Currently we use the following as key for identities:

• access-token: hash of the token
• session: session id
• ip range: customer id

However it was noted that we should rather use the user id in case an access token / session is identified.