub mod tokens;
+
+use alloc::format;
 
 pub use account::{
     visit_burn_account_public_key, visit_mint_account_public_key,
@@ -21,6 +23,7 @@ pub use domain::{
     visit_unregister_domain,
 };
 pub use executor::visit_upgrade_executor;
+use iroha_smart_contract::debug::DebugExpectExt as _;
 pub use parameter::{visit_new_parameter, visit_set_parameter};
 pub use peer::visit_unregister_peer;
 pub use permission_token::{visit_grant_account_permission, visit_revoke_account_permission};
@@ -38,7 +41,7 @@ macro_rules! evaluate_expr {
     ($visitor:ident, $authority:ident, <$isi:ident as $isi_type:ty>::$field:ident()) => {{
         $visitor.visit_expression($authority, $isi.$field());
 
-        $visitor.evaluate($isi.$field()).expect(&alloc::format!(
+        $visitor.evaluate($isi.$field()).dbg_expect(&alloc::format!(
             "Failed to evaluate field '{}::{}'",
             stringify!($isi_type),
             stringify!($field),
@@ -46,40 +49,6 @@ macro_rules! evaluate_expr {
     }};
 }
 
-/// Apply `callback` macro for all token types from this crate.
-///
-/// Callback technique is used because of macro expansion order. With that technique we can
-/// apply callback to token types declared in other modules.
-///
-/// # WARNING !!!
-///
-/// If you add new module with tokens don't forget to add it here!
-macro_rules! map_all_crate_tokens {
-    ($callback:ident) => {
-        $crate::default::account::map_tokens!($callback);
-        $crate::default::asset::map_tokens!($callback);
-        $crate::default::asset_definition::map_tokens!($callback);
-        $crate::default::domain::map_tokens!($callback);
-        $crate::default::parameter::map_tokens!($callback);
-        $crate::default::peer::map_tokens!($callback);
-        $crate::default::role::map_tokens!($callback);
-        $crate::default::trigger::map_tokens!($callback);
-        $crate::default::executor::map_tokens!($callback);
-    };
-}
-
-macro_rules! token {
-    ($($meta:meta)* $item:item) => {
-        #[derive(PartialEq, Eq, serde::Serialize, serde::Deserialize)]
-        #[derive(iroha_schema::IntoSchema)]
-        #[derive(Clone, Token)]
-        $($meta)*
-        $item
-    };
-}
-
-pub(crate) use map_all_crate_tokens;
-
 pub fn default_permission_token_schema() -> PermissionTokenSchema {
     let mut schema = iroha_executor::PermissionTokenSchema::default();
 
@@ -89,7 +58,7 @@ pub fn default_permission_token_schema() -> PermissionTokenSchema {
         };
     }
 
-    iroha_executor::default::map_all_crate_tokens!(add_to_schema);
+    tokens::map_token_type!(add_to_schema);
 
     schema
 }
@@ -324,20 +293,6 @@ pub fn visit_sequence<V: Validate + ?Sized>(
 pub mod peer {
     use super::*;
 
-    declare_tokens! {
-        crate::default::peer::tokens::CanUnregisterAnyPeer,
-    }
-
-    pub mod tokens {
-        use super::*;
-
-        token! {
-            #[derive(Copy, ValidateGrantRevoke)]
-            #[validate(permission::OnlyGenesis)]
-            pub struct CanUnregisterAnyPeer;
-        }
-    }
-
     #[allow(clippy::needless_pass_by_value)]
     pub fn visit_unregister_peer<V: Validate + ?Sized>(
         executor: &mut V,
@@ -347,7 +302,7 @@ pub mod peer {
         if is_genesis(executor) {
             pass!(executor);
         }
-        if tokens::CanUnregisterAnyPeer.is_owned_by(authority) {
+        if tokens::peer::CanUnregisterAnyPeer.is_owned_by(authority) {
             pass!(executor);
         }
 
@@ -360,41 +315,6 @@ pub mod domain {
 
     use super::*;
 
-    declare_tokens! {
-        crate::default::domain::tokens::CanUnregisterDomain,
-        crate::default::domain::tokens::CanSetKeyValueInDomain,
-        crate::default::domain::tokens::CanRemoveKeyValueInDomain,
-    }
-
-    pub mod tokens {
-        // TODO: We probably need a better way to allow accounts to modify domains.
-        use super::*;
-
-        token! {
-            #[derive(ValidateGrantRevoke, permission::derive_conversions::domain::Owner)]
-            #[validate(permission::domain::Owner)]
-            pub struct CanUnregisterDomain {
-                pub domain_id: DomainId,
-            }
-        }
-
-        token! {
-            #[derive(ValidateGrantRevoke, permission::derive_conversions::domain::Owner)]
-            #[validate(permission::domain::Owner)]
-            pub struct CanSetKeyValueInDomain {
-                pub domain_id: DomainId,
-            }
-        }
-
-        token! {
-            #[derive(ValidateGrantRevoke, permission::derive_conversions::domain::Owner)]
-            #[validate(permission::domain::Owner)]
-            pub struct CanRemoveKeyValueInDomain {
-                pub domain_id: DomainId,
-            }
-        }
-    }
-
     pub fn visit_unregister_domain<V: Validate + ?Sized>(
         executor: &mut V,
         authority: &AccountId,
@@ -410,7 +330,7 @@ pub mod domain {
             Ok(true) => pass!(executor),
             Ok(false) => {}
         }
-        let can_unregister_domain_token = tokens::CanUnregisterDomain { domain_id };
+        let can_unregister_domain_token = tokens::domain::CanUnregisterDomain { domain_id };
         if can_unregister_domain_token.is_owned_by(authority) {
             pass!(executor);
         }
@@ -452,7 +372,8 @@ pub mod domain {
             Ok(true) => pass!(executor),
             Ok(false) => {}
         }
-        let can_set_key_value_in_domain_token = tokens::CanSetKeyValueInDomain { domain_id };
+        let can_set_key_value_in_domain_token =
+            tokens::domain::CanSetKeyValueInDomain { domain_id };
         if can_set_key_value_in_domain_token.is_owned_by(authority) {
             pass!(executor);
         }
@@ -475,7 +396,8 @@ pub mod domain {
             Ok(true) => pass!(executor),
             Ok(false) => {}
         }
-        let can_remove_key_value_in_domain_token = tokens::CanRemoveKeyValueInDomain { domain_id };
+        let can_remove_key_value_in_domain_token =
+            tokens::domain::CanRemoveKeyValueInDomain { domain_id };
         if can_remove_key_value_in_domain_token.is_owned_by(authority) {
             pass!(executor);
         }
@@ -489,62 +411,6 @@ pub mod account {
 
     use super::*;
 
-    declare_tokens! {
-        crate::default::account::tokens::CanUnregisterAccount,
-        crate::default::account::tokens::CanMintUserPublicKeys,
-        crate::default::account::tokens::CanBurnUserPublicKeys,
-        crate::default::account::tokens::CanMintUserSignatureCheckConditions,
-        crate::default::account::tokens::CanSetKeyValueInUserAccount,
-        crate::default::account::tokens::CanRemoveKeyValueInUserAccount,
-    }
-
-    pub mod tokens {
-        use super::*;
-
-        token! {
-            #[derive(ValidateGrantRevoke, permission::derive_conversions::account::Owner)]
-            #[validate(permission::account::Owner)]
-            pub struct CanUnregisterAccount {
-                pub account_id: AccountId,
-            }
-        }
-        token! {
-            #[derive(ValidateGrantRevoke, permission::derive_conversions::account::Owner)]
-            #[validate(permission::account::Owner)]
-            pub struct CanMintUserPublicKeys {
-                pub account_id: AccountId,
-            }
-        }
-        token! {
-            #[derive(ValidateGrantRevoke, permission::derive_conversions::account::Owner)]
-            #[validate(permission::account::Owner)]
-            pub struct CanBurnUserPublicKeys {
-                pub account_id: AccountId,
-            }
-        }
-        token! {
-            #[derive(ValidateGrantRevoke, permission::derive_conversions::account::Owner)]
-            #[validate(permission::account::Owner)]
-            pub struct CanMintUserSignatureCheckConditions {
-                pub account_id: AccountId,
-            }
-        }
-        token! {
-            #[derive(ValidateGrantRevoke, permission::derive_conversions::account::Owner)]
-            #[validate(permission::account::Owner)]
-            pub struct CanSetKeyValueInUserAccount {
-                pub account_id: AccountId,
-            }
-        }
-        token! {
-            #[derive(ValidateGrantRevoke, permission::derive_conversions::account::Owner)]
-            #[validate(permission::account::Owner)]
-            pub struct CanRemoveKeyValueInUserAccount {
-                pub account_id: AccountId,
-            }
-        }
-    }
-
     pub fn visit_unregister_account<V: Validate + ?Sized>(
         executor: &mut V,
         authority: &AccountId,
@@ -560,7 +426,7 @@ pub mod account {
             Ok(true) => pass!(executor),
             Ok(false) => {}
         }
-        let can_unregister_user_account = tokens::CanUnregisterAccount { account_id };
+        let can_unregister_user_account = tokens::account::CanUnregisterAccount { account_id };
         if can_unregister_user_account.is_owned_by(authority) {
             pass!(executor);
         }
@@ -583,7 +449,7 @@ pub mod account {
             Ok(true) => pass!(executor),
             Ok(false) => {}
         }
-        let can_mint_user_public_keys = tokens::CanMintUserPublicKeys { account_id };
+        let can_mint_user_public_keys = tokens::account::CanMintUserPublicKeys { account_id };
         if can_mint_user_public_keys.is_owned_by(authority) {
             pass!(executor);
         }
@@ -606,7 +472,7 @@ pub mod account {
             Ok(true) => pass!(executor),
             Ok(false) => {}
         }
-        let can_burn_user_public_keys = tokens::CanBurnUserPublicKeys { account_id };
+        let can_burn_user_public_keys = tokens::account::CanBurnUserPublicKeys { account_id };
         if can_burn_user_public_keys.is_owned_by(authority) {
             pass!(executor);
         }
@@ -630,7 +496,7 @@ pub mod account {
             Ok(false) => {}
         }
         let can_mint_user_signature_check_conditions_token =
-            tokens::CanMintUserSignatureCheckConditions { account_id };
+            tokens::account::CanMintUserSignatureCheckConditions { account_id };
         if can_mint_user_signature_check_conditions_token.is_owned_by(authority) {
             pass!(executor);
         }
@@ -657,7 +523,7 @@ pub mod account {
             Ok(false) => {}
         }
         let can_set_key_value_in_user_account_token =
-            tokens::CanSetKeyValueInUserAccount { account_id };
+            tokens::account::CanSetKeyValueInUserAccount { account_id };
         if can_set_key_value_in_user_account_token.is_owned_by(authority) {
             pass!(executor);
         }
@@ -684,7 +550,7 @@ pub mod account {
             Ok(false) => {}
         }
         let can_remove_key_value_in_user_account_token =
-            tokens::CanRemoveKeyValueInUserAccount { account_id };
+            tokens::account::CanRemoveKeyValueInUserAccount { account_id };
         if can_remove_key_value_in_user_account_token.is_owned_by(authority) {
             pass!(executor);
         }
@@ -701,40 +567,6 @@ pub mod asset_definition {
 
     use super::*;
 
-    declare_tokens! {
-        crate::default::asset_definition::tokens::CanUnregisterAssetDefinition,
-        crate::default::asset_definition::tokens::CanSetKeyValueInAssetDefinition,
-        crate::default::asset_definition::tokens::CanRemoveKeyValueInAssetDefinition,
-    }
-
-    pub mod tokens {
-        use super::*;
-
-        token! {
-            #[derive(ValidateGrantRevoke, permission::derive_conversions::asset_definition::Owner)]
-            #[validate(permission::asset_definition::Owner)]
-            pub struct CanUnregisterAssetDefinition {
-                pub asset_definition_id: AssetDefinitionId,
-            }
-        }
-
-        token! {
-            #[derive(ValidateGrantRevoke, permission::derive_conversions::asset_definition::Owner)]
-            #[validate(permission::asset_definition::Owner)]
-            pub struct CanSetKeyValueInAssetDefinition {
-                pub asset_definition_id: AssetDefinitionId,
-            }
-        }
-
-        token! {
-            #[derive(ValidateGrantRevoke, permission::derive_conversions::asset_definition::Owner)]
-            #[validate(permission::asset_definition::Owner)]
-            pub struct CanRemoveKeyValueInAssetDefinition {
-                pub asset_definition_id: AssetDefinitionId,
-            }
-        }
-    }
-
     pub fn visit_unregister_asset_definition<V: Validate + ?Sized>(
         executor: &mut V,
         authority: &AccountId,
@@ -750,9 +582,10 @@ pub mod asset_definition {
             Ok(true) => pass!(executor),
             Ok(false) => {}
         }
-        let can_unregister_asset_definition_token = tokens::CanUnregisterAssetDefinition {
-            asset_definition_id,
-        };
+        let can_unregister_asset_definition_token =
+            tokens::asset_definition::CanUnregisterAssetDefinition {
+                asset_definition_id,
+            };
         if can_unregister_asset_definition_token.is_owned_by(authority) {
             pass!(executor);
         }
@@ -806,9 +639,10 @@ pub mod asset_definition {
             Ok(true) => pass!(executor),
             Ok(false) => {}
         }
-        let can_set_key_value_in_asset_definition_token = tokens::CanSetKeyValueInAssetDefinition {
-            asset_definition_id,
-        };
+        let can_set_key_value_in_asset_definition_token =
+            tokens::asset_definition::CanSetKeyValueInAssetDefinition {
+                asset_definition_id,
+            };
         if can_set_key_value_in_asset_definition_token.is_owned_by(authority) {
             pass!(executor);
         }
@@ -835,7 +669,7 @@ pub mod asset_definition {
             Ok(false) => {}
         }
         let can_remove_key_value_in_asset_definition_token =
-            tokens::CanRemoveKeyValueInAssetDefinition {
+            tokens::asset_definition::CanRemoveKeyValueInAssetDefinition {
                 asset_definition_id,
             };
         if can_remove_key_value_in_asset_definition_token.is_owned_by(authority) {
@@ -854,103 +688,6 @@ pub mod asset {
 
     use super::*;
 
-    declare_tokens! {
-        crate::default::asset::tokens::CanRegisterAssetsWithDefinition,
-        crate::default::asset::tokens::CanUnregisterAssetsWithDefinition,
-        crate::default::asset::tokens::CanUnregisterUserAsset,
-        crate::default::asset::tokens::CanBurnAssetsWithDefinition,
-        crate::default::asset::tokens::CanBurnUserAsset,
-        crate::default::asset::tokens::CanMintAssetsWithDefinition,
-        crate::default::asset::tokens::CanTransferAssetsWithDefinition,
-        crate::default::asset::tokens::CanTransferUserAsset,
-        crate::default::asset::tokens::CanSetKeyValueInUserAsset,
-        crate::default::asset::tokens::CanRemoveKeyValueInUserAsset,
-    }
-
-    pub mod tokens {
-        use super::*;
-
-        token! {
-            #[derive(ValidateGrantRevoke, permission::derive_conversions::asset_definition::Owner)]
-            #[validate(permission::asset_definition::Owner)]
-            pub struct CanRegisterAssetsWithDefinition {
-                pub asset_definition_id: AssetDefinitionId,
-            }
-        }
-
-        token! {
-            #[derive(ValidateGrantRevoke, permission::derive_conversions::asset_definition::Owner)]
-            #[validate(permission::asset_definition::Owner)]
-            pub struct CanUnregisterAssetsWithDefinition {
-                pub asset_definition_id: AssetDefinitionId,
-            }
-        }
-
-        token! {
-            #[derive(ValidateGrantRevoke, permission::derive_conversions::asset::Owner)]
-            #[validate(permission::asset::Owner)]
-            pub struct CanUnregisterUserAsset {
-                pub asset_id: AssetId,
-            }
-        }
-
-        token! {
-            #[derive(ValidateGrantRevoke, permission::derive_conversions::asset_definition::Owner)]
-            #[validate(permission::asset_definition::Owner)]
-            pub struct CanBurnAssetsWithDefinition {
-                pub asset_definition_id: AssetDefinitionId,
-            }
-        }
-
-        token! {
-            #[derive(ValidateGrantRevoke, permission::derive_conversions::asset::Owner)]
-            #[validate(permission::asset::Owner)]
-            pub struct CanBurnUserAsset {
-                pub asset_id: AssetId,
-            }
-        }
-
-        token! {
-            #[derive(ValidateGrantRevoke, permission::derive_conversions::asset_definition::Owner)]
-            #[validate(permission::asset_definition::Owner)]
-            pub struct CanMintAssetsWithDefinition {
-                pub asset_definition_id: AssetDefinitionId,
-            }
-        }
-
-        token! {
-            #[derive(ValidateGrantRevoke, permission::derive_conversions::asset_definition::Owner)]
-            #[validate(permission::asset_definition::Owner)]
-            pub struct CanTransferAssetsWithDefinition {
-                pub asset_definition_id: AssetDefinitionId,
-            }
-        }
-
-        token! {
-            #[derive(ValidateGrantRevoke, permission::derive_conversions::asset::Owner)]
-            #[validate(permission::asset::Owner)]
-            pub struct CanTransferUserAsset {
-                pub asset_id: AssetId,
-            }
-        }
-
-        token! {
-            #[derive(ValidateGrantRevoke, permission::derive_conversions::asset::Owner)]
-            #[validate(permission::asset::Owner)]
-            pub struct CanSetKeyValueInUserAsset {
-                pub asset_id: AssetId,
-            }
-        }
-
-        token! {
-            #[derive(ValidateGrantRevoke, permission::derive_conversions::asset::Owner)]
-            #[validate(permission::asset::Owner)]
-            pub struct CanRemoveKeyValueInUserAsset {
-                pub asset_id: AssetId,
-            }
-        }
-    }
-
     pub fn visit_register_asset<V: Validate + ?Sized>(
         executor: &mut V,
         authority: &AccountId,
@@ -966,9 +703,10 @@ pub mod asset {
             Ok(true) => pass!(executor),
             Ok(false) => {}
         }
-        let can_register_assets_with_definition_token = tokens::CanRegisterAssetsWithDefinition {
-            asset_definition_id: asset.id().definition_id().clone(),
-        };
+        let can_register_assets_with_definition_token =
+            tokens::asset::CanRegisterAssetsWithDefinition {
+                asset_definition_id: asset.id().definition_id().clone(),
+            };
         if can_register_assets_with_definition_token.is_owned_by(authority) {
             pass!(executor);
         }
@@ -1000,13 +738,13 @@ pub mod asset {
             Ok(false) => {}
         }
         let can_unregister_assets_with_definition_token =
-            tokens::CanUnregisterAssetsWithDefinition {
+            tokens::asset::CanUnregisterAssetsWithDefinition {
                 asset_definition_id: asset_id.definition_id().clone(),
             };
         if can_unregister_assets_with_definition_token.is_owned_by(authority) {
             pass!(executor);
         }
-        let can_unregister_user_asset_token = tokens::CanUnregisterUserAsset { asset_id };
+        let can_unregister_user_asset_token = tokens::asset::CanUnregisterUserAsset { asset_id };
         if can_unregister_user_asset_token.is_owned_by(authority) {
             pass!(executor);
         }
@@ -1029,7 +767,7 @@ pub mod asset {
             Ok(true) => pass!(executor),
             Ok(false) => {}
         }
-        let can_mint_assets_with_definition_token = tokens::CanMintAssetsWithDefinition {
+        let can_mint_assets_with_definition_token = tokens::asset::CanMintAssetsWithDefinition {
             asset_definition_id: asset_id.definition_id().clone(),
         };
         if can_mint_assets_with_definition_token.is_owned_by(authority) {
@@ -1062,13 +800,13 @@ pub mod asset {
             Ok(true) => pass!(executor),
             Ok(false) => {}
         }
-        let can_burn_assets_with_definition_token = tokens::CanBurnAssetsWithDefinition {
+        let can_burn_assets_with_definition_token = tokens::asset::CanBurnAssetsWithDefinition {
             asset_definition_id: asset_id.definition_id().clone(),
         };
         if can_burn_assets_with_definition_token.is_owned_by(authority) {
             pass!(executor);
         }
-        let can_burn_user_asset_token = tokens::CanBurnUserAsset { asset_id };
+        let can_burn_user_asset_token = tokens::asset::CanBurnUserAsset { asset_id };
         if can_burn_user_asset_token.is_owned_by(authority) {
             pass!(executor);
         }
@@ -1096,13 +834,14 @@ pub mod asset {
             Ok(true) => pass!(executor),
             Ok(false) => {}
         }
-        let can_transfer_assets_with_definition_token = tokens::CanTransferAssetsWithDefinition {
-            asset_definition_id: asset_id.definition_id().clone(),
-        };
+        let can_transfer_assets_with_definition_token =
+            tokens::asset::CanTransferAssetsWithDefinition {
+                asset_definition_id: asset_id.definition_id().clone(),
+            };
         if can_transfer_assets_with_definition_token.is_owned_by(authority) {
             pass!(executor);
         }
-        let can_transfer_user_asset_token = tokens::CanTransferUserAsset { asset_id };
+        let can_transfer_user_asset_token = tokens::asset::CanTransferUserAsset { asset_id };
         if can_transfer_user_asset_token.is_owned_by(authority) {
             pass!(executor);
         }
@@ -1126,7 +865,8 @@ pub mod asset {
             Ok(false) => {}
         }
 
-        let can_set_key_value_in_user_asset_token = tokens::CanSetKeyValueInUserAsset { asset_id };
+        let can_set_key_value_in_user_asset_token =
+            tokens::asset::CanSetKeyValueInUserAsset { asset_id };
         if can_set_key_value_in_user_asset_token.is_owned_by(authority) {
             pass!(executor);
         }
@@ -1153,7 +893,7 @@ pub mod asset {
             Ok(false) => {}
         }
         let can_remove_key_value_in_user_asset_token =
-            tokens::CanRemoveKeyValueInUserAsset { asset_id };
+            tokens::asset::CanRemoveKeyValueInUserAsset { asset_id };
         if can_remove_key_value_in_user_asset_token.is_owned_by(authority) {
             pass!(executor);
         }
@@ -1166,105 +906,8 @@ pub mod asset {
 }
 
 pub mod parameter {
-    use permission::ValidateGrantRevoke;
-
     use super::*;
 
-    declare_tokens!(
-        crate::default::parameter::tokens::CanGrantPermissionToCreateParameters,
-        crate::default::parameter::tokens::CanRevokePermissionToCreateParameters,
-        crate::default::parameter::tokens::CanCreateParameters,
-        crate::default::parameter::tokens::CanGrantPermissionToSetParameters,
-        crate::default::parameter::tokens::CanRevokePermissionToSetParameters,
-        crate::default::parameter::tokens::CanSetParameters,
-    );
-
-    pub mod tokens {
-        use super::*;
-
-        token! {
-            #[derive(Copy, ValidateGrantRevoke)]
-            #[validate(permission::OnlyGenesis)]
-            pub struct CanGrantPermissionToCreateParameters;
-        }
-
-        token! {
-            #[derive(Copy, ValidateGrantRevoke)]
-            #[validate(permission::OnlyGenesis)]
-            pub struct CanRevokePermissionToCreateParameters;
-        }
-
-        token! {
-            #[derive(Copy)]
-            pub struct CanCreateParameters;
-        }
-
-        impl ValidateGrantRevoke for CanCreateParameters {
-            fn validate_grant(&self, authority: &AccountId, _block_height: u64) -> Result {
-                if CanGrantPermissionToCreateParameters.is_owned_by(authority) {
-                    return Ok(());
-                }
-
-                Err(ValidationFail::NotPermitted(
-                        "Can't grant permission to create new configuration parameters outside genesis without permission from genesis"
-                            .to_owned()
-                    ))
-            }
-
-            fn validate_revoke(&self, authority: &AccountId, _block_height: u64) -> Result {
-                if CanGrantPermissionToCreateParameters.is_owned_by(authority) {
-                    return Ok(());
-                }
-
-                Err(ValidationFail::NotPermitted(
-                        "Can't revoke permission to create new configuration parameters outside genesis without permission from genesis"
-                            .to_owned()
-                    ))
-            }
-        }
-
-        token! {
-            #[derive(Copy, ValidateGrantRevoke)]
-            #[validate(permission::OnlyGenesis)]
-            pub struct CanGrantPermissionToSetParameters;
-        }
-
-        token! {
-            #[derive(Copy, ValidateGrantRevoke)]
-            #[validate(permission::OnlyGenesis)]
-            pub struct CanRevokePermissionToSetParameters;
-        }
-
-        token! {
-            #[derive(Copy)]
-            pub struct CanSetParameters;
-        }
-
-        impl ValidateGrantRevoke for CanSetParameters {
-            fn validate_grant(&self, authority: &AccountId, _block_height: u64) -> Result {
-                if CanGrantPermissionToSetParameters.is_owned_by(authority) {
-                    return Ok(());
-                }
-
-                Err(ValidationFail::NotPermitted(
-                        "Can't grant permission to set configuration parameters outside genesis without permission from genesis"
-                            .to_owned()
-                    ))
-            }
-
-            fn validate_revoke(&self, authority: &AccountId, _block_height: u64) -> Result {
-                if CanRevokePermissionToSetParameters.is_owned_by(authority) {
-                    return Ok(());
-                }
-
-                Err(ValidationFail::NotPermitted(
-                        "Can't revoke permission to set configuration parameters outside genesis without permission from genesis"
-                            .to_owned()
-                    ))
-            }
-        }
-    }
-
     #[allow(clippy::needless_pass_by_value)]
     pub fn visit_new_parameter<V: Validate + ?Sized>(
         executor: &mut V,
@@ -1274,7 +917,7 @@ pub mod parameter {
         if is_genesis(executor) {
             pass!(executor);
         }
-        if tokens::CanCreateParameters.is_owned_by(authority) {
+        if tokens::parameter::CanCreateParameters.is_owned_by(authority) {
             pass!(executor);
         }
 
@@ -1293,7 +936,7 @@ pub mod parameter {
         if is_genesis(executor) {
             pass!(executor);
         }
-        if tokens::CanSetParameters.is_owned_by(authority) {
+        if tokens::parameter::CanSetParameters.is_owned_by(authority) {
             pass!(executor);
         }
 
@@ -1307,20 +950,6 @@ pub mod parameter {
 pub mod role {
     use super::*;
 
-    declare_tokens! {
-        crate::default::role::tokens::CanUnregisterAnyRole,
-    }
-
-    pub mod tokens {
-        use super::*;
-
-        token! {
-            #[derive(Copy, ValidateGrantRevoke)]
-            #[validate(permission::OnlyGenesis)]
-            pub struct CanUnregisterAnyRole;
-        }
-    }
-
     macro_rules! impl_validate {
         ($executor:ident, $isi:ident, $authority:ident, $method:ident) => {
             let role_id = $isi.object;
@@ -1333,39 +962,30 @@ pub mod role {
             };
             let role = Role::try_from(find_role_query_res).unwrap();
 
+            let mut unknown_tokens = Vec::new();
             for token in role.permissions() {
                 macro_rules! visit_internal {
-                    ($token_ty:ty) => {
-                        if let Ok(concrete_token) =
-                            <$token_ty as TryFrom<_>>::try_from(token.clone())
-                        {
-                            if is_genesis($executor) {
-                                continue;
-                            }
-                            if let Err(error) =
-                                <$token_ty as permission::ValidateGrantRevoke>::$method(
-                                    &concrete_token,
+                    ($token:ident) => {
+                        if !is_genesis($executor) {
+                            if let Err(error) = permission::ValidateGrantRevoke::$method(
+                                    &$token,
                                     $authority,
                                     $executor.block_height(),
                                 )
                             {
                                 deny!($executor, error);
                             }
-
-                            // Continue because token can correspond to only one concrete token
-                            continue;
                         }
+
+                        continue;
                     };
                 }
 
-                map_all_crate_tokens!(visit_internal);
-                deny!(
-                    $executor,
-                    "Incorrect executor implementation: Role contains unknown permission tokens"
-                )
+                tokens::map_token!(token => visit_internal);
+                unknown_tokens.push(token);
             }
 
-            pass!($executor);
+            assert!(unknown_tokens.is_empty(), "Role contains unknown permission tokens: {unknown_tokens:?}");
         };
     }
 
@@ -1375,23 +995,20 @@ pub mod role {
         _authority: &AccountId,
         isi: Register<Role>,
     ) {
-        let mut unknown_tokens = Vec::new();
-
         let role = isi.object.inner();
+
+        let mut unknown_tokens = Vec::new();
         for token in role.permissions() {
             iroha_smart_contract::debug!(&format!("Checking `{token:?}`"));
+
             macro_rules! try_from_token {
-                ($token_ty:ty) => {
-                    iroha_smart_contract::debug!(concat!("Trying `", stringify!($token_ty), "`"));
-                    if <$token_ty as TryFrom<_>>::try_from(token.clone()).is_ok() {
-                        iroha_smart_contract::debug!("Success!");
-                        // Continue because token can correspond to only one concrete token
-                        continue;
-                    }
+                ($token:ident) => {
+                    let _token = $token;
+                    continue;
                 };
             }
 
-            map_all_crate_tokens!(try_from_token);
+            tokens::map_token!(token => try_from_token);
             unknown_tokens.push(token);
         }
 
@@ -1416,7 +1033,7 @@ pub mod role {
         if is_genesis(executor) {
             pass!(executor);
         }
-        if tokens::CanUnregisterAnyRole.is_owned_by(authority) {
+        if tokens::role::CanUnregisterAnyRole.is_owned_by(authority) {
             pass!(executor);
         }
 
@@ -1445,68 +1062,6 @@ pub mod trigger {
 
     use super::*;
 
-    macro_rules! impl_froms {
-        ($($name:path),+ $(,)?) => {$(
-            impl<'token> From<&'token $name> for permission::trigger::Owner<'token> {
-                fn from(value: &'token $name) -> Self {
-                    Self {
-                        trigger_id: &value.trigger_id,
-                    }
-                }
-            }
-        )+};
-    }
-
-    declare_tokens! {
-        crate::default::trigger::tokens::CanExecuteUserTrigger,
-        crate::default::trigger::tokens::CanUnregisterUserTrigger,
-        crate::default::trigger::tokens::CanMintUserTrigger,
-        crate::default::trigger::tokens::CanBurnUserTrigger,
-    }
-
-    pub mod tokens {
-        use super::*;
-
-        token! {
-            #[derive(ValidateGrantRevoke)]
-            #[validate(permission::trigger::Owner)]
-            pub struct CanExecuteUserTrigger {
-                pub trigger_id: TriggerId,
-            }
-        }
-
-        token! {
-            #[derive(ValidateGrantRevoke)]
-            #[validate(permission::trigger::Owner)]
-            pub struct CanUnregisterUserTrigger {
-                pub trigger_id: TriggerId,
-            }
-        }
-
-        token! {
-            #[derive(ValidateGrantRevoke)]
-            #[validate(permission::trigger::Owner)]
-            pub struct CanMintUserTrigger {
-                pub trigger_id: TriggerId,
-            }
-        }
-
-        token! {
-            #[derive(ValidateGrantRevoke)]
-            #[validate(permission::trigger::Owner)]
-            pub struct CanBurnUserTrigger {
-                pub trigger_id: TriggerId,
-            }
-        }
-    }
-
-    impl_froms!(
-        tokens::CanExecuteUserTrigger,
-        tokens::CanUnregisterUserTrigger,
-        tokens::CanMintUserTrigger,
-        tokens::CanBurnUserTrigger,
-    );
-
     pub fn visit_unregister_trigger<V: Validate + ?Sized>(
         executor: &mut V,
         authority: &AccountId,
@@ -1522,7 +1077,8 @@ pub mod trigger {
             Ok(true) => pass!(executor),
             Ok(false) => {}
         }
-        let can_unregister_user_trigger_token = tokens::CanUnregisterUserTrigger { trigger_id };
+        let can_unregister_user_trigger_token =
+            tokens::trigger::CanUnregisterUserTrigger { trigger_id };
         if can_unregister_user_trigger_token.is_owned_by(authority) {
             pass!(executor);
         }
@@ -1548,7 +1104,7 @@ pub mod trigger {
             Ok(true) => pass!(executor),
             Ok(false) => {}
         }
-        let can_mint_user_trigger_token = tokens::CanMintUserTrigger { trigger_id };
+        let can_mint_user_trigger_token = tokens::trigger::CanMintUserTrigger { trigger_id };
         if can_mint_user_trigger_token.is_owned_by(authority) {
             pass!(executor);
         }
@@ -1574,7 +1130,7 @@ pub mod trigger {
             Ok(true) => pass!(executor),
             Ok(false) => {}
         }
-        let can_mint_user_trigger_token = tokens::CanMintUserTrigger { trigger_id };
+        let can_mint_user_trigger_token = tokens::trigger::CanBurnUserTrigger { trigger_id };
         if can_mint_user_trigger_token.is_owned_by(authority) {
             pass!(executor);
         }
@@ -1600,7 +1156,7 @@ pub mod trigger {
             Ok(true) => pass!(executor),
             Ok(false) => {}
         }
-        let can_execute_trigger_token = tokens::CanExecuteUserTrigger { trigger_id };
+        let can_execute_trigger_token = tokens::trigger::CanExecuteUserTrigger { trigger_id };
         if can_execute_trigger_token.is_owned_by(authority) {
             pass!(executor);
         }
@@ -1617,25 +1173,23 @@ pub mod permission_token {
             let token = $self.object;
 
             macro_rules! visit_internal {
-                ($token_ty:ty) => {
-                    if let Ok(token) = <$token_ty as TryFrom<_>>::try_from(token.clone()) {
-                        if is_genesis($executor) {
-                            pass!($executor);
-                        }
-                        if let Err(error) = <$token_ty as permission::ValidateGrantRevoke>::$method(
-                            &token,
-                            $authority,
-                            $executor.block_height(),
-                        ) {
-                            deny!($executor, error);
-                        }
-
+                ($token:ident) => {
+                    if is_genesis($executor) {
                         pass!($executor);
                     }
+                    if let Err(error) = permission::ValidateGrantRevoke::$method(
+                        &$token,
+                        $authority,
+                        $executor.block_height(),
+                    ) {
+                        deny!($executor, error);
+                    }
+
+                    pass!($executor);
                 };
             }
 
-            map_all_crate_tokens!(visit_internal);
+            tokens::map_token!(token => visit_internal);
 
             deny!(
                 $executor,
@@ -1664,20 +1218,6 @@ pub mod permission_token {
 pub mod executor {
     use super::*;
 
-    declare_tokens! {
-        crate::default::executor::tokens::CanUpgradeExecutor,
-    }
-
-    pub mod tokens {
-        use super::*;
-
-        token! {
-            #[derive(Copy, ValidateGrantRevoke)]
-            #[validate(permission::OnlyGenesis)]
-            pub struct CanUpgradeExecutor;
-        }
-    }
-
     #[allow(clippy::needless_pass_by_value)]
     pub fn visit_upgrade_executor<V: Validate + ?Sized>(
         executor: &mut V,
@@ -1687,7 +1227,7 @@ pub mod executor {
         if is_genesis(executor) {
             pass!(executor);
         }
-        if tokens::CanUpgradeExecutor.is_owned_by(authority) {
+        if tokens::executor::CanUpgradeExecutor.is_owned_by(authority) {
             pass!(executor);
         }
 
diff --git a/smart_contract/executor/src/default/tokens.rs b/smart_contract/executor/src/default/tokens.rs
new file mode 100644
index 00000000000..df79280ba40
--- /dev/null
+++ b/smart_contract/executor/src/default/tokens.rs
@@ -0,0 +1,470 @@
+//! Definition of Iroha default permission tokens
+#![allow(missing_docs, clippy::missing_errors_doc)]
+
+use alloc::{borrow::ToOwned, format, string::String, vec::Vec};
+
+use iroha_executor_derive::ValidateGrantRevoke;
+use iroha_smart_contract::data_model::{executor::Result, prelude::*};
+
+use crate::permission::{self, Token as _};
+
+/// Declare token types of current module. Use it with a full path to the token.
+/// Used to iterate over tokens to validate `Grant` and `Revoke` instructions.
+///
+///
+/// TODO: Replace with procedural macro. Example:
+/// ```
+/// mod tokens {
+///     use std::borrow::ToOwned;
+///
+///     use iroha_schema::IntoSchema;
+///     use iroha_executor_derive::{Token, ValidateGrantRevoke};
+///     use serde::{Deserialize, Serialize};
+///
+///     #[derive(Clone, PartialEq, Deserialize, Serialize, IntoSchema, Token, ValidateGrantRevoke)]
+///     #[validate(iroha_executor::permission::OnlyGenesis)]
+///     pub struct MyToken;
+/// }
+/// ```
+macro_rules! declare_tokens {
+    ($($($token_path:ident ::)+ { $token_ty:ident }),+ $(,)?) => {
+        macro_rules! map_token {
+            ($token:ident => $callback:ident) => {
+                match $token.definition_id().as_ref() { $(
+                    stringify!($token_ty) => {
+                        if let Ok(token) = <$($token_path::)+$token_ty>::try_from($token.clone()) {
+                            $callback!(token);
+                        }
+                    } )+
+                    _ => {}
+                }
+
+            };
+        }
+
+        macro_rules! map_token_type {
+            ($callback:ident) => { $(
+                $callback!($($token_path::)+$token_ty); )+
+            };
+        }
+
+        pub(crate) use map_token;
+        pub(crate) use map_token_type;
+    };
+}
+
+macro_rules! token {
+    ($($meta:meta)* $item:item) => {
+        #[derive(PartialEq, Eq, serde::Serialize, serde::Deserialize)]
+        #[derive(Clone, iroha_executor_derive::Token)]
+        #[derive(iroha_schema::IntoSchema)]
+        $($meta)*
+        $item
+    };
+}
+
+declare_tokens! {
+    crate::default::tokens::peer::{CanUnregisterAnyPeer},
+
+    crate::default::tokens::domain::{CanUnregisterDomain},
+    crate::default::tokens::domain::{CanSetKeyValueInDomain},
+    crate::default::tokens::domain::{CanRemoveKeyValueInDomain},
+
+    crate::default::tokens::account::{CanUnregisterAccount},
+    crate::default::tokens::account::{CanMintUserPublicKeys},
+    crate::default::tokens::account::{CanBurnUserPublicKeys},
+    crate::default::tokens::account::{CanMintUserSignatureCheckConditions},
+    crate::default::tokens::account::{CanSetKeyValueInUserAccount},
+    crate::default::tokens::account::{CanRemoveKeyValueInUserAccount},
+
+    crate::default::tokens::asset_definition::{CanUnregisterAssetDefinition},
+    crate::default::tokens::asset_definition::{CanSetKeyValueInAssetDefinition},
+    crate::default::tokens::asset_definition::{CanRemoveKeyValueInAssetDefinition},
+
+    crate::default::tokens::asset::{CanRegisterAssetsWithDefinition},
+    crate::default::tokens::asset::{CanUnregisterAssetsWithDefinition},
+    crate::default::tokens::asset::{CanUnregisterUserAsset},
+    crate::default::tokens::asset::{CanBurnAssetsWithDefinition},
+    crate::default::tokens::asset::{CanBurnUserAsset},
+    crate::default::tokens::asset::{CanMintAssetsWithDefinition},
+    crate::default::tokens::asset::{CanTransferAssetsWithDefinition},
+    crate::default::tokens::asset::{CanTransferUserAsset},
+    crate::default::tokens::asset::{CanSetKeyValueInUserAsset},
+    crate::default::tokens::asset::{CanRemoveKeyValueInUserAsset},
+
+    crate::default::tokens::parameter::{CanGrantPermissionToCreateParameters},
+    crate::default::tokens::parameter::{CanRevokePermissionToCreateParameters},
+    crate::default::tokens::parameter::{CanCreateParameters},
+    crate::default::tokens::parameter::{CanGrantPermissionToSetParameters},
+    crate::default::tokens::parameter::{CanRevokePermissionToSetParameters},
+    crate::default::tokens::parameter::{CanSetParameters},
+
+    crate::default::tokens::role::{CanUnregisterAnyRole},
+
+    crate::default::tokens::trigger::{CanExecuteUserTrigger},
+    crate::default::tokens::trigger::{CanUnregisterUserTrigger},
+    crate::default::tokens::trigger::{CanMintUserTrigger},
+    crate::default::tokens::trigger::{CanBurnUserTrigger},
+
+    crate::default::tokens::executor::{CanUpgradeExecutor},
+}
+
+pub mod peer {
+    use super::*;
+
+    token! {
+        #[derive(Copy, ValidateGrantRevoke)]
+        #[validate(permission::OnlyGenesis)]
+        pub struct CanUnregisterAnyPeer;
+    }
+}
+
+pub mod domain {
+    use super::*;
+
+    token! {
+        #[derive(ValidateGrantRevoke, permission::derive_conversions::domain::Owner)]
+        #[validate(permission::domain::Owner)]
+        pub struct CanUnregisterDomain {
+            pub domain_id: DomainId,
+        }
+    }
+
+    token! {
+        #[derive(ValidateGrantRevoke, permission::derive_conversions::domain::Owner)]
+        #[validate(permission::domain::Owner)]
+        pub struct CanSetKeyValueInDomain {
+            pub domain_id: DomainId,
+        }
+    }
+
+    token! {
+        #[derive(ValidateGrantRevoke, permission::derive_conversions::domain::Owner)]
+        #[validate(permission::domain::Owner)]
+        pub struct CanRemoveKeyValueInDomain {
+            pub domain_id: DomainId,
+        }
+    }
+}
+
+pub mod account {
+    use super::*;
+
+    token! {
+        #[derive(ValidateGrantRevoke, permission::derive_conversions::account::Owner)]
+        #[validate(permission::account::Owner)]
+        pub struct CanUnregisterAccount {
+            pub account_id: AccountId,
+        }
+    }
+    token! {
+        #[derive(ValidateGrantRevoke, permission::derive_conversions::account::Owner)]
+        #[validate(permission::account::Owner)]
+        pub struct CanMintUserPublicKeys {
+            pub account_id: AccountId,
+        }
+    }
+    token! {
+        #[derive(ValidateGrantRevoke, permission::derive_conversions::account::Owner)]
+        #[validate(permission::account::Owner)]
+        pub struct CanBurnUserPublicKeys {
+            pub account_id: AccountId,
+        }
+    }
+    token! {
+        #[derive(ValidateGrantRevoke, permission::derive_conversions::account::Owner)]
+        #[validate(permission::account::Owner)]
+        pub struct CanMintUserSignatureCheckConditions {
+            pub account_id: AccountId,
+        }
+    }
+    token! {
+        #[derive(ValidateGrantRevoke, permission::derive_conversions::account::Owner)]
+        #[validate(permission::account::Owner)]
+        pub struct CanSetKeyValueInUserAccount {
+            pub account_id: AccountId,
+        }
+    }
+    token! {
+        #[derive(ValidateGrantRevoke, permission::derive_conversions::account::Owner)]
+        #[validate(permission::account::Owner)]
+        pub struct CanRemoveKeyValueInUserAccount {
+            pub account_id: AccountId,
+        }
+    }
+}
+
+pub mod asset_definition {
+    use super::*;
+
+    token! {
+        #[derive(ValidateGrantRevoke, permission::derive_conversions::asset_definition::Owner)]
+        #[validate(permission::asset_definition::Owner)]
+        pub struct CanUnregisterAssetDefinition {
+            pub asset_definition_id: AssetDefinitionId,
+        }
+    }
+
+    token! {
+        #[derive(ValidateGrantRevoke, permission::derive_conversions::asset_definition::Owner)]
+        #[validate(permission::asset_definition::Owner)]
+        pub struct CanSetKeyValueInAssetDefinition {
+            pub asset_definition_id: AssetDefinitionId,
+        }
+    }
+
+    token! {
+        #[derive(ValidateGrantRevoke, permission::derive_conversions::asset_definition::Owner)]
+        #[validate(permission::asset_definition::Owner)]
+        pub struct CanRemoveKeyValueInAssetDefinition {
+            pub asset_definition_id: AssetDefinitionId,
+        }
+    }
+}
+
+pub mod asset {
+    use super::*;
+
+    token! {
+        #[derive(ValidateGrantRevoke, permission::derive_conversions::asset_definition::Owner)]
+        #[validate(permission::asset_definition::Owner)]
+        pub struct CanRegisterAssetsWithDefinition {
+            pub asset_definition_id: AssetDefinitionId,
+        }
+    }
+
+    token! {
+        #[derive(ValidateGrantRevoke, permission::derive_conversions::asset_definition::Owner)]
+        #[validate(permission::asset_definition::Owner)]
+        pub struct CanUnregisterAssetsWithDefinition {
+            pub asset_definition_id: AssetDefinitionId,
+        }
+    }
+
+    token! {
+        #[derive(ValidateGrantRevoke, permission::derive_conversions::asset::Owner)]
+        #[validate(permission::asset::Owner)]
+        pub struct CanUnregisterUserAsset {
+            pub asset_id: AssetId,
+        }
+    }
+
+    token! {
+        #[derive(ValidateGrantRevoke, permission::derive_conversions::asset_definition::Owner)]
+        #[validate(permission::asset_definition::Owner)]
+        pub struct CanBurnAssetsWithDefinition {
+            pub asset_definition_id: AssetDefinitionId,
+        }
+    }
+
+    token! {
+        #[derive(ValidateGrantRevoke, permission::derive_conversions::asset::Owner)]
+        #[validate(permission::asset::Owner)]
+        pub struct CanBurnUserAsset {
+            pub asset_id: AssetId,
+        }
+    }
+
+    token! {
+        #[derive(ValidateGrantRevoke, permission::derive_conversions::asset_definition::Owner)]
+        #[validate(permission::asset_definition::Owner)]
+        pub struct CanMintAssetsWithDefinition {
+            pub asset_definition_id: AssetDefinitionId,
+        }
+    }
+
+    token! {
+        #[derive(ValidateGrantRevoke, permission::derive_conversions::asset_definition::Owner)]
+        #[validate(permission::asset_definition::Owner)]
+        pub struct CanTransferAssetsWithDefinition {
+            pub asset_definition_id: AssetDefinitionId,
+        }
+    }
+
+    token! {
+        #[derive(ValidateGrantRevoke, permission::derive_conversions::asset::Owner)]
+        #[validate(permission::asset::Owner)]
+        pub struct CanTransferUserAsset {
+            pub asset_id: AssetId,
+        }
+    }
+
+    token! {
+        #[derive(ValidateGrantRevoke, permission::derive_conversions::asset::Owner)]
+        #[validate(permission::asset::Owner)]
+        pub struct CanSetKeyValueInUserAsset {
+            pub asset_id: AssetId,
+        }
+    }
+
+    token! {
+        #[derive(ValidateGrantRevoke, permission::derive_conversions::asset::Owner)]
+        #[validate(permission::asset::Owner)]
+        pub struct CanRemoveKeyValueInUserAsset {
+            pub asset_id: AssetId,
+        }
+    }
+}
+
+pub mod parameter {
+    use permission::ValidateGrantRevoke;
+
+    use super::*;
+
+    token! {
+        #[derive(Copy, ValidateGrantRevoke)]
+        #[validate(permission::OnlyGenesis)]
+        pub struct CanGrantPermissionToCreateParameters;
+    }
+
+    token! {
+        #[derive(Copy, ValidateGrantRevoke)]
+        #[validate(permission::OnlyGenesis)]
+        pub struct CanRevokePermissionToCreateParameters;
+    }
+
+    token! {
+        #[derive(Copy)]
+        pub struct CanCreateParameters;
+    }
+
+    token! {
+        #[derive(Copy, ValidateGrantRevoke)]
+        #[validate(permission::OnlyGenesis)]
+        pub struct CanGrantPermissionToSetParameters;
+    }
+
+    token! {
+        #[derive(Copy, ValidateGrantRevoke)]
+        #[validate(permission::OnlyGenesis)]
+        pub struct CanRevokePermissionToSetParameters;
+    }
+
+    token! {
+        #[derive(Copy)]
+        pub struct CanSetParameters;
+    }
+
+    impl ValidateGrantRevoke for CanCreateParameters {
+        fn validate_grant(&self, authority: &AccountId, _block_height: u64) -> Result {
+            if CanGrantPermissionToCreateParameters.is_owned_by(authority) {
+                return Ok(());
+            }
+
+            Err(ValidationFail::NotPermitted(
+                "Can't grant permission to create new configuration parameters outside genesis without permission from genesis"
+                    .to_owned()
+            ))
+        }
+
+        fn validate_revoke(&self, authority: &AccountId, _block_height: u64) -> Result {
+            if CanGrantPermissionToCreateParameters.is_owned_by(authority) {
+                return Ok(());
+            }
+
+            Err(ValidationFail::NotPermitted(
+                "Can't revoke permission to create new configuration parameters outside genesis without permission from genesis"
+                    .to_owned()
+            ))
+        }
+    }
+
+    impl ValidateGrantRevoke for CanSetParameters {
+        fn validate_grant(&self, authority: &AccountId, _block_height: u64) -> Result {
+            if CanGrantPermissionToSetParameters.is_owned_by(authority) {
+                return Ok(());
+            }
+
+            Err(ValidationFail::NotPermitted(
+                "Can't grant permission to set configuration parameters outside genesis without permission from genesis"
+                    .to_owned()
+            ))
+        }
+
+        fn validate_revoke(&self, authority: &AccountId, _block_height: u64) -> Result {
+            if CanRevokePermissionToSetParameters.is_owned_by(authority) {
+                return Ok(());
+            }
+
+            Err(ValidationFail::NotPermitted(
+                "Can't revoke permission to set configuration parameters outside genesis without permission from genesis"
+                    .to_owned()
+            ))
+        }
+    }
+}
+
+pub mod role {
+    use super::*;
+
+    token! {
+        #[derive(Copy, ValidateGrantRevoke)]
+        #[validate(permission::OnlyGenesis)]
+        pub struct CanUnregisterAnyRole;
+    }
+}
+
+pub mod trigger {
+    use super::*;
+
+    macro_rules! impl_froms {
+            ($($name:path),+ $(,)?) => {$(
+                impl<'token> From<&'token $name> for permission::trigger::Owner<'token> {
+                    fn from(value: &'token $name) -> Self {
+                        Self {
+                            trigger_id: &value.trigger_id,
+                        }
+                    }
+                }
+            )+};
+        }
+
+    token! {
+        #[derive(ValidateGrantRevoke)]
+        #[validate(permission::trigger::Owner)]
+        pub struct CanExecuteUserTrigger {
+            pub trigger_id: TriggerId,
+        }
+    }
+
+    token! {
+        #[derive(ValidateGrantRevoke)]
+        #[validate(permission::trigger::Owner)]
+        pub struct CanUnregisterUserTrigger {
+            pub trigger_id: TriggerId,
+        }
+    }
+
+    token! {
+        #[derive(ValidateGrantRevoke)]
+        #[validate(permission::trigger::Owner)]
+        pub struct CanMintUserTrigger {
+            pub trigger_id: TriggerId,
+        }
+    }
+
+    token! {
+        #[derive(ValidateGrantRevoke)]
+        #[validate(permission::trigger::Owner)]
+        pub struct CanBurnUserTrigger {
+            pub trigger_id: TriggerId,
+        }
+    }
+
+    impl_froms!(
+        CanExecuteUserTrigger,
+        CanUnregisterUserTrigger,
+        CanMintUserTrigger,
+        CanBurnUserTrigger,
+    );
+}
+
+pub mod executor {
+    use super::*;
+
+    token! {
+        #[derive(Copy, ValidateGrantRevoke)]
+        #[validate(permission::OnlyGenesis)]
+        pub struct CanUpgradeExecutor;
+    }
+}
diff --git a/smart_contract/executor/src/lib.rs b/smart_contract/executor/src/lib.rs
index f61e3643c0c..baa00432883 100644
--- a/smart_contract/executor/src/lib.rs
+++ b/smart_contract/executor/src/lib.rs
@@ -197,38 +197,6 @@ macro_rules! parse {
     };
 }
 
-/// Declare token types of current module. Use it with a full path to the token.
-///
-/// Used to iterate over token types to validate `Grant` and `Revoke` instructions.
-///
-///
-/// TODO: Replace with procedural macro. Example:
-/// ```
-/// mod tokens {
-///     use std::borrow::ToOwned;
-///
-///     use iroha_schema::IntoSchema;
-///     use iroha_executor_derive::{Token, ValidateGrantRevoke};
-///     use serde::{Deserialize, Serialize};
-///
-///     #[derive(Clone, PartialEq, Deserialize, Serialize, IntoSchema, Token, ValidateGrantRevoke)]
-///     #[validate(iroha_executor::permission::OnlyGenesis)]
-///     pub struct MyToken;
-/// }
-/// ```
-#[macro_export]
-macro_rules! declare_tokens {
-    ($($token_ty:ty),+ $(,)?) => {
-        macro_rules! map_tokens {
-            ($callback:ident) => {$(
-                $callback!($token_ty)
-            );+}
-        }
-
-        pub(crate) use map_tokens;
-    }
-}
-
 /// Collection of all permission tokens defined by the executor
 #[derive(Debug, Clone, Default)]
 pub struct PermissionTokenSchema(Vec<PermissionTokenId>, MetaMap);
@@ -287,5 +255,5 @@ pub mod prelude {
     pub use iroha_executor_derive::{entrypoint, Token, ValidateGrantRevoke};
     pub use iroha_smart_contract::{prelude::*, Context};
 
-    pub use super::{declare_tokens, deny, pass, PermissionTokenSchema, Validate};
+    pub use super::{deny, pass, PermissionTokenSchema, Validate};
 }