From e0dc6f2ea800ff88f14c001a92a46669048f0db5 Mon Sep 17 00:00:00 2001
From: Rias <hey@rias.be>
Date: Sat, 27 Jun 2026 09:17:20 +0200
Subject: [PATCH 1/8] Port GraphQL screens to Inertia

---
 resources/js/common/components/MainNav.vue    |   4 +-
 .../permissions/components/PermissionList.vue |  68 +++++-
 .../permissions/helpers/permissions.ts        |  16 +-
 resources/js/pages/graphql/schemas/Edit.vue   | 119 ++++++++++
 .../{Schemas.vue => schemas/Index.vue}        |  11 +-
 resources/js/pages/graphql/tokens/Edit.vue    | 197 ++++++++++++++++
 .../graphql/{Tokens.vue => tokens/Index.vue}  |  18 +-
 .../js/pages/settings/users/groups/Edit.vue   |  78 +------
 .../templates/graphql/schemas/_edit.twig      | 166 -------------
 resources/templates/graphql/tokens/_edit.twig | 165 -------------
 routes/actions.php                            |  20 --
 routes/cp.php                                 |  34 ++-
 .../Controllers/Gql/SchemasController.php     | 218 ++++++++++--------
 src/Http/Controllers/Gql/TokensController.php | 180 ++++++++-------
 src/User/Data/Permission.php                  |   2 +-
 src/User/Data/PermissionGroup.php             |  24 +-
 .../Controllers/Gql/SchemasControllerTest.php |  88 ++++---
 .../Controllers/Gql/TokensControllerTest.php  | 115 ++++-----
 workbench/.env.example                        |  11 +-
 .../TypeScriptTransformerServiceProvider.php  |  10 +-
 .../TypeScript/ClassListClassTransformer.php  |  22 ++
 21 files changed, 798 insertions(+), 768 deletions(-)
 create mode 100644 resources/js/pages/graphql/schemas/Edit.vue
 rename resources/js/pages/graphql/{Schemas.vue => schemas/Index.vue} (93%)
 create mode 100644 resources/js/pages/graphql/tokens/Edit.vue
 rename resources/js/pages/graphql/{Tokens.vue => tokens/Index.vue} (90%)
 delete mode 100644 resources/templates/graphql/schemas/_edit.twig
 delete mode 100644 resources/templates/graphql/tokens/_edit.twig

diff --git a/resources/js/common/components/MainNav.vue b/resources/js/common/components/MainNav.vue
index 2c729384ea1..df86f58133b 100644
--- a/resources/js/common/components/MainNav.vue
+++ b/resources/js/common/components/MainNav.vue
@@ -22,7 +22,7 @@
       :key="item.url"
       :icon="item.icon"
       :href="item.url"
-      :active="item.sel"
+      :active="item.selected"
       :indicator="!!item.badgeCount"
     >
       {{ item.label }}
@@ -32,7 +32,7 @@
           <craft-nav-item
             v-for="subnavItem in item.subnav"
             :key="subnavItem.url"
-            :active="subnavItem.sel"
+            :active="subnavItem.selected"
             :href="subnavItem.url"
             :indicator="!!subnavItem.badgeCount"
           >
diff --git a/resources/js/modules/permissions/components/PermissionList.vue b/resources/js/modules/permissions/components/PermissionList.vue
index a479b165ef0..9fe1f692d76 100644
--- a/resources/js/modules/permissions/components/PermissionList.vue
+++ b/resources/js/modules/permissions/components/PermissionList.vue
@@ -1,4 +1,5 @@
 <script setup lang="ts">
+  import {t} from '@craftcms/cp';
   import {
     getNestedKeys,
     hasNested,
@@ -13,20 +14,52 @@
     defineProps<{
       modelValue: Array<string>;
       permissions?: Record<string, PermissionItem>;
+      heading?: string;
+      permissionKeys?: Array<string>;
       disabled?: boolean;
       level?: number;
     }>(),
-    {permissions: () => ({}), modelValue: () => [], disabled: false, level: 0}
+    {
+      permissions: () => ({}),
+      modelValue: () => [],
+      permissionKeys: () => [],
+      disabled: false,
+      level: 0,
+    }
   );
 
+  function allSelected() {
+    if (!props.permissionKeys.length) {
+      return false;
+    }
+
+    const selected = new Set(props.modelValue);
+
+    return props.permissionKeys.every((key) => selected.has(key));
+  }
+
+  function toggleAll() {
+    if (allSelected()) {
+      const keysToRemove = new Set(props.permissionKeys);
+      emit(
+        'update:modelValue',
+        props.modelValue.filter((key) => !keysToRemove.has(key))
+      );
+      return;
+    }
+
+    emit('update:modelValue', [
+      ...new Set([...props.modelValue, ...props.permissionKeys]),
+    ]);
+  }
+
   function toggleItem(key: string) {
-    const lowerKey = key.toLowerCase();
-    const index = props.modelValue.indexOf(lowerKey);
+    const index = props.modelValue.indexOf(key);
     if (index === -1) {
-      emit('update:modelValue', [...props.modelValue, lowerKey]);
+      emit('update:modelValue', [...props.modelValue, key]);
     } else {
       const keysToRemove = new Set([
-        lowerKey,
+        key,
         ...getNestedKeys(props.permissions[key]),
       ]);
       emit(
@@ -38,6 +71,27 @@
 </script>
 
 <template>
+  <div v-if="heading" class="flex gap-2 items-center">
+    <h3 class="mb-1 text-base">
+      {{ heading }}
+    </h3>
+
+    <craft-button
+      type="button"
+      size="small"
+      appearance="plain"
+      :disabled="disabled"
+      @click="toggleAll"
+    >
+      <template v-if="allSelected()">
+        {{ t('Deselect all') }}
+      </template>
+      <template v-else>
+        {{ t('Select all') }}
+      </template>
+    </craft-button>
+  </div>
+
   <ul
     class="group"
     v-for="(item, key) in permissions"
@@ -49,7 +103,7 @@
     <li>
       <CraftCheckbox
         :label="item.label"
-        :model-value="modelValue.includes(key.toLowerCase())"
+        :model-value="modelValue.includes(key)"
         :value="key"
         :disabled="disabled"
         @update:model-value="toggleItem(key)"
@@ -75,7 +129,7 @@
         v-if="hasNested(item)"
         :permissions="item.nested"
         :model-value="modelValue"
-        :disabled="disabled || !modelValue.includes(item.key.toLowerCase())"
+        :disabled="disabled || !modelValue.includes(item.key)"
         @update:model-value="emit('update:modelValue', $event)"
         :level="level! + 1"
       />
diff --git a/resources/js/modules/permissions/helpers/permissions.ts b/resources/js/modules/permissions/helpers/permissions.ts
index d83fedb2a53..d23eb7d504e 100644
--- a/resources/js/modules/permissions/helpers/permissions.ts
+++ b/resources/js/modules/permissions/helpers/permissions.ts
@@ -1,14 +1,10 @@
-export interface PermissionItem {
-  key: string;
-  nested: Record<string, PermissionItem>;
-  label: string;
-  info?: string;
-  warning?: string;
-}
+export type PermissionItem = CraftCms.Cms.User.Data.Permission;
 
-export function hasNested(item: PermissionItem) {
+export function hasNested(
+  item: PermissionItem
+): item is PermissionItem & {nested: Record<string, PermissionItem>} {
   return (
-    item.nested &&
+    !!item.nested &&
     typeof item.nested === 'object' &&
     !Array.isArray(item.nested) &&
     Object.keys(item.nested).length > 0
@@ -21,7 +17,7 @@ export function getNestedKeys(item: PermissionItem | undefined): Array<string> {
   }
 
   return Object.values(item.nested).flatMap((child: PermissionItem) => [
-    child.key.toLowerCase(),
+    child.key,
     ...getNestedKeys(child),
   ]);
 }
diff --git a/resources/js/pages/graphql/schemas/Edit.vue b/resources/js/pages/graphql/schemas/Edit.vue
new file mode 100644
index 00000000000..b2096215b49
--- /dev/null
+++ b/resources/js/pages/graphql/schemas/Edit.vue
@@ -0,0 +1,119 @@
+<script setup lang="ts">
+  import {t} from '@craftcms/cp';
+  import AppLayout from '@/common/layouts/AppLayout.vue';
+  import Pane from '@/common/components/Pane.vue';
+  import CraftInput from '@craftcms/cp/vue/CraftInput.vue';
+  import CraftSwitch from '@craftcms/cp/vue/CraftSwitch.vue';
+  import PermissionList from '@/modules/permissions/components/PermissionList.vue';
+  import {useSettingsSave} from '@/modules/settings/composables/useSettingsSave';
+  import {store, update} from '@actions/Gql/SchemasController';
+  import {useForm} from '@inertiajs/vue3';
+
+  type TokenData = Pick<
+    CraftCms.Cms.Gql.Data.GqlToken,
+    'id' | 'enabled' | 'expiryDate'
+  >;
+
+  interface SchemaForm {
+    name: string;
+    permissions: Array<string>;
+    enabled: boolean;
+    expiryDate: string;
+  }
+
+  const props = defineProps<{
+    schema: CraftCms.Cms.Gql.Data.GqlSchema;
+    token: TokenData | null;
+    permissions: Array<CraftCms.Cms.User.Data.PermissionGroup>;
+    readOnly?: boolean;
+  }>();
+
+  const form = useForm<SchemaForm>({
+    name: props.schema.name ?? '',
+    permissions: props.schema.scope ?? [],
+    enabled: props.token?.enabled ?? true,
+    expiryDate: props.token?.expiryDate ?? '',
+  });
+
+  const routeAction = () => {
+    if (!props.schema.id) {
+      return store();
+    }
+
+    return update({
+      schemaId: props.schema.isPublic ? 'public' : props.schema.id,
+    });
+  };
+
+  const {save} = useSettingsSave(form, routeAction);
+</script>
+
+<template>
+  <AppLayout :form="form" @save="save">
+    <Pane appearance="raised">
+      <div class="grid gap-3">
+        <CraftInput
+          v-if="!schema.isPublic"
+          :label="t('Name')"
+          :help-text="
+            t('What this schema will be called in the control panel.')
+          "
+          id="name"
+          name="name"
+          v-model="form.name"
+          :error="form.errors.name"
+          :disabled="readOnly"
+          required
+          autofocus
+        />
+
+        <hr v-if="!schema.isPublic" />
+
+        <section class="grid gap-3">
+          <h2 class="text-base">
+            {{
+              t('Choose the available content for querying with this schema:')
+            }}
+          </h2>
+
+          <div
+            v-for="group in permissions"
+            :key="group.handle"
+            class="user-permissions"
+          >
+            <PermissionList
+              :heading="group.heading"
+              :permissions="group.permissions"
+              :permission-keys="group.keys"
+              v-model="form.permissions"
+              :disabled="readOnly"
+            />
+          </div>
+        </section>
+      </div>
+    </Pane>
+
+    <template v-if="schema.isPublic" #footer>
+      <div class="meta">
+        <CraftSwitch
+          :label="t('Enabled')"
+          id="enabled"
+          name="enabled"
+          v-model="form.enabled"
+          :disabled="readOnly"
+          :error="form.errors.enabled"
+        />
+
+        <CraftInput
+          :label="t('Expiry Date')"
+          id="expiryDate"
+          name="expiryDate"
+          type="datetime-local"
+          v-model="form.expiryDate"
+          :disabled="readOnly"
+          :error="form.errors.expiryDate"
+        />
+      </div>
+    </template>
+  </AppLayout>
+</template>
diff --git a/resources/js/pages/graphql/Schemas.vue b/resources/js/pages/graphql/schemas/Index.vue
similarity index 93%
rename from resources/js/pages/graphql/Schemas.vue
rename to resources/js/pages/graphql/schemas/Index.vue
index 98c948f55ce..675dd1fb00f 100644
--- a/resources/js/pages/graphql/Schemas.vue
+++ b/resources/js/pages/graphql/schemas/Index.vue
@@ -6,12 +6,7 @@
   import AdminTable from '@/modules/admin-table/components/AdminTable.vue';
   import {getCoreRowModel, useVueTable} from '@tanstack/vue-table';
   import {createCraftColumnHelper} from '@/modules/admin-table/helpers/createCraftColumnHelper';
-  import {
-    create,
-    destroy,
-    edit,
-    editPublic,
-  } from '@actions/Gql/SchemasController';
+  import {create, destroy, edit} from '@actions/Gql/SchemasController';
   import CpLink from '@/common/components/CpLink.vue';
   import DeleteButton from '@/modules/admin-table/components/DeleteButton.vue';
   import {router} from '@inertiajs/vue3';
@@ -48,9 +43,8 @@
         columnHelper.link('name', {
           props: ({row}) => ({
             href: row.original.isPublic
-              ? editPublic().url
+              ? edit({schemaId: 'public'}).url
               : edit({schemaId: row.original.id}).url,
-            inertia: false,
           }),
           header: t('Name'),
         }),
@@ -94,7 +88,6 @@
       <CpLink
         :href="create.url()"
         icon="plus"
-        :inertia="false"
         appearance="button"
         variant="accent"
         >{{ t('New schema') }}</CpLink
diff --git a/resources/js/pages/graphql/tokens/Edit.vue b/resources/js/pages/graphql/tokens/Edit.vue
new file mode 100644
index 00000000000..919794d51f0
--- /dev/null
+++ b/resources/js/pages/graphql/tokens/Edit.vue
@@ -0,0 +1,197 @@
+<script setup lang="ts">
+  import {computed, nextTick, ref} from 'vue';
+  import {t} from '@craftcms/cp';
+  import AppLayout from '@/common/layouts/AppLayout.vue';
+  import Pane from '@/common/components/Pane.vue';
+  import Select from '@/common/form/Select.vue';
+  import type {BaseOption} from '@/common/types';
+  import CraftInput from '@craftcms/cp/vue/CraftInput.vue';
+  import CraftSwitch from '@craftcms/cp/vue/CraftSwitch.vue';
+  import {useSettingsSave} from '@/modules/settings/composables/useSettingsSave';
+  import {
+    accessToken as revealAccessToken,
+    generate,
+    store,
+    update,
+  } from '@actions/Gql/TokensController';
+  import {useForm, useHttp} from '@inertiajs/vue3';
+
+  type TokenData = Pick<
+    CraftCms.Cms.Gql.Data.GqlToken,
+    'id' | 'uid' | 'name' | 'schemaId' | 'enabled' | 'expiryDate'
+  >;
+
+  type CopyButtonElement = HTMLElement & {copyValue: () => Promise<void>};
+
+  type TokenResponse = {
+    accessToken: string;
+  };
+
+  const maskedToken = '••••••••••••••••••••••••••••••••';
+
+  const props = defineProps<{
+    token: TokenData;
+    accessToken: string | null;
+    schemaOptions: Array<BaseOption>;
+    readOnly?: boolean;
+  }>();
+
+  const copyButton = ref<CopyButtonElement | null>(null);
+  const visibleAccessToken = ref(props.accessToken);
+  const tokenRequest = useHttp<Record<string, never>, TokenResponse>({});
+  const loadingToken = computed(() => tokenRequest.processing);
+
+  const form = useForm({
+    name: props.token.name ?? '',
+    schema: props.token.schemaId?.toString() ?? '',
+    enabled: props.token.enabled,
+    expiryDate: props.token.expiryDate ?? '',
+    accessToken: props.accessToken ?? '',
+  });
+
+  const authorizationHeader = computed(
+    () => `Authorization: Bearer ${visibleAccessToken.value ?? maskedToken}`
+  );
+
+  const routeAction = () =>
+    props.token.id ? update({tokenId: props.token.id}) : store();
+
+  const {save} = useSettingsSave(form, routeAction);
+
+  async function revealToken(tokenId: number) {
+    const data = await tokenRequest.post(revealAccessToken({tokenId}).url);
+    visibleAccessToken.value = data.accessToken;
+
+    return data.accessToken;
+  }
+
+  async function copyHeader() {
+    const tokenId = props.token.id;
+
+    if (!visibleAccessToken.value && tokenId) {
+      (Craft as any).elevatedSessionManager.requireElevatedSession(async () => {
+        await revealToken(tokenId);
+        await nextTick();
+        await copyButton.value?.copyValue();
+      });
+    }
+  }
+
+  async function regenerateToken() {
+    const data = await tokenRequest.post(generate().url);
+    visibleAccessToken.value = data.accessToken;
+    form.accessToken = data.accessToken;
+  }
+</script>
+
+<template>
+  <AppLayout :form="form" :default-form-actions="[]" @save="save">
+    <Pane appearance="raised">
+      <div class="grid gap-3">
+        <CraftInput
+          :label="t('Name')"
+          :help-text="t('What this token will be called in the control panel.')"
+          id="name"
+          name="name"
+          v-model="form.name"
+          :error="form.errors.name"
+          :disabled="readOnly"
+          required
+          autofocus
+        />
+
+        <template v-if="schemaOptions.length">
+          <Select
+            :label="t('GraphQL Schema')"
+            :help-text="
+              t('Choose which GraphQL schema this token has access to.')
+            "
+            id="schema"
+            name="schema"
+            v-model="form.schema"
+            :options="schemaOptions"
+            :error="form.errors.schema"
+            :disabled="readOnly"
+          />
+        </template>
+
+        <craft-callout v-else data-color="warning">
+          {{ t('No schemas exist yet to assign to this token.') }}
+        </craft-callout>
+
+        <hr />
+
+        <CraftInput
+          :label="t('Authorization Header')"
+          :help-text="
+            t(
+              'The `Authorization` header that should be sent with GraphQL API requests to use this token.'
+            )
+          "
+          id="auth-header"
+          class="code ltr"
+          :model-value="authorizationHeader"
+          readonly
+          :disabled="!visibleAccessToken"
+          :error="form.errors.accessToken"
+        >
+          <div slot="suffix" class="flex items-center gap-1">
+            <craft-button
+              v-if="!visibleAccessToken"
+              type="button"
+              size="small"
+              appearance="plain"
+              :disabled="loadingToken"
+              @click="copyHeader"
+            >
+              <craft-icon name="copy" slot="prefix"></craft-icon>
+              {{ t('Copy') }}
+            </craft-button>
+
+            <craft-copy-button
+              v-else
+              ref="copyButton"
+              :value="authorizationHeader"
+              :disabled="loadingToken"
+            />
+
+            <craft-button
+              type="button"
+              size="small"
+              appearance="plain"
+              :disabled="readOnly || loadingToken"
+              @click="regenerateToken"
+            >
+              {{ t('Regenerate') }}
+            </craft-button>
+
+            <craft-spinner v-if="loadingToken" size="small"></craft-spinner>
+          </div>
+        </CraftInput>
+      </div>
+    </Pane>
+
+    <template #footer>
+      <div class="meta">
+        <CraftSwitch
+          :label="t('Enabled')"
+          id="enabled"
+          name="enabled"
+          v-model="form.enabled"
+          :disabled="readOnly"
+          :error="form.errors.enabled"
+        />
+
+        <CraftInput
+          :label="t('Expiry Date')"
+          id="expiryDate"
+          name="expiryDate"
+          type="datetime-local"
+          v-model="form.expiryDate"
+          :disabled="readOnly"
+          :error="form.errors.expiryDate"
+        />
+      </div>
+    </template>
+  </AppLayout>
+</template>
diff --git a/resources/js/pages/graphql/Tokens.vue b/resources/js/pages/graphql/tokens/Index.vue
similarity index 90%
rename from resources/js/pages/graphql/Tokens.vue
rename to resources/js/pages/graphql/tokens/Index.vue
index 81a50a5c082..6dd622682ce 100644
--- a/resources/js/pages/graphql/Tokens.vue
+++ b/resources/js/pages/graphql/tokens/Index.vue
@@ -31,7 +31,9 @@
   }
 
   const props = defineProps<{
-    tokens: Array<TokenData>;
+    tokens: {
+      data: Array<TokenData>;
+    };
     dates: any;
     readOnly: boolean;
   }>();
@@ -56,7 +58,6 @@
           header: t('Name'),
           props: ({row}) => ({
             href: edit({tokenId: row.original.id}).url,
-            inertia: false,
           }),
         }),
         columnHelper.date('lastUsed', {
@@ -71,7 +72,7 @@
       ];
     },
     get data() {
-      return props.tokens;
+      return props.tokens.data;
     },
     state: {
       get columnVisibility() {
@@ -94,7 +95,6 @@
       <CpLink
         :href="create().url"
         icon="plus"
-        :inertia="false"
         appearance="button"
         variant="accent"
         >{{ t('New token') }}</CpLink
@@ -104,13 +104,9 @@
       <AdminTable :table="table">
         <template #empty-row>
           <Empty :label="t('No GraphQL tokens exist yet.')">
-            <CpLink
-              :href="create().url"
-              icon="plus"
-              :inertia="false"
-              appearance="button"
-              >{{ t('New token') }}</CpLink
-            >
+            <CpLink :href="create().url" icon="plus" appearance="button">{{
+              t('New token')
+            }}</CpLink>
           </Empty>
         </template>
       </AdminTable>
diff --git a/resources/js/pages/settings/users/groups/Edit.vue b/resources/js/pages/settings/users/groups/Edit.vue
index 29099c5f13e..bfa896f16a3 100644
--- a/resources/js/pages/settings/users/groups/Edit.vue
+++ b/resources/js/pages/settings/users/groups/Edit.vue
@@ -8,10 +8,6 @@
   import CraftTextarea from '@craftcms/cp/vue/CraftTextarea.vue';
   import Pane from '@/common/components/Pane.vue';
   import PermissionList from '@/modules/permissions/components/PermissionList.vue';
-  import {
-    hasNested,
-    type PermissionItem,
-  } from '@/modules/permissions/helpers/permissions';
   import {destroy, store} from '@actions/Settings/Users/UserGroupsController';
   import {computed} from 'vue';
   import {useSettingsSave} from '@/modules/settings/composables/useSettingsSave';
@@ -20,11 +16,7 @@
   const props = defineProps<{
     group: UserGroup;
     brandNew: boolean;
-    permissions: Array<{
-      heading: string;
-      handle: string;
-      permissions: Record<string, PermissionItem>;
-    }>;
+    permissions: Array<CraftCms.Cms.User.Data.PermissionGroup>;
     formActions?: Array<ActionItem>;
     redirect?: string;
     toolbar?: string;
@@ -48,52 +40,6 @@
     (v) => (form.handle = toHandle(v))
   );
 
-  function getAllKeys(
-    permissions: Record<string, PermissionItem>
-  ): Array<string> {
-    return Object.values(permissions).flatMap((item) => [
-      item.key,
-      ...(hasNested(item) ? getAllKeys(item.nested) : []),
-    ]);
-  }
-
-  const permissionSets = computed(() => {
-    return props.permissions.reduce<Record<string, Array<string>>>(
-      (acc, set) => {
-        acc[set.handle] = getAllKeys(set.permissions).map((v) =>
-          v.toLowerCase()
-        );
-        return acc;
-      },
-      {}
-    );
-  });
-
-  function allSelected(set?: Array<string>) {
-    if (!set) {
-      return false;
-    }
-
-    const selected = new Set(form.permissions);
-    return set.every((key) => selected.has(key));
-  }
-
-  function toggleSet(handle: string) {
-    const setKeys = permissionSets.value[handle];
-    if (!setKeys) {
-      return;
-    }
-
-    if (allSelected(setKeys)) {
-      const keysToRemove = new Set(setKeys);
-      form.permissions = form.permissions.filter(
-        (key) => !keysToRemove.has(key)
-      );
-    } else {
-      form.permissions = [...new Set([...form.permissions, ...setKeys])];
-    }
-  }
-
   // For existing groups, mark handle as already dirty
   if (!props.brandNew) {
     handleGenerator.stop();
@@ -173,28 +119,10 @@
 
       <div class="grid gap-3">
         <div v-for="set in permissions" :key="set.handle">
-          <div class="flex gap-2 items-center">
-            <h3 class="mb-1 text-base" :id="`content-heading-${set.handle}`">
-              {{ set.heading }}
-            </h3>
-
-            <craft-button
-              type="button"
-              size="small"
-              appearance="plain"
-              @click="toggleSet(set.handle)"
-            >
-              <template v-if="allSelected(permissionSets[set.handle])">
-                {{ t('Deselect all') }}
-              </template>
-              <template v-else>
-                {{ t('Select all') }}
-              </template>
-            </craft-button>
-          </div>
-
           <PermissionList
+            :heading="set.heading"
             :permissions="set.permissions"
+            :permission-keys="set.keys"
             v-model="form.permissions"
           />
         </div>
diff --git a/resources/templates/graphql/schemas/_edit.twig b/resources/templates/graphql/schemas/_edit.twig
deleted file mode 100644
index a9fb84ed2fe..00000000000
--- a/resources/templates/graphql/schemas/_edit.twig
+++ /dev/null
@@ -1,166 +0,0 @@
-{% extends "_layouts/cp" %}
-
-{% set selectedSubnavItem = 'schemas' %}
-
-{% set fullPageForm = true %}
-
-{% set formActions = [
-    {
-        label: 'Save and continue editing'|t('app'),
-        redirect: (schema.isPublic ? 'graphql/schemas/public' : 'graphql/schemas/{id}')|hash,
-        shortcut: true,
-        retainScroll: true,
-    },
-] %}
-
-{% set crumbs = [
-    { label: "GraphQL Schemas"|t('app'), url: url('graphql/schemas') }
-] %}
-
-{% import "_includes/forms" as forms %}
-
-{% macro permissionList(schema, permissions, id, disabled, oldPermissions) %}
-
-    {% from "_includes/forms" import checkbox %}
-    {% from _self import permissionList %}
-
-    <ul{% if id %} id="{{ id|replace(':', '-') }}"{% endif %}>
-
-        {% for permissionName, props in permissions %}
-            {% if oldPermissions is not null %}
-                {% set checked = permissionName in oldPermissions %}
-            {% elseif schema.has(permissionName) %}
-                {% set checked = true %}
-            {% else %}
-                {% set checked = false %}
-            {% endif %}
-
-            <li>
-                {{ checkbox({
-                    label: raw(props.label|md(inlineOnly=true, encode=true)),
-                    name: 'permissions[]',
-                    value: permissionName,
-                    checked: checked,
-                    disabled: disabled
-                }) }}
-
-                {% if props.info ?? false %}
-                    <div class="info">{{ props.info }}</div>
-                {% endif %}
-
-                {% if props.warning ?? false %}
-                    <div class="info warning">{{ props.warning }}</div>
-                {% endif %}
-
-                {% if props.nested ?? false %}
-                    {{ permissionList(schema, props.nested, permissionName~'-nested', not checked, oldPermissions) }}
-                {% endif %}
-            </li>
-        {% endfor %}
-    </ul>
-{% endmacro %}
-
-{% from _self import permissionList %}
-{% set oldPermissions = session('_old_input') ? old('permissions', []) : null %}
-
-
-{% do registerLegacyAsset("CraftCms\\Cms\\View\\LegacyAssets\\UserPermissionsAsset") %}
-
-{% block content %}
-    {{ actionInput(schema.isPublic ? 'graphql/save-public-schema' : 'graphql/save-schema') }}
-    {{ redirectInput('graphql/schemas') }}
-    {% if schema.id %}{{ hiddenInput('schemaId', schema.id) }}{% endif %}
-
-    {% if not schema.isPublic %}
-        {{ forms.textField({
-            first: true,
-            label: "Name"|t('app'),
-            instructions: "What this schema will be called in the control panel."|t('app'),
-            id: 'name',
-            name: 'name',
-            value: old('name', schema.name),
-            errors: schema.errors.get('name'),
-            autofocus: true,
-            required: true
-        }) }}
-
-        <hr>
-    {% endif %}
-
-    <h2>{{ 'Choose the available content for querying with this schema:'|t('app') }}</h2>
-
-    {% set schemaComponents = Gql.getAllSchemaComponents() %}
-
-    {% for category, catPermissions in schemaComponents.queries|filter %}
-        {% set headingId = "content-heading-#{random()}" %}
-        <div class="user-permissions">
-            <h3 id="{{ headingId }}">{{ category }}</h3>
-            <button type="button" class="select-all" aria-describedby="{{ headingId }}"></button>
-
-            {{ permissionList(schema, catPermissions, null, false, oldPermissions) }}
-        </div>
-    {% endfor %}
-
-    <hr>
-    <h2>{{ 'Choose the available mutations for this schema:'|t('app') }}</h2>
-
-    {% for category, catPermissions in schemaComponents.mutations|filter %}
-        {% set headingId = "mutation-heading-#{random()}" %}
-        <div class="user-permissions">
-            <h3 id="{{ headingId }}">{{ category }}</h3>
-            <button type="button" class="select-all" aria-describedby="{{ headingId }}"></button>
-
-            {{ permissionList(schema, catPermissions, null, false, oldPermissions) }}
-        </div>
-    {% endfor %}
-
-  <hr>
-  <h2>{{ 'Choose optional features available to this schema:'|t('app') }}</h2>
-
-  <div class="user-permissions">
-    {{ permissionList(schema, {
-      'directive:parseRefs': {
-        label: '{name} directive'|t('app', {
-          name: '`@parseRefs`',
-        }),
-        warning: 'Can be exploited to reveal sensitive content by information disclosure attacks.'|t('app'),
-      },
-      'directive:transform': not config('craft.general.disableGraphqlTransformDirective') ? {
-        label: '{name} directive'|t('app', {
-          name: '`@transform`',
-        }),
-        warning: 'Can be exploited by DoS attacks.'|t('app'),
-      },
-    }|filter, null, false, oldPermissions) }}
-  </div>
-
-{% endblock %}
-
-{% block details %}
-    {% if schema.isPublic %}
-        <div class="meta">
-            {{ forms.lightswitchField({
-                label: 'Enabled'|t('app'),
-                id: 'enabled',
-                name: 'enabled',
-                on: old('enabled', token.enabled),
-            }) }}
-
-            {{ forms.dateTimeField({
-                label: "Expiry Date"|t('app'),
-                id: 'expiryDate',
-                name: 'expiryDate',
-                value: old('expiryDate', token.expiryDate ? token.expiryDate : null),
-                errors: token.errors.get('expiryDate')
-            }) }}
-        </div>
-    {% endif %}
-{% endblock %}
-
-{% js %}
-    $('.user-permissions').each((i, wrapper) => {
-        new Craft.UserPermissions(wrapper);
-    });
-
-    new Craft.ElevatedSessionForm('#main-form');
-{% endjs %}
diff --git a/resources/templates/graphql/tokens/_edit.twig b/resources/templates/graphql/tokens/_edit.twig
deleted file mode 100644
index 2a8435323ef..00000000000
--- a/resources/templates/graphql/tokens/_edit.twig
+++ /dev/null
@@ -1,165 +0,0 @@
-{% extends "_layouts/cp" %}
-
-{% set selectedSubnavItem = 'tokens' %}
-
-{% set fullPageForm = true %}
-
-{% set crumbs = [
-    { label: "GraphQL Tokens"|t('app'), url: url('graphql/tokens') }
-] %}
-
-{% import "_includes/forms" as forms %}
-
-{% block content %}
-    <input type="hidden" name="action" value="graphql/save-token">
-    {{ redirectInput('graphql/tokens') }}
-    {% if token.id %}<input type="hidden" name="tokenId" value="{{ token.id }}">{% endif %}
-
-    {{ forms.textField({
-        first: true,
-        label: "Name"|t('app'),
-        instructions: "What this token will be called in the control panel."|t('app'),
-        id: 'name',
-        name: 'name',
-        value: old('name', token.name),
-        errors: token.errors.get('name'),
-        autofocus: true,
-        required: true,
-    }) }}
-
-    {% set schemaInput = schemaOptions
-        ? forms.selectField({
-            name: 'schema',
-            id: 'schema',
-            options: schemaOptions,
-            value: old('schema', token.schemaId),
-        })
-        : tag('p', {
-            class: ['warning', 'with-icon'],
-            text: 'No schemas exist yet to assign to this token.'|t('app'),
-        })
-    %}
-
-    {{ forms.field({
-        id: 'schema',
-        label: 'GraphQL Schema',
-        instructions: 'Choose which GraphQL schema this token has access to.',
-    }, schemaInput) }}
-
-    <hr>
-
-    {% embed '_includes/forms/field' with {
-        label: 'Authorization Header'|t('app'),
-        instructions: 'The `Authorization` header that should be sent with GraphQL API requests to use this token.'|t('app'),
-        id: 'auth-header',
-    } %}
-        {% block input %}
-            {% import '_includes/forms' as forms %}
-            <div class="flex">
-                {% embed '_includes/forms/copytext' with {
-                    id: 'auth-header',
-                    buttonId: 'copy-btn',
-                    value: 'Authorization: Bearer ' ~ (accessToken ?? '••••••••••••••••••••••••••••••••'),
-                    errors: token.errors.get('accessToken'),
-                    class: ['code', not accessToken ? 'disabled']|filter,
-                    size: 54,
-                } %}
-                    {# don't register the default JS #}
-                    {% block js %}{% endblock %}
-                {% endembed %}
-                {{ hiddenInput('accessToken', accessToken, {
-                    id: 'access-token',
-                    disabled: not accessToken,
-                }) }}
-                <button type="button" id="regen-btn" class="btn">{{ 'Regenerate'|t('app') }}</button>
-                <div id="token-spinner" class="spinner hidden"></div>
-            </div>
-        {% endblock %}
-    {% endembed %}
-{% endblock %}
-
-{% block details %}
-    <div class="meta">
-        {{ forms.lightswitchField({
-            label: 'Enabled'|t('app'),
-            id: 'enabled',
-            name: 'enabled',
-            on: old('enabled', token.enabled),
-        }) }}
-
-        {{ forms.dateTimeField({
-            label: "Expiry Date"|t('app'),
-            id: 'expiryDate',
-            name: 'expiryDate',
-            value: old('expiryDate', token.expiryDate ? token.expiryDate : null),
-            errors: token.errors.get('expiryDate')
-        }) }}
-    </div>
-{% endblock %}
-
-{% js %}
-    var $headerInput = $('#auth-header');
-    var $tokenInput = $('#access-token');
-    var $regenBtn = $('#regen-btn');
-    var regenerating = false;
-
-    function copyHeader() {
-        $headerInput[0].select();
-        document.execCommand('copy');
-        Craft.cp.displayNotice("{{ 'Copied to clipboard.'|t('app')|e('js') }}");
-    }
-
-    $headerInput.on('click', function() {
-        if (!$headerInput.hasClass('disabled')) {
-            this.select();
-        }
-    });
-
-    $('#copy-btn').on('click', function() {
-        if (!$headerInput.hasClass('disabled')) {
-            copyHeader();
-        } else {
-            Craft.elevatedSessionManager.requireElevatedSession(function() {
-            $('#token-spinner').removeClass('hidden');
-            var data = {{ {tokenUid: token.uid}|json_encode|raw }};
-            Craft.sendActionRequest('POST', 'graphql/fetch-token', {data})
-                .then((response) => {
-                    $('#token-spinner').addClass('hidden');
-                    $headerInput
-                        .val('Authorization: Bearer ' + response.data.accessToken)
-                        .removeClass('disabled');
-                    copyHeader();
-                })
-                .finally(() => {
-                    $('#token-spinner').addClass('hidden');
-                });
-            });
-        }
-    });
-
-    $regenBtn.on('click', function() {
-        if (regenerating) {
-            return;
-        }
-        regenerating = true;
-        $('#token-spinner').removeClass('hidden');
-        $regenBtn.addClass('active');
-
-        Craft.sendActionRequest('POST', 'graphql/generate-token')
-            .then((response) => {
-                $headerInput
-                    .val('Authorization: Bearer ' + response.data.accessToken)
-                    .removeClass('disabled');
-                $tokenInput
-                    .val(response.data.accessToken)
-                    .prop('disabled', false);
-                $regenBtn.removeClass('active');
-                regenerating = false;
-            })
-            .finally(() => {
-                $('#token-spinner').addClass('hidden');
-            });
-        });
-
-    new Craft.ElevatedSessionForm('#main-form');
-{% endjs %}
diff --git a/routes/actions.php b/routes/actions.php
index 8536fb47457..cfda131975d 100644
--- a/routes/actions.php
+++ b/routes/actions.php
@@ -55,8 +55,6 @@
 use CraftCms\Cms\Http\Controllers\Entries\StoreEntryController;
 use CraftCms\Cms\Http\Controllers\FieldsController;
 use CraftCms\Cms\Http\Controllers\Gql\ApiController as GqlApiController;
-use CraftCms\Cms\Http\Controllers\Gql\SchemasController as GqlSchemasController;
-use CraftCms\Cms\Http\Controllers\Gql\TokensController as GqlTokensController;
 use CraftCms\Cms\Http\Controllers\IconController;
 use CraftCms\Cms\Http\Controllers\InstallController;
 use CraftCms\Cms\Http\Controllers\MatrixController;
@@ -338,24 +336,6 @@
         // FindAndReplace
         Route::post('utilities/find-and-replace-perform-action', FindAndReplaceController::class);
 
-        // GraphQL
-        Route::middleware([RequireAdmin::class])->group(function () {
-            Route::post('graphql/generate-token', [GqlTokensController::class, 'generate']);
-
-            Route::middleware('password.confirm')->group(function () {
-                Route::post('graphql/save-token', [GqlTokensController::class, 'store']);
-                Route::post('graphql/fetch-token', [GqlTokensController::class, 'fetch']);
-            });
-        });
-
-        Route::middleware([RequireAdminChanges::class])->group(function () {
-
-            Route::middleware('password.confirm')->group(function () {
-                Route::post('graphql/save-schema', [GqlSchemasController::class, 'save']);
-                Route::post('graphql/save-public-schema', [GqlSchemasController::class, 'savePublic']);
-            });
-        });
-
         // Matrix
         Route::post('matrix/default-table-column-options', [MatrixController::class, 'defaultTableColumnOptions']);
         Route::post('matrix/create-entry', [MatrixController::class, 'createEntry']);
diff --git a/routes/cp.php b/routes/cp.php
index 206fc6effd0..f3d8116a269 100644
--- a/routes/cp.php
+++ b/routes/cp.php
@@ -205,18 +205,34 @@
         // GraphQL
         Route::get('graphql', GqlIndexController::class);
         Route::get('graphiql', GraphiqlController::class);
-        Route::get('graphql/tokens', [TokensController::class, 'index']);
-        Route::get('graphql/tokens/new', [TokensController::class, 'create']);
-        Route::get('graphql/tokens/{tokenId}', [TokensController::class, 'edit'])->whereNumber('tokenId');
+
+        Route::prefix('graphql/tokens')->name('graphql.tokens.')->group(function () {
+            Route::get('/', [TokensController::class, 'index'])->name('index');
+            Route::get('new', [TokensController::class, 'create'])->name('create');
+            Route::get('{tokenId}', [TokensController::class, 'edit'])->whereNumber('tokenId')->name('edit');
+            Route::post('generate', [TokensController::class, 'generate'])->name('generate');
+
+            Route::middleware('password.confirm')->group(function () {
+                Route::post('/', [TokensController::class, 'store'])->name('store');
+                Route::patch('{tokenId}', [TokensController::class, 'update'])->whereNumber('tokenId')->name('update');
+                Route::post('{tokenId}/access-token', [TokensController::class, 'accessToken'])->whereNumber('tokenId')->name('accessToken');
+            });
+        });
 
         Route::middleware(RequireAdminChanges::class)->group(function () {
-            Route::get('graphql/schemas', [SchemasController::class, 'index']);
-            Route::get('graphql/schemas/new', [SchemasController::class, 'create']);
-            Route::get('graphql/schemas/public', [SchemasController::class, 'editPublic']);
-            Route::get('graphql/schemas/{schemaId}', [SchemasController::class, 'edit'])->whereNumber('schemaId');
-            Route::delete('graphql/schemas/{schemaId}', [SchemasController::class, 'destroy'])->whereNumber('schemaId');
+            Route::prefix('graphql/schemas')->name('graphql.schemas.')->group(function () {
+                Route::get('/', [SchemasController::class, 'index'])->name('index');
+                Route::get('new', [SchemasController::class, 'create'])->name('create');
+                Route::get('{schemaId}', [SchemasController::class, 'edit'])->where('schemaId', 'public|\d+')->name('edit');
+                Route::delete('{schemaId}', [SchemasController::class, 'destroy'])->whereNumber('schemaId')->name('destroy');
+
+                Route::middleware('password.confirm')->group(function () {
+                    Route::post('/', [SchemasController::class, 'store'])->name('store');
+                    Route::patch('{schemaId}', [SchemasController::class, 'update'])->where('schemaId', 'public|\d+')->name('update');
+                });
+            });
 
-            Route::delete('graphql/tokens/{tokenId}', [TokensController::class, 'destroy'])->whereNumber('tokenId');
+            Route::delete('graphql/tokens/{tokenId}', [TokensController::class, 'destroy'])->whereNumber('tokenId')->name('graphql.tokens.destroy');
         });
 
         // Plugins
diff --git a/src/Http/Controllers/Gql/SchemasController.php b/src/Http/Controllers/Gql/SchemasController.php
index 62f91b5f10b..12f5d8e984f 100644
--- a/src/Http/Controllers/Gql/SchemasController.php
+++ b/src/Http/Controllers/Gql/SchemasController.php
@@ -4,15 +4,19 @@
 
 namespace CraftCms\Cms\Http\Controllers\Gql;
 
+use CraftCms\Cms\Cms;
 use CraftCms\Cms\Gql\Data\GqlSchema;
 use CraftCms\Cms\Gql\Data\GqlToken;
 use CraftCms\Cms\Gql\Gql;
 use CraftCms\Cms\Http\RespondsWithFlash;
+use CraftCms\Cms\Http\Responses\CpScreenResponse;
 use CraftCms\Cms\Support\DateTimeHelper;
-use CraftCms\Cms\Support\Flash;
+use CraftCms\Cms\Support\Facades\HtmlStack;
 use CraftCms\Cms\Support\Url;
-use Illuminate\Contracts\View\View;
+use CraftCms\Cms\User\Data\Permission;
+use CraftCms\Cms\User\Data\PermissionGroup;
 use Illuminate\Http\Request;
+use Illuminate\Support\Collection;
 use Inertia\Inertia;
 use Symfony\Component\HttpFoundation\Response;
 
@@ -33,7 +37,7 @@ public function index()
         // Ensure the public schema exists so the table stays aligned with the legacy UI.
         $this->gql->getPublicSchema();
 
-        return Inertia::render('graphql/Schemas', [
+        return Inertia::render('graphql/schemas/Index', [
             'crumbs' => fn () => [
                 ['label' => t('GraphQL'), 'url' => Url::cpUrl('graphql/schemas')],
                 ['label' => t('Schemas')],
@@ -43,40 +47,39 @@ public function index()
         ]);
     }
 
-    public function create(): View
+    public function create(): CpScreenResponse
     {
-        return $this->renderEditSchema(new GqlSchema);
+        return $this->editScreen(new GqlSchema);
     }
 
-    public function edit(int $schemaId): View
+    public function edit(string|int $schemaId): CpScreenResponse
     {
-        $schema = $this->gql->getSchemaById($schemaId);
+        [$schema, $token] = $this->resolveSchema($schemaId);
 
-        abort_if(is_null($schema), 404, 'Schema not found');
-
-        return $this->renderEditSchema($schema);
+        return $this->editScreen($schema, $token);
     }
 
-    public function editPublic(): View
+    public function store(Request $request): Response
     {
-        return $this->renderEditPublicSchema(
-            $this->gql->getPublicSchema(),
-            $this->gql->getPublicToken(),
-        );
+        return $this->saveSchema($request, new GqlSchema);
     }
 
-    public function save(Request $request): Response
+    public function update(Request $request, string|int $schemaId): Response
     {
-        $schemaId = $request->input('schemaId');
+        [$schema, $token] = $this->resolveSchema($schemaId);
 
-        if ($schemaId) {
-            $schema = $this->gql->getSchemaById((int) $schemaId);
+        return $this->saveSchema($request, $schema, $token);
+    }
 
-            abort_if(is_null($schema), 404, 'Schema not found');
-        } else {
-            $schema = new GqlSchema;
-        }
+    public function destroy(Request $request, int $schemaId): Response
+    {
+        $this->gql->deleteSchemaById($schemaId);
 
+        return $this->asSuccess(t('Schema deleted.'));
+    }
+
+    private function saveSchema(Request $request, GqlSchema $schema, ?GqlToken $token = null): Response
+    {
         if ($request->has('name')) {
             $schema->name = $request->input('name');
         }
@@ -85,22 +88,13 @@ public function save(Request $request): Response
         $schema->scope = is_array($permissions) ? $permissions : [$permissions];
 
         if (! $this->gql->saveSchema($schema)) {
-            return $this->invalidSchemaResponse($request, $schema, t('Couldn’t save schema.'));
+            return $this->asModelFailure($schema, t('Couldn’t save schema.'), 'schema', array_filter([
+                'token' => $token?->toArray(),
+            ]));
         }
 
-        return $this->asModelSuccess($schema, t('Schema saved.'), 'schema');
-    }
-
-    public function savePublic(Request $request): View|Response
-    {
-        $schema = $this->gql->getPublicSchema();
-        $token = $this->gql->getPublicToken();
-
-        $permissions = $request->input('permissions', []);
-        $schema->scope = is_array($permissions) ? $permissions : [$permissions];
-
-        if (! $this->gql->saveSchema($schema)) {
-            return $this->invalidPublicSchemaSchemaResponse($request, $schema, $token, t('Couldn’t save schema.'));
+        if (! $token) {
+            return $this->asModelSuccess($schema, t('Schema saved.'), 'schema');
         }
 
         $token->enabled = (bool) $request->input('enabled');
@@ -110,86 +104,120 @@ public function savePublic(Request $request): View|Response
         }
 
         if (! $this->gql->saveToken($token)) {
-            return $this->invalidPublicSchemaTokenResponse($request, $schema, $token, t('Couldn’t save public schema settings.'));
+            return $this->asModelFailure($token, t('Couldn’t save public schema settings.'), 'token', [
+                'schema' => $schema->toArray(),
+            ]);
         }
 
         return $this->asSuccess(t('Schema saved.'));
     }
 
-    public function destroy(Request $request, int $schemaId): Response
+    private function resolveSchema(string|int $schemaId): array
     {
-        $this->gql->deleteSchemaById($schemaId);
+        if ($schemaId === 'public') {
+            $schema = $this->gql->getPublicSchema();
+            $token = $this->gql->getPublicToken();
 
-        return $this->asSuccess(t('Schema deleted.'));
-    }
+            abort_if(! $schema || ! $token, 404, 'Public schema not found');
 
-    private function invalidSchemaResponse(Request $request, GqlSchema $schema, string $message): Response
-    {
-        if ($request->expectsJson()) {
-            return $this->asModelFailure($schema, $message, 'schema');
+            return [$schema, $token];
         }
 
-        Flash::error($message);
+        $schema = $this->gql->getSchemaById((int) $schemaId);
 
-        return response($this->renderEditSchema($schema));
-    }
-
-    private function invalidPublicSchemaSchemaResponse(
-        Request $request,
-        GqlSchema $schema,
-        GqlToken $token,
-        string $message,
-    ): Response|View {
-        if ($request->expectsJson()) {
-            return $this->asModelFailure($schema, $message, 'schema', [
-                'token' => $token->toArray(),
-            ]);
-        }
-
-        Flash::error($message);
+        abort_if(is_null($schema), 404, 'Schema not found');
 
-        return $this->renderEditPublicSchema($schema, $token);
+        return [$schema, null];
     }
 
-    private function invalidPublicSchemaTokenResponse(
-        Request $request,
-        GqlSchema $schema,
-        GqlToken $token,
-        string $message,
-    ): View|Response {
-        if ($request->expectsJson()) {
-            return $this->asModelFailure($token, $message, 'token', [
+    private function editScreen(GqlSchema $schema, ?GqlToken $token = null): CpScreenResponse
+    {
+        $title = $schema->isPublic
+            ? t('Edit the public GraphQL schema')
+            : ($schema->id
+                ? trim((string) $schema->name) ?: t('Edit GraphQL Schema')
+                : t('Create a new GraphQL Schema'));
+
+        return new CpScreenResponse()
+            ->title($title)
+            ->selectedSubnavItem('schemas')
+            ->crumbs([
+                ['label' => t('GraphQL Schemas'), 'url' => 'graphql/schemas'],
+                ['label' => $title],
+            ])
+            ->redirectUrl($schema->isPublic ? 'graphql/schemas/public' : 'graphql/schemas/{id}')
+            ->inertiaPage('graphql/schemas/Edit', [
                 'schema' => $schema->toArray(),
-            ]);
-        }
-
-        Flash::error($message);
-
-        return $this->renderEditPublicSchema($schema, $token);
+                'token' => $token ? [
+                    'id' => $token->id,
+                    'enabled' => $token->enabled,
+                    'expiryDate' => $token->expiryDate?->format('Y-m-d\TH:i'),
+                ] : null,
+                'permissions' => $this->schemaPermissionGroups(),
+            ])
+            ->prepareScreen(function (CpScreenResponse $response, string $containerId) {
+                HtmlStack::jsWithVars(
+                    fn ($containerId) => <<<JS
+                        new Craft.ElevatedSessionForm('#' + $containerId, [
+                            '.user-permissions input[type="checkbox"]:not(:checked)'
+                        ]);
+                    JS,
+                    [$containerId],
+                );
+            });
     }
 
-    private function renderEditSchema(GqlSchema $schema): View
+    private function schemaPermissionGroups(): Collection
     {
-        $name = trim((string) $schema->name) ?: null;
-
-        $title = $schema->id
-            ? $name ?? t('Edit GraphQL Schema')
-            : $name ?? t('Create a new GraphQL Schema');
+        $schemaComponents = $this->gql->getAllSchemaComponents();
+        $optionalPermissions = [
+            'directive:parseRefs' => [
+                'label' => t('{name} directive', [
+                    'name' => '@parseRefs',
+                ]),
+                'warning' => t('Can be exploited to reveal sensitive content by information disclosure attacks.'),
+            ],
+        ];
+
+        if (! Cms::config()->disableGraphqlTransformDirective) {
+            $optionalPermissions['directive:transform'] = [
+                'label' => t('{name} directive', [
+                    'name' => '@transform',
+                ]),
+                'warning' => t('Can be exploited by DoS attacks.'),
+            ];
+        }
 
-        return view('graphql.schemas._edit', compact(
-            'schema',
-            'title',
-        ));
+        return $this->permissionGroups($schemaComponents['queries'])
+            ->merge($this->permissionGroups($schemaComponents['mutations']))
+            ->push(new PermissionGroup(
+                t('Optional Features'),
+                $this->permissionList($optionalPermissions),
+            ));
     }
 
-    private function renderEditPublicSchema(GqlSchema $schema, GqlToken $token): View
+    private function permissionGroups(array $categories): Collection
     {
-        $title = t('Edit the public GraphQL schema');
+        return collect($categories)
+            ->filter()
+            ->map(fn (array $permissions, string $heading) => new PermissionGroup(
+                $heading,
+                $this->permissionList($permissions),
+            ))
+            ->values();
+    }
 
-        return view('graphql.schemas._edit', compact(
-            'schema',
-            'token',
-            'title',
-        ));
+    private function permissionList(array $permissions): Collection
+    {
+        return collect($permissions)
+            ->map(fn (array $props, string $key) => new Permission(
+                key: $key,
+                label: $props['label'] ?? $key,
+                info: $props['info'] ?? null,
+                warning: $props['warning'] ?? null,
+                nested: isset($props['nested'])
+                    ? $this->permissionList($props['nested'])
+                    : new Collection,
+            ));
     }
 }
diff --git a/src/Http/Controllers/Gql/TokensController.php b/src/Http/Controllers/Gql/TokensController.php
index 8fddcdac8bc..e69e67939ef 100644
--- a/src/Http/Controllers/Gql/TokensController.php
+++ b/src/Http/Controllers/Gql/TokensController.php
@@ -8,13 +8,13 @@
 use CraftCms\Cms\Gql\Gql;
 use CraftCms\Cms\Gql\Resources\GqlTokenResource;
 use CraftCms\Cms\Http\RespondsWithFlash;
+use CraftCms\Cms\Http\Responses\CpScreenResponse;
 use CraftCms\Cms\Support\DateTimeHelper;
-use CraftCms\Cms\Support\Flash;
-use Illuminate\Contracts\View\View;
+use CraftCms\Cms\Support\Facades\HtmlStack;
+use CraftCms\Cms\Support\Url;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
 use Inertia\Inertia;
-use InvalidArgumentException;
 use Symfony\Component\HttpFoundation\Response;
 
 use function CraftCms\Cms\t;
@@ -31,61 +31,42 @@ public function __construct(
 
     public function index()
     {
-        return Inertia::render('graphql/Tokens', [
+        return Inertia::render('graphql/tokens/Index', [
+            'crumbs' => fn () => [
+                ['label' => t('GraphQL'), 'url' => Url::cpUrl('graphql/tokens')],
+                ['label' => t('Tokens')],
+            ],
+            'title' => t('GraphQL Tokens'),
             'tokens' => GqlTokenResource::collection($this->gql->getTokens()),
         ]);
     }
 
-    public function create(): View
+    public function create(): CpScreenResponse
     {
-        return $this->renderEditToken(new GqlToken, accessToken: $this->gql->generateToken());
+        return $this->editScreen(new GqlToken, accessToken: $this->gql->generateToken());
     }
 
-    public function edit(int $tokenId): View
+    public function edit(int $tokenId): CpScreenResponse
     {
         $token = $this->gql->getTokenById($tokenId);
 
-        if (! $token || $token->getIsPublic()) {
-            abort(404, 'Token not found');
-        }
+        abort_if(! $token || $token->getIsPublic(), 404, 'Token not found');
 
-        return $this->renderEditToken($token);
+        return $this->editScreen($token);
     }
 
     public function store(Request $request): Response
     {
-        $tokenId = $request->input('tokenId');
-
-        if ($tokenId) {
-            $token = $this->gql->getTokenById((int) $tokenId);
-
-            abort_if(! $token, 404, 'Token not found');
-        } else {
-            $token = new GqlToken;
-        }
-
-        if ($request->has('name')) {
-            $token->name = $request->input('name');
-        }
-
-        if ($request->has('accessToken')) {
-            $token->accessToken = $request->input('accessToken');
-        }
-
-        $token->enabled = (bool) $request->input('enabled');
-
-        $schemaId = $request->input('schema');
-        $token->schemaId = is_numeric($schemaId) ? (int) $schemaId : null;
+        return $this->saveToken($request, new GqlToken);
+    }
 
-        if ($request->has('expiryDate')) {
-            $token->expiryDate = DateTimeHelper::toDateTime($request->input('expiryDate')) ?: null;
-        }
+    public function update(Request $request, int $tokenId): Response
+    {
+        $token = $this->gql->getTokenById($tokenId);
 
-        if (! $this->gql->saveToken($token)) {
-            return $this->invalidTokenResponse($request, $token, t('Couldn’t save token.'));
-        }
+        abort_if(! $token || $token->getIsPublic(), 404, 'Token not found');
 
-        return $this->asModelSuccess($token, t('Schema saved.'), 'token');
+        return $this->saveToken($request, $token);
     }
 
     public function destroy(Request $request, int $tokenId): Response
@@ -95,61 +76,107 @@ public function destroy(Request $request, int $tokenId): Response
         return $this->asSuccess(t('Token deleted.'));
     }
 
-    public function fetch(Request $request): JsonResponse
+    public function accessToken(int $tokenId): JsonResponse
     {
-        abort_unless($request->expectsJson(), 400, 'Request must accept JSON in response');
-
-        $tokenUid = $request->validate([
-            'tokenUid' => ['required', 'string'],
-        ])['tokenUid'];
+        $token = $this->gql->getTokenById($tokenId);
 
-        try {
-            $token = $this->gql->getTokenByUid($tokenUid);
-        } catch (InvalidArgumentException) {
-            abort(400, 'Invalid schema UID.');
-        }
+        abort_if(! $token || $token->getIsPublic(), 404, 'Token not found');
 
         return new JsonResponse([
             'accessToken' => $token->accessToken,
         ]);
     }
 
-    public function generate(Request $request): JsonResponse
+    public function generate(): JsonResponse
     {
-        abort_unless($request->expectsJson(), 400, 'Request must accept JSON in response');
-
         return new JsonResponse([
             'accessToken' => $this->gql->generateToken(),
         ]);
     }
 
-    private function invalidTokenResponse(Request $request, GqlToken $token, string $message): Response
+    private function saveToken(Request $request, GqlToken $token): Response
     {
-        if ($request->expectsJson()) {
-            return $this->asModelFailure($token, $message, 'token');
+        if ($request->has('name')) {
+            $token->name = $request->input('name');
         }
 
-        Flash::error($message);
+        if ($request->filled('accessToken')) {
+            $token->accessToken = $request->input('accessToken');
+        }
 
-        return response($this->renderEditToken(
-            $token,
-            accessToken: $token->id ? null : ($token->accessToken ?: $this->gql->generateToken()),
-        ));
+        $token->enabled = (bool) $request->input('enabled');
+
+        $schemaId = $request->input('schema');
+        $token->schemaId = is_numeric($schemaId) ? (int) $schemaId : null;
+
+        if ($request->has('expiryDate')) {
+            $token->expiryDate = DateTimeHelper::toDateTime($request->input('expiryDate')) ?: null;
+        }
+
+        if (! $this->gql->saveToken($token)) {
+            return $this->asModelFailure($token, t('Couldn’t save token.'), 'token');
+        }
+
+        return $this->asModelSuccess($token, t('Token saved.'), 'token');
     }
 
-    private function renderEditToken(GqlToken $token, ?string $accessToken = null): View
+    private function editScreen(GqlToken $token, ?string $accessToken = null): CpScreenResponse
+    {
+        $name = trim((string) $token->name) ?: null;
+
+        $title = $token->id
+            ? $name ?? t('Edit GraphQL Token')
+            : $name ?? t('Create a new GraphQL token');
+
+        return new CpScreenResponse()
+            ->title($title)
+            ->selectedSubnavItem('tokens')
+            ->crumbs([
+                ['label' => t('GraphQL Tokens'), 'url' => 'graphql/tokens'],
+                ['label' => $title],
+            ])
+            ->redirectUrl('graphql/tokens')
+            ->inertiaPage('graphql/tokens/Edit', [
+                'token' => $this->tokenData($token),
+                'accessToken' => $accessToken,
+                'schemaOptions' => $this->schemaOptions($token),
+            ])
+            ->prepareScreen(function (CpScreenResponse $response, string $containerId) {
+                HtmlStack::jsWithVars(
+                    fn ($containerId) => <<<JS
+                        new Craft.ElevatedSessionForm('#' + $containerId);
+                    JS,
+                    [$containerId],
+                );
+            });
+    }
+
+    private function tokenData(GqlToken $token): array
+    {
+        return [
+            'id' => $token->id,
+            'uid' => $token->uid,
+            'name' => $token->name,
+            'schemaId' => $token->schemaId,
+            'enabled' => $token->enabled,
+            'expiryDate' => $token->expiryDate?->format('Y-m-d\TH:i'),
+        ];
+    }
+
+    private function schemaOptions(GqlToken $token): array
     {
-        $schemas = $this->gql->getSchemas();
         $publicSchema = $this->gql->getPublicSchema();
         $schemaOptions = [];
 
-        foreach ($schemas as $schema) {
-            if (! $publicSchema || $schema->id !== $publicSchema->id) {
-                $schemaOptions[] = [
-                    'label' => $schema->name,
-                    'value' => $schema->id,
-                ];
+        foreach ($this->gql->getSchemas() as $schema) {
+            if ($publicSchema && $schema->id === $publicSchema->id) {
+                continue;
             }
+
+            $schemaOptions[] = [
+                'label' => $schema->name,
+                'value' => (string) $schema->id,
+            ];
         }
 
         if ($token->id && ! $token->schemaId && $schemaOptions !== []) {
@@ -159,17 +186,6 @@ private function renderEditToken(GqlToken $token, ?string $accessToken = null):
             ]);
         }
 
-        $name = trim((string) $token->name) ?: null;
-
-        $title = $token->id
-            ? $name ?? t('Edit GraphQL Token')
-            : $name ?? t('Create a new GraphQL token');
-
-        return view('graphql.tokens._edit', compact(
-            'token',
-            'title',
-            'accessToken',
-            'schemaOptions',
-        ));
+        return $schemaOptions;
     }
 }
diff --git a/src/User/Data/Permission.php b/src/User/Data/Permission.php
index 5b7d87b4c71..db1a5858b53 100644
--- a/src/User/Data/Permission.php
+++ b/src/User/Data/Permission.php
@@ -14,7 +14,7 @@ public function __construct(
         public string $label,
         public ?string $info = null,
         public ?string $warning = null,
-        /** @var Collection<Permission> */
+        /** @var Collection<string, Permission> */
         public Collection $nested = new Collection,
     ) {}
 
diff --git a/src/User/Data/PermissionGroup.php b/src/User/Data/PermissionGroup.php
index c9d1239e452..1b2a3b499e3 100644
--- a/src/User/Data/PermissionGroup.php
+++ b/src/User/Data/PermissionGroup.php
@@ -12,16 +12,36 @@ class PermissionGroup implements Arrayable
 {
     public function __construct(
         public string $heading,
-        /** @var Collection<Permission> */
+        /** @var Collection<string, Permission> */
         public Collection $permissions = new Collection,
     ) {}
 
+    public string $handle {
+        get => Str::toHandle($this->heading);
+    }
+
+    /** @var string[] */
+    public array $keys {
+        get => $this->permissionKeys($this->permissions);
+    }
+
     public function toArray(): array
     {
         return [
             'heading' => $this->heading,
-            'handle' => Str::toHandle($this->heading),
+            'handle' => $this->handle,
             'permissions' => $this->permissions->keyBy('key')->toArray(),
+            'keys' => $this->keys,
         ];
     }
+
+    private function permissionKeys(Collection $permissions): array
+    {
+        return $permissions
+            ->flatMap(fn (Permission $permission) => [
+                $permission->key,
+                ...$this->permissionKeys($permission->nested),
+            ])
+            ->all();
+    }
 }
diff --git a/tests/Feature/Http/Controllers/Gql/SchemasControllerTest.php b/tests/Feature/Http/Controllers/Gql/SchemasControllerTest.php
index 3436cced4f7..239e153237c 100644
--- a/tests/Feature/Http/Controllers/Gql/SchemasControllerTest.php
+++ b/tests/Feature/Http/Controllers/Gql/SchemasControllerTest.php
@@ -15,10 +15,10 @@
 use Inertia\Testing\AssertableInertia;
 
 use function CraftCms\Cms\cp_url;
-use function CraftCms\Cms\t;
 use function Pest\Laravel\actingAs;
 use function Pest\Laravel\deleteJson;
 use function Pest\Laravel\get;
+use function Pest\Laravel\patchJson;
 use function Pest\Laravel\postJson;
 
 beforeEach(function () {
@@ -48,12 +48,12 @@
     get(cp_url('graphql/schemas/public'))->assertForbidden();
     get(action([SchemasController::class, 'edit'], ['schemaId' => $schema->id]))->assertForbidden();
 
-    postJson(cp_url('actions/graphql/save-schema'), [
+    postJson(action([SchemasController::class, 'store']), [
         'name' => 'Protected Schema',
         'permissions' => schemaControllerScope(),
     ])->assertForbidden();
 
-    postJson(cp_url('actions/graphql/save-public-schema'), [
+    patchJson(action([SchemasController::class, 'update'], ['schemaId' => 'public']), [
         'permissions' => schemaControllerScope(),
         'enabled' => true,
     ])->assertForbidden();
@@ -68,41 +68,57 @@
     get(action([SchemasController::class, 'index']))->assertForbidden();
     get(action([SchemasController::class, 'create']))->assertForbidden();
     get(action([SchemasController::class, 'edit'], ['schemaId' => $schema->id]))->assertForbidden();
-    get(action([SchemasController::class, 'editPublic']))->assertForbidden();
+    get(action([SchemasController::class, 'edit'], ['schemaId' => 'public']))->assertForbidden();
 });
 
 it('renders the schema index, create, edit, and public edit screens', function () {
-    $schema = createSchemaForSchemasControllerTest();
+    $schema = createSchemaForSchemasControllerTest([
+        'scope' => ['directive:parseRefs'],
+    ]);
 
     get(action([SchemasController::class, 'index']))
-        ->assertInertia(fn (AssertableInertia $page) => $page->component('graphql/Schemas'));
+        ->assertInertia(fn (AssertableInertia $page) => $page->component('graphql/schemas/Index'));
 
     get(action([SchemasController::class, 'create']))
-        ->assertOk()
-        ->assertViewIs('graphql.schemas._edit')
-        ->assertViewHas('schema')
-        ->assertViewHas('title', t('Create a new GraphQL Schema'));
+        ->assertInertia(fn (AssertableInertia $page) => $page
+            ->component('graphql/schemas/Edit')
+            ->where('schema.id', null)
+            ->where('title', 'Create a new GraphQL Schema')
+            ->where('permissions', fn ($permissions) => collect($permissions)
+                ->pluck('permissions')
+                ->contains(fn (array $groupPermissions) => array_key_exists('directive:parseRefs', $groupPermissions))));
 
     get(action([SchemasController::class, 'edit'], ['schemaId' => $schema->id]))
-        ->assertOk()
-        ->assertViewIs('graphql.schemas._edit')
-        ->assertViewHas('schema', fn ($viewSchema) => $viewSchema->id === $schema->id)
-        ->assertViewHas('title', $schema->name);
-
-    get(action([SchemasController::class, 'editPublic']))
-        ->assertOk()
-        ->assertViewIs('graphql.schemas._edit')
-        ->assertViewHas('schema')
-        ->assertViewHas('token')
-        ->assertViewHas('title', t('Edit the public GraphQL schema'));
+        ->assertInertia(fn (AssertableInertia $page) => $page
+            ->component('graphql/schemas/Edit')
+            ->where('schema.id', $schema->id)
+            ->where('schema.scope', ['directive:parseRefs'])
+            ->where('title', $schema->name));
+
+    get(action([SchemasController::class, 'edit'], ['schemaId' => 'public']))
+        ->assertInertia(fn (AssertableInertia $page) => $page
+            ->component('graphql/schemas/Edit')
+            ->where('schema.isPublic', true)
+            ->has('token')
+            ->where('title', 'Edit the public GraphQL schema'));
 });
 
-it('updates an existing schema via the save action', function () {
-    $schema = createSchemaForSchemasControllerTest();
-    $updatedScope = schemaControllerScope();
+it('creates and updates schemas', function () {
+    $scope = schemaControllerScope();
+
+    postJson(action([SchemasController::class, 'store']), [
+        'name' => 'Created Schema',
+        'permissions' => $scope,
+    ])->assertOk();
+
+    $schema = collect(Gql::getSchemas())->first(fn (GqlSchema $schema) => $schema->name === 'Created Schema');
+
+    expect($schema)->not->toBeNull()
+        ->and($schema?->scope)->toBe($scope);
+
+    $updatedScope = ['directive:parseRefs'];
 
-    postJson(action([SchemasController::class, 'save']), [
-        'schemaId' => $schema->id,
+    patchJson(action([SchemasController::class, 'update'], ['schemaId' => $schema->id]), [
         'name' => 'Renamed Schema',
         'permissions' => $updatedScope,
     ])->assertOk();
@@ -113,9 +129,8 @@
         ->and($updatedSchema?->scope)->toBe($updatedScope);
 });
 
-it('returns not found when saving an unknown schema id', function () {
-    postJson(action([SchemasController::class, 'save']), [
-        'schemaId' => 999999,
+it('returns not found when updating an unknown schema id', function () {
+    patchJson(action([SchemasController::class, 'update'], ['schemaId' => 999999]), [
         'name' => 'Missing Schema',
         'permissions' => schemaControllerScope(),
     ])->assertNotFound();
@@ -125,7 +140,7 @@
     $expiryDate = '2026-12-31 15:30';
     $expectedExpiryDate = DateTimeHelper::toDateTime($expiryDate);
 
-    postJson(action([SchemasController::class, 'savePublic']), [
+    patchJson(action([SchemasController::class, 'update'], ['schemaId' => 'public']), [
         'permissions' => schemaControllerScope(),
         'enabled' => true,
         'expiryDate' => $expiryDate,
@@ -139,15 +154,22 @@
         ->and($publicToken?->expiryDate?->getTimestamp())->toBe($expectedExpiryDate?->getTimestamp());
 });
 
-it('requires password confirmation for save-schema and save-public-schema', function () {
+it('requires password confirmation for schema mutations', function () {
+    $schema = createSchemaForSchemasControllerTest();
+
     Session::forget('auth.password_confirmed_at');
 
-    postJson(cp_url('actions/graphql/save-schema'), [
+    postJson(action([SchemasController::class, 'store']), [
+        'name' => 'Protected Schema',
+        'permissions' => schemaControllerScope(),
+    ])->assertStatus(423);
+
+    patchJson(action([SchemasController::class, 'update'], ['schemaId' => $schema->id]), [
         'name' => 'Protected Schema',
         'permissions' => schemaControllerScope(),
     ])->assertStatus(423);
 
-    postJson(cp_url('actions/graphql/save-public-schema'), [
+    patchJson(action([SchemasController::class, 'update'], ['schemaId' => 'public']), [
         'permissions' => schemaControllerScope(),
         'enabled' => true,
     ])->assertStatus(423);
diff --git a/tests/Feature/Http/Controllers/Gql/TokensControllerTest.php b/tests/Feature/Http/Controllers/Gql/TokensControllerTest.php
index 83a2660a0d0..dc9878074a7 100644
--- a/tests/Feature/Http/Controllers/Gql/TokensControllerTest.php
+++ b/tests/Feature/Http/Controllers/Gql/TokensControllerTest.php
@@ -16,11 +16,10 @@
 use Inertia\Testing\AssertableInertia;
 
 use function CraftCms\Cms\cp_url;
-use function CraftCms\Cms\t;
 use function Pest\Laravel\actingAs;
 use function Pest\Laravel\deleteJson;
 use function Pest\Laravel\get;
-use function Pest\Laravel\post;
+use function Pest\Laravel\patchJson;
 use function Pest\Laravel\postJson;
 
 beforeEach(function () {
@@ -48,22 +47,16 @@
     get(cp_url('graphql/tokens/new'))->assertForbidden();
     get(action([TokensController::class, 'edit'], ['tokenId' => $token->id]))->assertForbidden();
 
-    postJson(cp_url('actions/graphql/save-token'), [
+    postJson(action([TokensController::class, 'store']), [
         'name' => 'Protected token',
         'accessToken' => 'protected-token',
         'enabled' => true,
         'schema' => createSchemaForTokensControllerTest()->id,
     ])->assertForbidden();
 
-    postJson(cp_url('actions/graphql/fetch-token'), [
-        'tokenUid' => $token->uid,
-    ])->assertForbidden();
-
-    postJson(cp_url('actions/graphql/generate-token'))->assertForbidden();
-
-    deleteJson(action([TokensController::class, 'destroy'], [
-        'tokenId' => $token->id,
-    ]))->assertForbidden();
+    postJson(action([TokensController::class, 'accessToken'], ['tokenId' => $token->id]))->assertForbidden();
+    postJson(action([TokensController::class, 'generate']))->assertForbidden();
+    deleteJson(action([TokensController::class, 'destroy'], ['tokenId' => $token->id]))->assertForbidden();
 });
 
 it('allows token pages and actions without admin changes', function () {
@@ -73,7 +66,7 @@
     get(action([TokensController::class, 'index']))->assertOk();
     get(action([TokensController::class, 'create']))->assertOk();
 
-    postJson(cp_url('actions/graphql/save-token'), [
+    postJson(action([TokensController::class, 'store']), [
         'name' => 'No Admin Changes Token',
         'accessToken' => 'no-admin-changes-token',
         'enabled' => true,
@@ -89,23 +82,24 @@
     $publicSchema = Gql::getPublicSchema();
 
     get(action([TokensController::class, 'index']))
-        ->assertInertia(fn (AssertableInertia $page) => $page->component('graphql/Tokens'));
+        ->assertInertia(fn (AssertableInertia $page) => $page->component('graphql/tokens/Index'));
 
     get(action([TokensController::class, 'create']))
-        ->assertOk()
-        ->assertViewIs('graphql.tokens._edit')
-        ->assertViewHas('token')
-        ->assertViewHas('accessToken', fn ($accessToken) => is_string($accessToken) && $accessToken !== '')
-        ->assertViewHas('schemaOptions', fn (array $options) => collect($options)
-            ->pluck('value')
-            ->doesntContain($publicSchema?->id))
-        ->assertViewHas('title', t('Create a new GraphQL token'));
+        ->assertInertia(fn (AssertableInertia $page) => $page
+            ->component('graphql/tokens/Edit')
+            ->where('token.id', null)
+            ->where('title', 'Create a new GraphQL token')
+            ->where('accessToken', fn ($accessToken) => is_string($accessToken) && $accessToken !== '')
+            ->where('schemaOptions', fn ($options) => collect($options)
+                ->pluck('value')
+                ->doesntContain($publicSchema?->id)));
 
     get(action([TokensController::class, 'edit'], ['tokenId' => $token->id]))
-        ->assertOk()
-        ->assertViewIs('graphql.tokens._edit')
-        ->assertViewHas('token', fn ($viewToken) => $viewToken->id === $token->id)
-        ->assertViewHas('title', $token->name);
+        ->assertInertia(fn (AssertableInertia $page) => $page
+            ->component('graphql/tokens/Edit')
+            ->where('token.id', $token->id)
+            ->where('title', $token->name)
+            ->where('accessToken', null));
 });
 
 it('shows a blank schema option when editing a token without a schema', function () {
@@ -113,8 +107,9 @@
     $token = createTokenForTokensControllerTest(overrides: ['schemaId' => null]);
 
     get(action([TokensController::class, 'edit'], ['tokenId' => $token->id]))
-        ->assertOk()
-        ->assertViewHas('schemaOptions', fn (array $options) => $options[0]['value'] === '');
+        ->assertInertia(fn (AssertableInertia $page) => $page
+            ->component('graphql/tokens/Edit')
+            ->where('schemaOptions.0.value', ''));
 });
 
 it('returns not found for invalid, public, or missing token ids', function () {
@@ -129,37 +124,34 @@
 
     get(action([TokensController::class, 'edit'], ['tokenId' => $publicToken->id]))->assertNotFound();
 
-    postJson(cp_url('actions/graphql/save-token'), [
-        'tokenId' => 999999,
+    patchJson(action([TokensController::class, 'update'], ['tokenId' => 999999]), [
         'name' => 'Missing Token',
         'accessToken' => 'missing-token',
         'enabled' => true,
     ])->assertNotFound();
 });
 
-it('requires password confirmation for save-token and fetch-token', function () {
+it('requires password confirmation for saving and revealing tokens', function () {
     $schema = createSchemaForTokensControllerTest();
     $token = createTokenForTokensControllerTest($schema);
 
     Session::forget('auth.password_confirmed_at');
 
-    postJson(cp_url('actions/graphql/save-token'), [
+    postJson(action([TokensController::class, 'store']), [
         'name' => 'Protected token',
         'accessToken' => 'protected-token',
         'enabled' => true,
         'schema' => $schema->id,
     ])->assertStatus(423);
 
-    postJson(cp_url('actions/graphql/fetch-token'), [
-        'tokenUid' => $token->uid,
-    ])->assertStatus(423);
+    postJson(action([TokensController::class, 'accessToken'], ['tokenId' => $token->id]))->assertStatus(423);
 });
 
-it('saves, updates, fetches, generates, and deletes tokens', function () {
+it('saves, updates, reveals, generates, and deletes tokens', function () {
     $schema = createSchemaForTokensControllerTest();
     $updatedSchema = createSchemaForTokensControllerTest();
 
-    postJson(cp_url('actions/graphql/save-token'), [
+    postJson(action([TokensController::class, 'store']), [
         'name' => 'API Token',
         'accessToken' => 'api-token-1',
         'enabled' => true,
@@ -170,8 +162,7 @@
 
     expect($token)->not->toBeNull();
 
-    postJson(cp_url('actions/graphql/save-token'), [
-        'tokenId' => $token->id,
+    patchJson(action([TokensController::class, 'update'], ['tokenId' => $token->id]), [
         'name' => 'Updated API Token',
         'accessToken' => 'api-token-2',
         'enabled' => false,
@@ -187,10 +178,8 @@
         ->and($token?->schemaId)->toBe($updatedSchema->id)
         ->and($token?->expiryDate?->getTimestamp())->toBe(DateTimeHelper::toDateTime('2026-12-31 15:30')?->getTimestamp());
 
-    postJson(cp_url('actions/graphql/save-token'), [
-        'tokenId' => $token->id,
+    patchJson(action([TokensController::class, 'update'], ['tokenId' => $token->id]), [
         'name' => 'Updated API Token',
-        'accessToken' => 'api-token-2',
         'enabled' => false,
         'schema' => $updatedSchema->id,
         'expiryDate' => '',
@@ -198,33 +187,26 @@
 
     $token = Gql::getTokenById($token->id);
 
-    expect($token?->expiryDate)->toBeNull();
+    expect($token?->expiryDate)->toBeNull()
+        ->and($token?->accessToken)->toBe('api-token-2');
 
-    postJson(cp_url('actions/graphql/fetch-token'), [
-        'tokenUid' => $token->uid,
-    ])->assertOk()
+    postJson(action([TokensController::class, 'accessToken'], ['tokenId' => $token->id]))
+        ->assertOk()
         ->assertJsonPath('accessToken', 'api-token-2');
 
-    postJson(cp_url('actions/graphql/generate-token'))
+    postJson(action([TokensController::class, 'generate']))
         ->assertOk()
         ->assertJsonStructure(['accessToken']);
 
-    deleteJson(action([TokensController::class, 'destroy'], [$token->id]))->assertOk();
+    deleteJson(action([TokensController::class, 'destroy'], ['tokenId' => $token->id]))->assertOk();
 
     expect(Gql::getTokenById($token->id))->toBeNull();
 });
 
-it('re-renders the token edit screen for html failures and returns model errors for json', function () {
+it('returns model errors for json validation failures', function () {
     $schema = createSchemaForTokensControllerTest();
 
-    post(cp_url('actions/graphql/save-token'), [
-        'accessToken' => 'missing-name-token',
-        'enabled' => true,
-        'schema' => $schema->id,
-    ])->assertOk()
-        ->assertSee(t('Create a new GraphQL token'));
-
-    postJson(cp_url('actions/graphql/save-token'), [
+    postJson(action([TokensController::class, 'store']), [
         'accessToken' => 'missing-name-token-json',
         'enabled' => true,
         'schema' => $schema->id,
@@ -237,22 +219,9 @@
         ]);
 });
 
-it('requires json requests for fetch and generate and validates delete payloads', function () {
-    $token = createTokenForTokensControllerTest();
-
-    post(cp_url('actions/graphql/fetch-token'), [
-        'tokenUid' => $token->uid,
-    ])->assertBadRequest();
-
-    post(cp_url('actions/graphql/generate-token'))->assertBadRequest();
-
-    expect(fn () => action([TokensController::class, 'destroy'], []))->toThrow(UrlGenerationException::class);
-});
-
-it('returns bad request for invalid token uids', function () {
-    postJson(cp_url('actions/graphql/fetch-token'), [
-        'tokenUid' => 'missing-token-uid',
-    ])->assertBadRequest();
+it('requires a tokenId before deletion', function () {
+    expect(fn () => deleteJson(action([TokensController::class, 'destroy']), []))
+        ->toThrow(UrlGenerationException::class);
 });
 
 function tokenControllerScope(): array
diff --git a/workbench/.env.example b/workbench/.env.example
index ae6107fa147..45a02fd3a90 100644
--- a/workbench/.env.example
+++ b/workbench/.env.example
@@ -4,13 +4,10 @@ APP_ENV=local
 CRAFT_SECURITY_KEY=UPzGqJJMCTM4n07jkqaFNaVoof6j_Xfo
 APP_KEY=base64:6BDzvwO4hrN7Twv6/gaQ6oZMB/CvpUArZXho189U75E=
 
-DB_CONNECTION=pgsql
-DB_HOST=127.0.0.1
-DB_PORT=5432
-DB_DATABASE=craft_tests_foo
-DB_USERNAME=postgres
-DB_PASSWORD=password
-DB_SCHEMA=public
+APP_URL=http://127.0.0.1:8000
+
+DB_CONNECTION=sqlite
+DB_DATABASE=workbench/database/database.sqlite
 
 FROM_EMAIL_NAME="Craft CMS"
 FROM_EMAIL_ADDRESS=info@craftcms.com
diff --git a/workbench/app/Providers/TypeScriptTransformerServiceProvider.php b/workbench/app/Providers/TypeScriptTransformerServiceProvider.php
index ac9e5f208bd..353b732dc22 100644
--- a/workbench/app/Providers/TypeScriptTransformerServiceProvider.php
+++ b/workbench/app/Providers/TypeScriptTransformerServiceProvider.php
@@ -5,9 +5,13 @@
 namespace Workbench\App\Providers;
 
 use CraftCms\Cms\Cp\Data\NavItem;
+use CraftCms\Cms\Gql\Data\GqlSchema;
+use CraftCms\Cms\Gql\Data\GqlToken;
 use CraftCms\Cms\Image\Data\ImageTransform;
 use CraftCms\Cms\Route\Data\Route;
 use CraftCms\Cms\Update\Data\Updates;
+use CraftCms\Cms\User\Data\Permission;
+use CraftCms\Cms\User\Data\PermissionGroup;
 use CraftCms\Cms\User\Data\UserSettings;
 use DateTimeInterface;
 use Spatie\LaravelTypeScriptTransformer\TypeScriptTransformerApplicationServiceProvider;
@@ -27,10 +31,14 @@ protected function configure(TypeScriptTransformerConfigFactory $config): void
             ->replaceType(DateTimeInterface::class, 'string')
             ->provider(new ClassListTransformedProvider(
                 [
+                    GqlSchema::class,
+                    GqlToken::class,
                     ImageTransform::class,
                     NavItem::class,
-                    Updates::class,
+                    Permission::class,
+                    PermissionGroup::class,
                     Route::class,
+                    Updates::class,
                     UserSettings::class,
                 ],
                 [
diff --git a/workbench/app/TypeScript/ClassListClassTransformer.php b/workbench/app/TypeScript/ClassListClassTransformer.php
index f30cff5dc96..495a050deb9 100644
--- a/workbench/app/TypeScript/ClassListClassTransformer.php
+++ b/workbench/app/TypeScript/ClassListClassTransformer.php
@@ -4,7 +4,11 @@
 
 namespace Workbench\App\TypeScript;
 
+use Illuminate\Database\Eloquent\Collection as EloquentCollection;
+use Illuminate\Support\Collection;
+use Spatie\TypeScriptTransformer\ClassPropertyProcessors\FixArrayLikeStructuresClassPropertyProcessor;
 use Spatie\TypeScriptTransformer\PhpNodes\PhpClassNode;
+use Spatie\TypeScriptTransformer\Transformers\ClassPropertyProcessors\ClassPropertyProcessor;
 use Spatie\TypeScriptTransformer\Transformers\ClassTransformer;
 
 class ClassListClassTransformer extends ClassTransformer
@@ -13,4 +17,22 @@ protected function shouldTransform(PhpClassNode $phpClassNode): bool
     {
         return true;
     }
+
+    /** @return array<ClassPropertyProcessor> */
+    #[\Override]
+    protected function classPropertyProcessors(): array
+    {
+        $processors = parent::classPropertyProcessors();
+
+        foreach ($processors as $processor) {
+            if ($processor instanceof FixArrayLikeStructuresClassPropertyProcessor) {
+                $processor->replaceArrayLikeClass(
+                    Collection::class,
+                    EloquentCollection::class,
+                );
+            }
+        }
+
+        return $processors;
+    }
 }

From 8f770b4d8a6467c1c3c90dc0dbaa3390a658bbc7 Mon Sep 17 00:00:00 2001
From: Rias <hey@rias.be>
Date: Sat, 27 Jun 2026 09:25:40 +0200
Subject: [PATCH 2/8] Fix GraphQL permission types

---
 src/Config/GeneralConfig.php                  | 34 +++++++++++++++++++
 .../Controllers/Gql/SchemasController.php     |  6 +++-
 src/User/Data/Permission.php                  |  2 +-
 src/User/Data/PermissionGroup.php             |  3 +-
 4 files changed, 42 insertions(+), 3 deletions(-)

diff --git a/src/Config/GeneralConfig.php b/src/Config/GeneralConfig.php
index 04a98a95958..85476346880 100644
--- a/src/Config/GeneralConfig.php
+++ b/src/Config/GeneralConfig.php
@@ -1029,6 +1029,22 @@ class GeneralConfig extends BaseConfig
      */
     public bool $enableGql = true;
 
+    /**
+     * @var bool Whether the GraphQL `@transform` directive should be disabled.
+     *
+     * ::: code
+     * ```php Static Config
+     * ->disableGraphqlTransformDirective()
+     * ```
+     * ```shell Environment Override
+     * CRAFT_DISABLE_GRAPHQL_TRANSFORM_DIRECTIVE=true
+     * ```
+     * :::
+     *
+     * @group GraphQL
+     */
+    public bool $disableGraphqlTransformDirective = false;
+
     /**
      * @var mixed The amount of time a user’s elevated session will last, which is required for some sensitive actions (e.g. user group/permission assignment).
      *
@@ -4218,6 +4234,24 @@ public function enableGql(bool $value = true): self
         return $this;
     }
 
+    /**
+     * Whether the GraphQL `@transform` directive should be disabled.
+     *
+     * ```php
+     * ->disableGraphqlTransformDirective()
+     * ```
+     *
+     * @group GraphQL
+     *
+     * @see $disableGraphqlTransformDirective
+     */
+    public function disableGraphqlTransformDirective(bool $value = true): self
+    {
+        $this->disableGraphqlTransformDirective = $value;
+
+        return $this;
+    }
+
     /**
      * Whether Craft should cache GraphQL queries.
      *
diff --git a/src/Http/Controllers/Gql/SchemasController.php b/src/Http/Controllers/Gql/SchemasController.php
index 12f5d8e984f..3989c319a65 100644
--- a/src/Http/Controllers/Gql/SchemasController.php
+++ b/src/Http/Controllers/Gql/SchemasController.php
@@ -167,6 +167,7 @@ private function editScreen(GqlSchema $schema, ?GqlToken $token = null): CpScree
             });
     }
 
+    /** @return Collection<int, PermissionGroup> */
     private function schemaPermissionGroups(): Collection
     {
         $schemaComponents = $this->gql->getAllSchemaComponents();
@@ -196,6 +197,7 @@ private function schemaPermissionGroups(): Collection
             ));
     }
 
+    /** @return Collection<int, PermissionGroup> */
     private function permissionGroups(array $categories): Collection
     {
         return collect($categories)
@@ -207,6 +209,7 @@ private function permissionGroups(array $categories): Collection
             ->values();
     }
 
+    /** @return Collection<int, Permission> */
     private function permissionList(array $permissions): Collection
     {
         return collect($permissions)
@@ -218,6 +221,7 @@ private function permissionList(array $permissions): Collection
                 nested: isset($props['nested'])
                     ? $this->permissionList($props['nested'])
                     : new Collection,
-            ));
+            ))
+            ->values();
     }
 }
diff --git a/src/User/Data/Permission.php b/src/User/Data/Permission.php
index db1a5858b53..34b5ffe2137 100644
--- a/src/User/Data/Permission.php
+++ b/src/User/Data/Permission.php
@@ -14,7 +14,7 @@ public function __construct(
         public string $label,
         public ?string $info = null,
         public ?string $warning = null,
-        /** @var Collection<string, Permission> */
+        /** @var Collection<int, Permission> */
         public Collection $nested = new Collection,
     ) {}
 
diff --git a/src/User/Data/PermissionGroup.php b/src/User/Data/PermissionGroup.php
index 1b2a3b499e3..1ab438e9482 100644
--- a/src/User/Data/PermissionGroup.php
+++ b/src/User/Data/PermissionGroup.php
@@ -12,7 +12,7 @@ class PermissionGroup implements Arrayable
 {
     public function __construct(
         public string $heading,
-        /** @var Collection<string, Permission> */
+        /** @var Collection<int, Permission> */
         public Collection $permissions = new Collection,
     ) {}
 
@@ -35,6 +35,7 @@ public function toArray(): array
         ];
     }
 
+    /** @param Collection<int, Permission> $permissions */
     private function permissionKeys(Collection $permissions): array
     {
         return $permissions

From 05ecae02db8bcbb57b05c7346b56e543c4f25244 Mon Sep 17 00:00:00 2001
From: Rias <hey@rias.be>
Date: Sat, 27 Jun 2026 09:29:45 +0200
Subject: [PATCH 3/8] Fix serialized permission group types

---
 resources/js/pages/graphql/schemas/Edit.vue       | 9 ++++++++-
 resources/js/pages/settings/users/groups/Edit.vue | 9 ++++++++-
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/resources/js/pages/graphql/schemas/Edit.vue b/resources/js/pages/graphql/schemas/Edit.vue
index b2096215b49..e59dd8f3df0 100644
--- a/resources/js/pages/graphql/schemas/Edit.vue
+++ b/resources/js/pages/graphql/schemas/Edit.vue
@@ -21,10 +21,17 @@
     expiryDate: string;
   }
 
+  type PermissionGroup = Omit<
+    CraftCms.Cms.User.Data.PermissionGroup,
+    'permissions'
+  > & {
+    permissions: Record<string, CraftCms.Cms.User.Data.Permission>;
+  };
+
   const props = defineProps<{
     schema: CraftCms.Cms.Gql.Data.GqlSchema;
     token: TokenData | null;
-    permissions: Array<CraftCms.Cms.User.Data.PermissionGroup>;
+    permissions: Array<PermissionGroup>;
     readOnly?: boolean;
   }>();
 
diff --git a/resources/js/pages/settings/users/groups/Edit.vue b/resources/js/pages/settings/users/groups/Edit.vue
index bfa896f16a3..6dec1ba65e3 100644
--- a/resources/js/pages/settings/users/groups/Edit.vue
+++ b/resources/js/pages/settings/users/groups/Edit.vue
@@ -13,10 +13,17 @@
   import {useSettingsSave} from '@/modules/settings/composables/useSettingsSave';
   import {useInputGenerator} from '@/common/composables/useInputGenerator';
 
+  type PermissionGroup = Omit<
+    CraftCms.Cms.User.Data.PermissionGroup,
+    'permissions'
+  > & {
+    permissions: Record<string, CraftCms.Cms.User.Data.Permission>;
+  };
+
   const props = defineProps<{
     group: UserGroup;
     brandNew: boolean;
-    permissions: Array<CraftCms.Cms.User.Data.PermissionGroup>;
+    permissions: Array<PermissionGroup>;
     formActions?: Array<ActionItem>;
     redirect?: string;
     toolbar?: string;

From 1f5e1d9c996c90d002b44e66088cde23b7796063 Mon Sep 17 00:00:00 2001
From: Rias <hey@rias.be>
Date: Sat, 27 Jun 2026 09:34:48 +0200
Subject: [PATCH 4/8] Use config for GraphQL transform directive

---
 src/Config/GeneralConfig.php                  | 34 -------------------
 .../Controllers/Gql/SchemasController.php     |  3 +-
 2 files changed, 1 insertion(+), 36 deletions(-)

diff --git a/src/Config/GeneralConfig.php b/src/Config/GeneralConfig.php
index 85476346880..04a98a95958 100644
--- a/src/Config/GeneralConfig.php
+++ b/src/Config/GeneralConfig.php
@@ -1029,22 +1029,6 @@ class GeneralConfig extends BaseConfig
      */
     public bool $enableGql = true;
 
-    /**
-     * @var bool Whether the GraphQL `@transform` directive should be disabled.
-     *
-     * ::: code
-     * ```php Static Config
-     * ->disableGraphqlTransformDirective()
-     * ```
-     * ```shell Environment Override
-     * CRAFT_DISABLE_GRAPHQL_TRANSFORM_DIRECTIVE=true
-     * ```
-     * :::
-     *
-     * @group GraphQL
-     */
-    public bool $disableGraphqlTransformDirective = false;
-
     /**
      * @var mixed The amount of time a user’s elevated session will last, which is required for some sensitive actions (e.g. user group/permission assignment).
      *
@@ -4234,24 +4218,6 @@ public function enableGql(bool $value = true): self
         return $this;
     }
 
-    /**
-     * Whether the GraphQL `@transform` directive should be disabled.
-     *
-     * ```php
-     * ->disableGraphqlTransformDirective()
-     * ```
-     *
-     * @group GraphQL
-     *
-     * @see $disableGraphqlTransformDirective
-     */
-    public function disableGraphqlTransformDirective(bool $value = true): self
-    {
-        $this->disableGraphqlTransformDirective = $value;
-
-        return $this;
-    }
-
     /**
      * Whether Craft should cache GraphQL queries.
      *
diff --git a/src/Http/Controllers/Gql/SchemasController.php b/src/Http/Controllers/Gql/SchemasController.php
index 3989c319a65..b225e96ec76 100644
--- a/src/Http/Controllers/Gql/SchemasController.php
+++ b/src/Http/Controllers/Gql/SchemasController.php
@@ -4,7 +4,6 @@
 
 namespace CraftCms\Cms\Http\Controllers\Gql;
 
-use CraftCms\Cms\Cms;
 use CraftCms\Cms\Gql\Data\GqlSchema;
 use CraftCms\Cms\Gql\Data\GqlToken;
 use CraftCms\Cms\Gql\Gql;
@@ -180,7 +179,7 @@ private function schemaPermissionGroups(): Collection
             ],
         ];
 
-        if (! Cms::config()->disableGraphqlTransformDirective) {
+        if (! config('craft.general.disableGraphqlTransformDirective')) {
             $optionalPermissions['directive:transform'] = [
                 'label' => t('{name} directive', [
                     'name' => '@transform',

From 28d7e98c0d8bafb22641f821e3e34beb64c30b7e Mon Sep 17 00:00:00 2001
From: Rias <hey@rias.be>
Date: Sat, 27 Jun 2026 13:12:25 +0200
Subject: [PATCH 5/8] UX improvements

---
 resources/js/common/layouts/AppLayout.vue     |  26 ++++-
 .../settings/composables/useSettingsSave.ts   |  15 +--
 resources/js/pages/graphql/schemas/Edit.vue   |  49 ++++----
 resources/js/pages/graphql/schemas/Index.vue  |   5 +-
 resources/js/pages/graphql/tokens/Edit.vue    | 108 ++++++++++--------
 .../Controllers/Gql/SchemasController.php     |  10 +-
 src/Http/Controllers/Gql/TokensController.php |   8 +-
 .../Controllers/Gql/SchemasControllerTest.php |  27 +++++
 .../Controllers/Gql/TokensControllerTest.php  |  19 +++
 9 files changed, 184 insertions(+), 83 deletions(-)

diff --git a/resources/js/common/layouts/AppLayout.vue b/resources/js/common/layouts/AppLayout.vue
index cfd0bbf5eb2..fd55eba3f6e 100644
--- a/resources/js/common/layouts/AppLayout.vue
+++ b/resources/js/common/layouts/AppLayout.vue
@@ -1,7 +1,7 @@
 <script setup lang="ts">
   import SystemInfo from '@/common/components/SystemInfo.vue';
   import {t} from '@craftcms/cp/utilities/translate.ts.mjs';
-  import {computed, reactive, ref, useTemplateRef, watch} from 'vue';
+  import {computed, reactive, ref, useSlots, useTemplateRef, watch} from 'vue';
   import CpSidebar from '@/common/components/CpSidebar.vue';
   import {useMediaQuery} from '@vueuse/core';
   import {Head, type InertiaForm, usePage} from '@inertiajs/vue3';
@@ -56,6 +56,7 @@
   }>();
 
   const {errorFlash, successFlash} = useFlash();
+  const slots = useSlots();
   const crumbs = computed(() => page.props.crumbs ?? null);
   const formActionItems = computed(() => [
     ...props.defaultFormActions.map(defaultFormActionItem),
@@ -66,6 +67,7 @@
     ...(props.additionalSkipLinks ?? []),
   ]);
   const readOnly = computed(() => page.props.readOnly);
+  const hasDetails = computed(() => Boolean(slots.details));
   const sidebarToggle = useTemplateRef('sidebarToggle');
   const {announcement, announce} = useAnnouncer();
 
@@ -279,7 +281,17 @@
               <template v-if="readOnly">
                 <CalloutReadOnly />
               </template>
-              <slot></slot>
+              <template v-if="hasDetails">
+                <div class="content-with-details">
+                  <div>
+                    <slot></slot>
+                  </div>
+                  <aside>
+                    <slot name="details"></slot>
+                  </aside>
+                </div>
+              </template>
+              <slot v-else></slot>
             </div>
           </component>
         </main>
@@ -349,6 +361,16 @@
     max-width: none;
   }
 
+  .content-with-details {
+    display: grid;
+    gap: var(--c-spacing-md);
+
+    @container (width >= 768px) {
+      grid-template-columns: minmax(0, 1fr) clamp(12rem, 20%, 16rem);
+      align-items: start;
+    }
+  }
+
   @media screen and (min-width: 1024px) {
     .cp {
       grid-template-columns: v-bind(sidebarWidth) minmax(0, 1fr);
diff --git a/resources/js/modules/settings/composables/useSettingsSave.ts b/resources/js/modules/settings/composables/useSettingsSave.ts
index 99a7b199b0c..ab106389650 100644
--- a/resources/js/modules/settings/composables/useSettingsSave.ts
+++ b/resources/js/modules/settings/composables/useSettingsSave.ts
@@ -25,13 +25,14 @@ export function useSettingsSave<T extends Record<string, any>>(
   });
 
   function save({redirect = true} = {}) {
-    let submitOptions = {};
-    if (redirect) {
-      submitOptions = {
-        preserveScroll: true,
-        preserveState: true,
-      };
-    }
+    const submitOptions = redirect
+      ? {
+          preserveScroll: true,
+          preserveState: true,
+        }
+      : {
+          replace: true,
+        };
 
     form
       .clearErrors()
diff --git a/resources/js/pages/graphql/schemas/Edit.vue b/resources/js/pages/graphql/schemas/Edit.vue
index e59dd8f3df0..8d7731c565e 100644
--- a/resources/js/pages/graphql/schemas/Edit.vue
+++ b/resources/js/pages/graphql/schemas/Edit.vue
@@ -100,27 +100,36 @@
       </div>
     </Pane>
 
-    <template v-if="schema.isPublic" #footer>
-      <div class="meta">
-        <CraftSwitch
-          :label="t('Enabled')"
-          id="enabled"
-          name="enabled"
-          v-model="form.enabled"
-          :disabled="readOnly"
-          :error="form.errors.enabled"
-        />
+    <template v-if="schema.isPublic" #details>
+      <Pane appearance="raised">
+        <div class="meta">
+          <CraftSwitch
+            :label="t('Enabled')"
+            id="enabled"
+            name="enabled"
+            v-model="form.enabled"
+            :disabled="readOnly"
+            :error="form.errors.enabled"
+          />
 
-        <CraftInput
-          :label="t('Expiry Date')"
-          id="expiryDate"
-          name="expiryDate"
-          type="datetime-local"
-          v-model="form.expiryDate"
-          :disabled="readOnly"
-          :error="form.errors.expiryDate"
-        />
-      </div>
+          <CraftInput
+            :label="t('Expiry Date')"
+            id="expiryDate"
+            name="expiryDate"
+            type="datetime-local"
+            v-model="form.expiryDate"
+            :disabled="readOnly"
+            :error="form.errors.expiryDate"
+          />
+        </div>
+      </Pane>
     </template>
   </AppLayout>
 </template>
+
+<style scoped lang="scss">
+  .meta {
+    display: grid;
+    gap: var(--c-spacing-md);
+  }
+</style>
diff --git a/resources/js/pages/graphql/schemas/Index.vue b/resources/js/pages/graphql/schemas/Index.vue
index 675dd1fb00f..1259f274e21 100644
--- a/resources/js/pages/graphql/schemas/Index.vue
+++ b/resources/js/pages/graphql/schemas/Index.vue
@@ -51,7 +51,10 @@
         columnHelper.display({
           id: 'scope',
           header: t('Scope'),
-          cell: ({row}) => row.original.scope.join(', '),
+          cell: ({row}) =>
+            row.original.scope.length > 2
+              ? `${row.original.scope.slice(0, 2).join(', ')} ${t('and {count} more', {count: row.original.scope.length - 2})}`
+              : row.original.scope.join(', '),
         }),
         columnHelper.display({
           id: 'public',
diff --git a/resources/js/pages/graphql/tokens/Edit.vue b/resources/js/pages/graphql/tokens/Edit.vue
index 919794d51f0..1fe1f48fc5e 100644
--- a/resources/js/pages/graphql/tokens/Edit.vue
+++ b/resources/js/pages/graphql/tokens/Edit.vue
@@ -85,7 +85,7 @@
 </script>
 
 <template>
-  <AppLayout :form="form" :default-form-actions="[]" @save="save">
+  <AppLayout :form="form" @save="save">
     <Pane appearance="raised">
       <div class="grid gap-3">
         <CraftInput
@@ -121,23 +121,23 @@
 
         <hr />
 
-        <CraftInput
-          :label="t('Authorization Header')"
-          :help-text="
-            t(
-              'The `Authorization` header that should be sent with GraphQL API requests to use this token.'
-            )
-          "
-          id="auth-header"
-          class="code ltr"
-          :model-value="authorizationHeader"
-          readonly
-          :disabled="!visibleAccessToken"
-          :error="form.errors.accessToken"
-        >
-          <div slot="suffix" class="flex items-center gap-1">
+        <div class="flex items-end gap-1">
+          <CraftInput
+            :label="t('Authorization Header')"
+            :help-text="
+              t(
+                'The `Authorization` header that should be sent with GraphQL API requests to use this token.'
+              )
+            "
+            id="auth-header"
+            class="code ltr flex-1"
+            :model-value="authorizationHeader"
+            readonly
+            :error="form.errors.accessToken"
+          >
             <craft-button
               v-if="!visibleAccessToken"
+              slot="suffix"
               type="button"
               size="small"
               appearance="plain"
@@ -150,48 +150,56 @@
 
             <craft-copy-button
               v-else
+              slot="suffix"
               ref="copyButton"
               :value="authorizationHeader"
               :disabled="loadingToken"
             />
-
-            <craft-button
-              type="button"
-              size="small"
-              appearance="plain"
-              :disabled="readOnly || loadingToken"
-              @click="regenerateToken"
-            >
-              {{ t('Regenerate') }}
-            </craft-button>
-
-            <craft-spinner v-if="loadingToken" size="small"></craft-spinner>
-          </div>
-        </CraftInput>
+          </CraftInput>
+
+          <craft-button
+            type="button"
+            variant="neutral"
+            :loading="loadingToken"
+            :disabled="readOnly || loadingToken"
+            @click="regenerateToken"
+          >
+            {{ t('Regenerate') }}
+          </craft-button>
+        </div>
       </div>
     </Pane>
 
-    <template #footer>
-      <div class="meta">
-        <CraftSwitch
-          :label="t('Enabled')"
-          id="enabled"
-          name="enabled"
-          v-model="form.enabled"
-          :disabled="readOnly"
-          :error="form.errors.enabled"
-        />
+    <template #details>
+      <Pane appearance="raised">
+        <div class="meta">
+          <CraftSwitch
+            :label="t('Enabled')"
+            id="enabled"
+            name="enabled"
+            v-model="form.enabled"
+            :disabled="readOnly"
+            :error="form.errors.enabled"
+          />
 
-        <CraftInput
-          :label="t('Expiry Date')"
-          id="expiryDate"
-          name="expiryDate"
-          type="datetime-local"
-          v-model="form.expiryDate"
-          :disabled="readOnly"
-          :error="form.errors.expiryDate"
-        />
-      </div>
+          <CraftInput
+            :label="t('Expiry Date')"
+            id="expiryDate"
+            name="expiryDate"
+            type="datetime-local"
+            v-model="form.expiryDate"
+            :disabled="readOnly"
+            :error="form.errors.expiryDate"
+          />
+        </div>
+      </Pane>
     </template>
   </AppLayout>
 </template>
+
+<style scoped lang="scss">
+  .meta {
+    display: grid;
+    gap: var(--c-spacing-md);
+  }
+</style>
diff --git a/src/Http/Controllers/Gql/SchemasController.php b/src/Http/Controllers/Gql/SchemasController.php
index b225e96ec76..f11c83d325f 100644
--- a/src/Http/Controllers/Gql/SchemasController.php
+++ b/src/Http/Controllers/Gql/SchemasController.php
@@ -93,7 +93,13 @@ private function saveSchema(Request $request, GqlSchema $schema, ?GqlToken $toke
         }
 
         if (! $token) {
-            return $this->asModelSuccess($schema, t('Schema saved.'), 'schema');
+            return $this->asModelSuccess(
+                $schema,
+                t('Schema saved.'),
+                'schema',
+                redirect: $this->getPostedRedirectUrl($schema)
+                    ?? Url::cpUrl("graphql/schemas/$schema->id"),
+            );
         }
 
         $token->enabled = (bool) $request->input('enabled');
@@ -144,7 +150,7 @@ private function editScreen(GqlSchema $schema, ?GqlToken $token = null): CpScree
                 ['label' => t('GraphQL Schemas'), 'url' => 'graphql/schemas'],
                 ['label' => $title],
             ])
-            ->redirectUrl($schema->isPublic ? 'graphql/schemas/public' : 'graphql/schemas/{id}')
+            ->redirectUrl('graphql/schemas')
             ->inertiaPage('graphql/schemas/Edit', [
                 'schema' => $schema->toArray(),
                 'token' => $token ? [
diff --git a/src/Http/Controllers/Gql/TokensController.php b/src/Http/Controllers/Gql/TokensController.php
index e69e67939ef..c03bbd33fd8 100644
--- a/src/Http/Controllers/Gql/TokensController.php
+++ b/src/Http/Controllers/Gql/TokensController.php
@@ -117,7 +117,13 @@ private function saveToken(Request $request, GqlToken $token): Response
             return $this->asModelFailure($token, t('Couldn’t save token.'), 'token');
         }
 
-        return $this->asModelSuccess($token, t('Token saved.'), 'token');
+        return $this->asModelSuccess(
+            $token,
+            t('Token saved.'),
+            'token',
+            redirect: $this->getPostedRedirectUrl($token)
+                ?? Url::cpUrl("graphql/tokens/$token->id"),
+        );
     }
 
     private function editScreen(GqlToken $token, ?string $accessToken = null): CpScreenResponse
diff --git a/tests/Feature/Http/Controllers/Gql/SchemasControllerTest.php b/tests/Feature/Http/Controllers/Gql/SchemasControllerTest.php
index 239e153237c..aed524796db 100644
--- a/tests/Feature/Http/Controllers/Gql/SchemasControllerTest.php
+++ b/tests/Feature/Http/Controllers/Gql/SchemasControllerTest.php
@@ -8,9 +8,11 @@
 use CraftCms\Cms\Http\Controllers\Gql\SchemasController;
 use CraftCms\Cms\Support\DateTimeHelper;
 use CraftCms\Cms\Support\Facades\Gql;
+use CraftCms\Cms\Support\Url;
 use CraftCms\Cms\User\Elements\User;
 use Illuminate\Routing\Exceptions\UrlGenerationException;
 use Illuminate\Support\Facades\Auth;
+use Illuminate\Support\Facades\Crypt;
 use Illuminate\Support\Facades\Session;
 use Inertia\Testing\AssertableInertia;
 
@@ -18,7 +20,9 @@
 use function Pest\Laravel\actingAs;
 use function Pest\Laravel\deleteJson;
 use function Pest\Laravel\get;
+use function Pest\Laravel\patch;
 use function Pest\Laravel\patchJson;
+use function Pest\Laravel\post;
 use function Pest\Laravel\postJson;
 
 beforeEach(function () {
@@ -129,6 +133,29 @@
         ->and($updatedSchema?->scope)->toBe($updatedScope);
 });
 
+it('redirects to the saved schema edit page when saving and continuing', function () {
+    $response = post(action([SchemasController::class, 'store']), [
+        'name' => 'Continued Schema',
+        'permissions' => schemaControllerScope(),
+    ]);
+
+    $schema = collect(Gql::getSchemas())->first(fn (GqlSchema $schema) => $schema->name === 'Continued Schema');
+
+    expect($schema)->not->toBeNull();
+
+    $response->assertRedirect(Url::cpUrl("graphql/schemas/$schema->id"));
+});
+
+it('redirects to the schema index when saving normally', function () {
+    $schema = createSchemaForSchemasControllerTest();
+
+    patch(action([SchemasController::class, 'update'], ['schemaId' => $schema->id]), [
+        'name' => 'Normally Saved Schema',
+        'permissions' => schemaControllerScope(),
+        'redirect' => Crypt::encrypt('graphql/schemas'),
+    ])->assertRedirect(Url::cpUrl('graphql/schemas'));
+});
+
 it('returns not found when updating an unknown schema id', function () {
     patchJson(action([SchemasController::class, 'update'], ['schemaId' => 999999]), [
         'name' => 'Missing Schema',
diff --git a/tests/Feature/Http/Controllers/Gql/TokensControllerTest.php b/tests/Feature/Http/Controllers/Gql/TokensControllerTest.php
index dc9878074a7..fccb185be2b 100644
--- a/tests/Feature/Http/Controllers/Gql/TokensControllerTest.php
+++ b/tests/Feature/Http/Controllers/Gql/TokensControllerTest.php
@@ -9,6 +9,7 @@
 use CraftCms\Cms\Http\Controllers\Gql\TokensController;
 use CraftCms\Cms\Support\DateTimeHelper;
 use CraftCms\Cms\Support\Facades\Gql;
+use CraftCms\Cms\Support\Url;
 use CraftCms\Cms\User\Elements\User;
 use Illuminate\Routing\Exceptions\UrlGenerationException;
 use Illuminate\Support\Facades\Auth;
@@ -20,6 +21,7 @@
 use function Pest\Laravel\deleteJson;
 use function Pest\Laravel\get;
 use function Pest\Laravel\patchJson;
+use function Pest\Laravel\post;
 use function Pest\Laravel\postJson;
 
 beforeEach(function () {
@@ -203,6 +205,23 @@
     expect(Gql::getTokenById($token->id))->toBeNull();
 });
 
+it('redirects to the saved token edit page when saving and continuing', function () {
+    $schema = createSchemaForTokensControllerTest();
+
+    $response = post(action([TokensController::class, 'store']), [
+        'name' => 'Continued Token',
+        'accessToken' => 'continued-token',
+        'enabled' => true,
+        'schema' => $schema->id,
+    ]);
+
+    $token = Gql::getTokenByName('Continued Token');
+
+    expect($token)->not->toBeNull();
+
+    $response->assertRedirect(Url::cpUrl("graphql/tokens/$token->id"));
+});
+
 it('returns model errors for json validation failures', function () {
     $schema = createSchemaForTokensControllerTest();
 

From 59ffc0fe5c62dfe531172621ea6ab876a9a7b9c2 Mon Sep 17 00:00:00 2001
From: Rias <hey@rias.be>
Date: Sat, 27 Jun 2026 16:58:22 +0200
Subject: [PATCH 6/8] Move details pane into AppLayout

---
 resources/js/common/layouts/AppLayout.vue   | 12 +++++-
 resources/js/pages/graphql/schemas/Edit.vue | 45 ++++++++------------
 resources/js/pages/graphql/tokens/Edit.vue  | 47 ++++++++-------------
 3 files changed, 46 insertions(+), 58 deletions(-)

diff --git a/resources/js/common/layouts/AppLayout.vue b/resources/js/common/layouts/AppLayout.vue
index fd55eba3f6e..636ef2b405e 100644
--- a/resources/js/common/layouts/AppLayout.vue
+++ b/resources/js/common/layouts/AppLayout.vue
@@ -18,6 +18,7 @@
   import CalloutReadOnly from '@/common/components/CalloutReadOnly.vue';
   import UserMenu from '@/common/components/UserMenu.vue';
   import FlashMessages from '@/common/components/FlashMessages.vue';
+  import Pane from '@/common/components/Pane.vue';
 
   interface SaveOptions {
     redirect?: boolean;
@@ -287,7 +288,11 @@
                     <slot></slot>
                   </div>
                   <aside>
-                    <slot name="details"></slot>
+                    <Pane appearance="raised">
+                      <div class="details">
+                        <slot name="details"></slot>
+                      </div>
+                    </Pane>
                   </aside>
                 </div>
               </template>
@@ -371,6 +376,11 @@
     }
   }
 
+  .details {
+    display: grid;
+    gap: var(--c-spacing-md);
+  }
+
   @media screen and (min-width: 1024px) {
     .cp {
       grid-template-columns: v-bind(sidebarWidth) minmax(0, 1fr);
diff --git a/resources/js/pages/graphql/schemas/Edit.vue b/resources/js/pages/graphql/schemas/Edit.vue
index 8d7731c565e..1651271865d 100644
--- a/resources/js/pages/graphql/schemas/Edit.vue
+++ b/resources/js/pages/graphql/schemas/Edit.vue
@@ -101,35 +101,24 @@
     </Pane>
 
     <template v-if="schema.isPublic" #details>
-      <Pane appearance="raised">
-        <div class="meta">
-          <CraftSwitch
-            :label="t('Enabled')"
-            id="enabled"
-            name="enabled"
-            v-model="form.enabled"
-            :disabled="readOnly"
-            :error="form.errors.enabled"
-          />
+      <CraftSwitch
+        :label="t('Enabled')"
+        id="enabled"
+        name="enabled"
+        v-model="form.enabled"
+        :disabled="readOnly"
+        :error="form.errors.enabled"
+      />
 
-          <CraftInput
-            :label="t('Expiry Date')"
-            id="expiryDate"
-            name="expiryDate"
-            type="datetime-local"
-            v-model="form.expiryDate"
-            :disabled="readOnly"
-            :error="form.errors.expiryDate"
-          />
-        </div>
-      </Pane>
+      <CraftInput
+        :label="t('Expiry Date')"
+        id="expiryDate"
+        name="expiryDate"
+        type="datetime-local"
+        v-model="form.expiryDate"
+        :disabled="readOnly"
+        :error="form.errors.expiryDate"
+      />
     </template>
   </AppLayout>
 </template>
-
-<style scoped lang="scss">
-  .meta {
-    display: grid;
-    gap: var(--c-spacing-md);
-  }
-</style>
diff --git a/resources/js/pages/graphql/tokens/Edit.vue b/resources/js/pages/graphql/tokens/Edit.vue
index 1fe1f48fc5e..79cb71f3644 100644
--- a/resources/js/pages/graphql/tokens/Edit.vue
+++ b/resources/js/pages/graphql/tokens/Edit.vue
@@ -171,35 +171,24 @@
     </Pane>
 
     <template #details>
-      <Pane appearance="raised">
-        <div class="meta">
-          <CraftSwitch
-            :label="t('Enabled')"
-            id="enabled"
-            name="enabled"
-            v-model="form.enabled"
-            :disabled="readOnly"
-            :error="form.errors.enabled"
-          />
-
-          <CraftInput
-            :label="t('Expiry Date')"
-            id="expiryDate"
-            name="expiryDate"
-            type="datetime-local"
-            v-model="form.expiryDate"
-            :disabled="readOnly"
-            :error="form.errors.expiryDate"
-          />
-        </div>
-      </Pane>
+      <CraftSwitch
+        :label="t('Enabled')"
+        id="enabled"
+        name="enabled"
+        v-model="form.enabled"
+        :disabled="readOnly"
+        :error="form.errors.enabled"
+      />
+
+      <CraftInput
+        :label="t('Expiry Date')"
+        id="expiryDate"
+        name="expiryDate"
+        type="datetime-local"
+        v-model="form.expiryDate"
+        :disabled="readOnly"
+        :error="form.errors.expiryDate"
+      />
     </template>
   </AppLayout>
 </template>
-
-<style scoped lang="scss">
-  .meta {
-    display: grid;
-    gap: var(--c-spacing-md);
-  }
-</style>

From 77989dfe3d73ef9921d770f1397325ff45c9d985 Mon Sep 17 00:00:00 2001
From: Rias <hey@rias.be>
Date: Sat, 27 Jun 2026 17:12:34 +0200
Subject: [PATCH 7/8] Not lowercasing broke user permissions, add a
 preserveCase option instead

---
 .../permissions/components/PermissionList.vue | 42 ++++++++++++-------
 resources/js/pages/graphql/schemas/Edit.vue   |  1 +
 2 files changed, 29 insertions(+), 14 deletions(-)

diff --git a/resources/js/modules/permissions/components/PermissionList.vue b/resources/js/modules/permissions/components/PermissionList.vue
index 9fe1f692d76..878d45bd735 100644
--- a/resources/js/modules/permissions/components/PermissionList.vue
+++ b/resources/js/modules/permissions/components/PermissionList.vue
@@ -16,6 +16,7 @@
       permissions?: Record<string, PermissionItem>;
       heading?: string;
       permissionKeys?: Array<string>;
+      preserveCase?: boolean;
       disabled?: boolean;
       level?: number;
     }>(),
@@ -23,11 +24,20 @@
       permissions: () => ({}),
       modelValue: () => [],
       permissionKeys: () => [],
+      preserveCase: false,
       disabled: false,
       level: 0,
     }
   );
 
+  function permissionKey(key: string) {
+    return props.preserveCase ? key : key.toLowerCase();
+  }
+
+  function normalizePermissionKeys(keys: Array<string>) {
+    return keys.map(permissionKey);
+  }
+
   function allSelected() {
     if (!props.permissionKeys.length) {
       return false;
@@ -35,12 +45,16 @@
 
     const selected = new Set(props.modelValue);
 
-    return props.permissionKeys.every((key) => selected.has(key));
+    return normalizePermissionKeys(props.permissionKeys).every((key) =>
+      selected.has(key)
+    );
   }
 
   function toggleAll() {
+    const keys = normalizePermissionKeys(props.permissionKeys);
+
     if (allSelected()) {
-      const keysToRemove = new Set(props.permissionKeys);
+      const keysToRemove = new Set(keys);
       emit(
         'update:modelValue',
         props.modelValue.filter((key) => !keysToRemove.has(key))
@@ -48,20 +62,19 @@
       return;
     }
 
-    emit('update:modelValue', [
-      ...new Set([...props.modelValue, ...props.permissionKeys]),
-    ]);
+    emit('update:modelValue', [...new Set([...props.modelValue, ...keys])]);
   }
 
   function toggleItem(key: string) {
-    const index = props.modelValue.indexOf(key);
+    const normalizedKey = permissionKey(key);
+    const index = props.modelValue.indexOf(normalizedKey);
+
     if (index === -1) {
-      emit('update:modelValue', [...props.modelValue, key]);
+      emit('update:modelValue', [...props.modelValue, normalizedKey]);
     } else {
-      const keysToRemove = new Set([
-        key,
-        ...getNestedKeys(props.permissions[key]),
-      ]);
+      const keysToRemove = new Set(
+        normalizePermissionKeys([key, ...getNestedKeys(props.permissions[key])])
+      );
       emit(
         'update:modelValue',
         props.modelValue.filter((v) => !keysToRemove.has(v))
@@ -103,8 +116,8 @@
     <li>
       <CraftCheckbox
         :label="item.label"
-        :model-value="modelValue.includes(key)"
-        :value="key"
+        :model-value="modelValue.includes(permissionKey(key))"
+        :value="permissionKey(key)"
         :disabled="disabled"
         @update:model-value="toggleItem(key)"
         :class="{
@@ -129,7 +142,8 @@
         v-if="hasNested(item)"
         :permissions="item.nested"
         :model-value="modelValue"
-        :disabled="disabled || !modelValue.includes(item.key)"
+        :disabled="disabled || !modelValue.includes(permissionKey(item.key))"
+        :preserve-case="preserveCase"
         @update:model-value="emit('update:modelValue', $event)"
         :level="level! + 1"
       />
diff --git a/resources/js/pages/graphql/schemas/Edit.vue b/resources/js/pages/graphql/schemas/Edit.vue
index 1651271865d..3b80f81a4b5 100644
--- a/resources/js/pages/graphql/schemas/Edit.vue
+++ b/resources/js/pages/graphql/schemas/Edit.vue
@@ -92,6 +92,7 @@
               :heading="group.heading"
               :permissions="group.permissions"
               :permission-keys="group.keys"
+              :preserve-case="true"
               v-model="form.permissions"
               :disabled="readOnly"
             />

From d272acfe5ac0f8663b4e53561a5466369e6e763a Mon Sep 17 00:00:00 2001
From: Rias <hey@rias.be>
Date: Sat, 27 Jun 2026 17:30:24 +0200
Subject: [PATCH 8/8] Canonicalize user permissions on the backend

---
 .../permissions/components/PermissionList.vue | 42 ++++--------
 resources/js/pages/graphql/schemas/Edit.vue   |  1 -
 src/User/UserPermissions.php                  | 67 ++++++++++++-------
 tests/Feature/User/UserPermissionsTest.php    | 42 ++++++++++++
 4 files changed, 100 insertions(+), 52 deletions(-)

diff --git a/resources/js/modules/permissions/components/PermissionList.vue b/resources/js/modules/permissions/components/PermissionList.vue
index 878d45bd735..9fe1f692d76 100644
--- a/resources/js/modules/permissions/components/PermissionList.vue
+++ b/resources/js/modules/permissions/components/PermissionList.vue
@@ -16,7 +16,6 @@
       permissions?: Record<string, PermissionItem>;
       heading?: string;
       permissionKeys?: Array<string>;
-      preserveCase?: boolean;
       disabled?: boolean;
       level?: number;
     }>(),
@@ -24,20 +23,11 @@
       permissions: () => ({}),
       modelValue: () => [],
       permissionKeys: () => [],
-      preserveCase: false,
       disabled: false,
       level: 0,
     }
   );
 
-  function permissionKey(key: string) {
-    return props.preserveCase ? key : key.toLowerCase();
-  }
-
-  function normalizePermissionKeys(keys: Array<string>) {
-    return keys.map(permissionKey);
-  }
-
   function allSelected() {
     if (!props.permissionKeys.length) {
       return false;
@@ -45,16 +35,12 @@
 
     const selected = new Set(props.modelValue);
 
-    return normalizePermissionKeys(props.permissionKeys).every((key) =>
-      selected.has(key)
-    );
+    return props.permissionKeys.every((key) => selected.has(key));
   }
 
   function toggleAll() {
-    const keys = normalizePermissionKeys(props.permissionKeys);
-
     if (allSelected()) {
-      const keysToRemove = new Set(keys);
+      const keysToRemove = new Set(props.permissionKeys);
       emit(
         'update:modelValue',
         props.modelValue.filter((key) => !keysToRemove.has(key))
@@ -62,19 +48,20 @@
       return;
     }
 
-    emit('update:modelValue', [...new Set([...props.modelValue, ...keys])]);
+    emit('update:modelValue', [
+      ...new Set([...props.modelValue, ...props.permissionKeys]),
+    ]);
   }
 
   function toggleItem(key: string) {
-    const normalizedKey = permissionKey(key);
-    const index = props.modelValue.indexOf(normalizedKey);
-
+    const index = props.modelValue.indexOf(key);
     if (index === -1) {
-      emit('update:modelValue', [...props.modelValue, normalizedKey]);
+      emit('update:modelValue', [...props.modelValue, key]);
     } else {
-      const keysToRemove = new Set(
-        normalizePermissionKeys([key, ...getNestedKeys(props.permissions[key])])
-      );
+      const keysToRemove = new Set([
+        key,
+        ...getNestedKeys(props.permissions[key]),
+      ]);
       emit(
         'update:modelValue',
         props.modelValue.filter((v) => !keysToRemove.has(v))
@@ -116,8 +103,8 @@
     <li>
       <CraftCheckbox
         :label="item.label"
-        :model-value="modelValue.includes(permissionKey(key))"
-        :value="permissionKey(key)"
+        :model-value="modelValue.includes(key)"
+        :value="key"
         :disabled="disabled"
         @update:model-value="toggleItem(key)"
         :class="{
@@ -142,8 +129,7 @@
         v-if="hasNested(item)"
         :permissions="item.nested"
         :model-value="modelValue"
-        :disabled="disabled || !modelValue.includes(permissionKey(item.key))"
-        :preserve-case="preserveCase"
+        :disabled="disabled || !modelValue.includes(item.key)"
         @update:model-value="emit('update:modelValue', $event)"
         :level="level! + 1"
       />
diff --git a/resources/js/pages/graphql/schemas/Edit.vue b/resources/js/pages/graphql/schemas/Edit.vue
index 3b80f81a4b5..1651271865d 100644
--- a/resources/js/pages/graphql/schemas/Edit.vue
+++ b/resources/js/pages/graphql/schemas/Edit.vue
@@ -92,7 +92,6 @@
               :heading="group.heading"
               :permissions="group.permissions"
               :permission-keys="group.keys"
-              :preserve-case="true"
               v-model="form.permissions"
               :disabled="readOnly"
             />
diff --git a/src/User/UserPermissions.php b/src/User/UserPermissions.php
index 403b3194bd8..904039cbc04 100644
--- a/src/User/UserPermissions.php
+++ b/src/User/UserPermissions.php
@@ -54,11 +54,11 @@ class UserPermissions
     private Collection $allPermissions;
 
     /**
-     * @var Collection<string>
+     * @var Collection<string, string>
      *
      * @see validatePermission()
      */
-    private Collection $allPermissionNames;
+    private Collection $permissionNamesByLowercase;
 
     /**
      * @var Collection<int, Collection<string>>
@@ -150,7 +150,8 @@ public function getPermissionsByGroupId(int $groupId): Collection
             fn () => $this->createUserPermissionsQuery()
                 ->join(new Alias(Table::USERPERMISSIONS_USERGROUPS, 'p_g'), 'p_g.permissionId', 'p.id')
                 ->where('p_g.groupId', $groupId)
-                ->pluck('p.name'),
+                ->pluck('p.name')
+                ->map(fn (string $permission) => $this->canonicalPermissionName($permission)),
         );
     }
 
@@ -171,7 +172,8 @@ public function getGroupPermissionsByUserId(int $userId): Collection
             ->join(new Alias(Table::USERPERMISSIONS_USERGROUPS, 'p_g'), 'p_g.permissionId', 'p.id')
             ->join(new Alias(Table::USERGROUPS_USERS, 'g_u'), 'g_u.groupId', 'p_g.groupId')
             ->where('g_u.userId', $userId)
-            ->pluck('p.name');
+            ->pluck('p.name')
+            ->map(fn (string $permission) => $this->canonicalPermissionName($permission));
     }
 
     /**
@@ -179,7 +181,7 @@ public function getGroupPermissionsByUserId(int $userId): Collection
      */
     public function doesGroupHavePermission(int $groupId, string $checkPermission): bool
     {
-        return $this->getPermissionsByGroupId($groupId)->containsStrict(strtolower($checkPermission));
+        return $this->getPermissionsByGroupId($groupId)->containsStrict($this->canonicalPermissionName($checkPermission));
     }
 
     /**
@@ -191,9 +193,6 @@ public function saveGroupPermissions(int $groupId, array $permissions): bool
     {
         Edition::require(Edition::Team);
 
-        // Lowercase permissions
-        $permissions = array_map(strtolower(...), $permissions);
-
         // Filter out any orphaned permissions
         $permissions = $this->filterOrphanedPermissions($permissions);
 
@@ -233,7 +232,8 @@ function () use ($userId) {
                     $userPermissions = $this->createUserPermissionsQuery()
                         ->join(new Alias(Table::USERPERMISSIONS_USERS, 'p_u'), 'p_u.permissionId', 'p.id')
                         ->where('p_u.userId', $userId)
-                        ->pluck('p.name');
+                        ->pluck('p.name')
+                        ->map(fn (string $permission) => $this->canonicalPermissionName($permission));
                 } else {
                     $userPermissions = [];
                 }
@@ -245,11 +245,7 @@ function () use ($userId) {
 
     public function validatePermission(string $permission): bool
     {
-        if (! isset($this->allPermissionNames)) {
-            $this->allPermissionNames = $this->getAllPermissions()->flatMap(fn (PermissionGroup $group) => $this->collectPermissionNames($group->permissions));
-        }
-
-        return $this->allPermissionNames->contains(strtolower($permission));
+        return $this->permissionNamesByLowercase()->has(strtolower($permission));
     }
 
     /**
@@ -259,7 +255,7 @@ public function validatePermission(string $permission): bool
     private function collectPermissionNames(Collection $permissions): Collection
     {
         return $permissions->flatMap(function (Permission $permission) {
-            $names = collect([strtolower($permission->key)]);
+            $names = collect([$permission->key]);
 
             if ($permission->nested->isNotEmpty()) {
                 return $names->merge($this->collectPermissionNames($permission->nested));
@@ -278,7 +274,7 @@ public function doesUserHavePermission(int $userId, string $checkPermission): bo
             return true;
         }
 
-        return $this->getPermissionsByUserId($userId)->containsStrict(strtolower($checkPermission));
+        return $this->getPermissionsByUserId($userId)->containsStrict($this->canonicalPermissionName($checkPermission));
     }
 
     /**
@@ -295,9 +291,6 @@ public function saveUserPermissions(int $userId, array $permissions): bool
             ->where('userId', $userId)
             ->delete();
 
-        // Lowercase the permissions
-        $permissions = array_map(strtolower(...), $permissions);
-
         // Filter out any orphaned permissions
         $groupPermissions = $this->getGroupPermissionsByUserId($userId);
         $permissions = $this->filterOrphanedPermissions($permissions, $groupPermissions->all());
@@ -355,6 +348,7 @@ public function handleChangedGroupPermissions(ConfigEvent $event): void
         $groupPermissionVals = [];
 
         if ($permissions) {
+            $permissions = $this->canonicalPermissionNames((array) $permissions);
             $now = now();
 
             foreach ($permissions as $permissionName) {
@@ -781,6 +775,8 @@ private function filterUnassignablePermissions(Collection $permissions, ?User $u
      */
     private function filterOrphanedPermissions(array $postedPermissions, array $groupPermissions = []): array
     {
+        $postedPermissions = $this->canonicalPermissionNames($postedPermissions);
+        $groupPermissions = $this->canonicalPermissionNames($groupPermissions);
         $filteredPermissions = [];
 
         if (! empty($postedPermissions)) {
@@ -812,7 +808,7 @@ private function findSelectedPermissions(
         $hasAssignedPermissions = false;
 
         foreach ($permissionsGroup as $permission) {
-            $key = strtolower($permission->key);
+            $key = $permission->key;
 
             // Should the user have this permission (either directly or via their group)?
             if (
@@ -848,14 +844,39 @@ private function findSelectedPermissions(
      */
     private function getPermissionModelByName(string $permissionName): UserPermission
     {
-        // Permission names are always stored in lowercase
-        $permissionName = strtolower($permissionName);
+        $permissionName = $this->canonicalPermissionName($permissionName);
+
+        if ($permissionModel = UserPermission::whereIn('name', [$permissionName, strtolower($permissionName)])->first()) {
+            return $permissionModel;
+        }
 
         return UserPermission::firstOrCreate([
             'name' => $permissionName,
         ]);
     }
 
+    /** @return Collection<string, string> */
+    private function permissionNamesByLowercase(): Collection
+    {
+        if (! isset($this->permissionNamesByLowercase)) {
+            $this->permissionNamesByLowercase = $this->getAllPermissions()
+                ->flatMap(fn (PermissionGroup $group) => $this->collectPermissionNames($group->permissions))
+                ->mapWithKeys(fn (string $permission) => [strtolower($permission) => $permission]);
+        }
+
+        return $this->permissionNamesByLowercase;
+    }
+
+    private function canonicalPermissionName(string $permission): string
+    {
+        return $this->permissionNamesByLowercase()->get(strtolower($permission), $permission);
+    }
+
+    private function canonicalPermissionNames(array $permissions): array
+    {
+        return array_values(array_unique(array_map($this->canonicalPermissionName(...), $permissions)));
+    }
+
     private function createUserPermissionsQuery(): Builder
     {
         return DB::table(Table::USERPERMISSIONS, 'p')->select(['p.name']);
@@ -868,7 +889,7 @@ public function reset(): void
     {
         unset(
             $this->allPermissions,
-            $this->allPermissionNames,
+            $this->permissionNamesByLowercase,
             $this->permissionsByGroupId,
             $this->permissionsByUserId,
         );
diff --git a/tests/Feature/User/UserPermissionsTest.php b/tests/Feature/User/UserPermissionsTest.php
index 194f1e45f77..e0ff92e08f3 100644
--- a/tests/Feature/User/UserPermissionsTest.php
+++ b/tests/Feature/User/UserPermissionsTest.php
@@ -1,14 +1,17 @@
 <?php
 
 use CraftCms\Cms\Asset\Models\Volume;
+use CraftCms\Cms\Database\Table;
 use CraftCms\Cms\Edition;
 use CraftCms\Cms\Section\Models\Section;
 use CraftCms\Cms\Site\Models\Site;
 use CraftCms\Cms\Support\Facades\Sites;
+use CraftCms\Cms\Support\Str;
 use CraftCms\Cms\User\Data\PermissionGroup;
 use CraftCms\Cms\User\Elements\User;
 use CraftCms\Cms\User\Models\UserGroup;
 use CraftCms\Cms\User\UserPermissions;
+use Illuminate\Support\Facades\DB;
 
 use function Pest\Laravel\actingAs;
 
@@ -135,3 +138,42 @@
 
     expect($this->userPermissions->doesUserHavePermission($user->id, 'accessSiteWhenSystemIsOff'))->toBeTrue();
 });
+
+test('permissions are resolved with canonical casing', function () {
+    $user = User::find()->one();
+
+    $this->userPermissions->saveUserPermissions($user->id, ['accesssitewhensystemisoff']);
+
+    expect($this->userPermissions->getPermissionsByUserId($user->id)->all())
+        ->toContain('accessSiteWhenSystemIsOff');
+    expect(DB::table(Table::USERPERMISSIONS)->where('name', 'accessSiteWhenSystemIsOff')->exists())
+        ->toBeTrue();
+
+    DB::table(Table::USERPERMISSIONS_USERS)
+        ->where('userId', $user->id)
+        ->delete();
+
+    $now = now();
+    $legacyPermissionId = DB::table(Table::USERPERMISSIONS)
+        ->where('name', 'accesscp')
+        ->value('id') ?? DB::table(Table::USERPERMISSIONS)->insertGetId([
+            'name' => 'accesscp',
+            'dateCreated' => $now,
+            'dateUpdated' => $now,
+            'uid' => Str::uuid(),
+        ]);
+
+    DB::table(Table::USERPERMISSIONS_USERS)->insert([
+        'permissionId' => $legacyPermissionId,
+        'userId' => $user->id,
+        'dateCreated' => $now,
+        'dateUpdated' => $now,
+        'uid' => Str::uuid(),
+    ]);
+
+    $this->userPermissions->reset();
+
+    expect($this->userPermissions->doesUserHavePermission($user->id, 'accessCp'))->toBeTrue();
+    expect($this->userPermissions->getPermissionsByUserId($user->id)->all())
+        ->toContain('accessCp');
+});