In our v3 project we extended the user-permissions plugin to check if there was a user authenticated (ctx.state.user), if so we’d add our own attributes. Additionally, if there wasn’t a user or an authorization header in ctx, then we’d try to get the jwt token from ctx and fetch the authenticated user.