diff --git a/api/src/DataAccess/Models/DatabaseObjects/dbUser.cs b/api/src/DataAccess/Models/DatabaseObjects/dbUser.cs
index aae070c..cdf2af2 100644
--- a/api/src/DataAccess/Models/DatabaseObjects/dbUser.cs
+++ b/api/src/DataAccess/Models/DatabaseObjects/dbUser.cs
@@ -11,6 +11,6 @@ public class dbUser
 public int FailedLoginAttempts { get; set; }
 public DateTime? LockedUntil { get; set; }
 public DateTime? CreatedAt { get; set; }
- public string? RoleInternalName { get; set; }
- public string? RoleDisplayName { get; set; }
+ public required string RoleInternalName { get; set; }
+ public required string RoleDisplayName { get; set; }
 }
diff --git a/api/src/Models/Security/UserRoles.cs b/api/src/Models/Security/UserRoles.cs
index bf7e7d7..b5b218f 100644
--- a/api/src/Models/Security/UserRoles.cs
+++ b/api/src/Models/Security/UserRoles.cs
@@ -2,20 +2,15 @@ namespace WinStudentGoalTracker.Models;
 
 public static class UserRoles
 {
- // Role names from role-based-access-control.md
- public const string Teacher = "Teacher";
- public const string Paraeducator = "Paraeducator";
- public const string ProgramAdmin = "ProgramAdmin";
- public const string DistrictAdmin = "DistrictAdmin";
- public const string SuperAdmin = "SuperAdmin";
+ public const string Teacher = "teacher";
+ public const string Paraeducator = "paraeducator";
+ public const string ProgramAdmin = "program_admin";
+ public const string DistrictAdmin = "district_admin";
+ public const string SuperAdmin = "super_admin";
 
- public static readonly IReadOnlyList All = new[]
- {
- Teacher,
- Paraeducator,
- ProgramAdmin,
- DistrictAdmin,
- SuperAdmin
-
- };
+ public static string? TryParse(string value) =>
+ All.Contains(value) ? value : null;
+
+ public static readonly IReadOnlyList All =
+ [Teacher, Paraeducator, ProgramAdmin, DistrictAdmin, SuperAdmin];
 }
diff --git a/api/src/Services/TokenService.cs b/api/src/Services/TokenService.cs
index 9824a48..3150bb6 100644
--- a/api/src/Services/TokenService.cs
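Review bot: `required` on RoleInternalName and RoleDisplayName only constrains object-initializer call sites at compile time; if dbUser is populated by a data-access mapper through reflection or plain property setters (which its DataAccess location suggests but the hunk does not show), a NULL role column or an unmatched join still lands a null in a property now typed as non-nullable, so the new type is not a runtime guarantee. Downstream code that now takes a non-nullable role (TokenService.GenerateToken in this same commit) would receive that null with no compiler warning. Consider documenting the invariant the schema is expected to enforce, e.g. `// Non-null only while the role column/join is NOT NULL; verify against the repository query.`, or checking it at the mapping boundary. The dbUser class starts outside the hunk.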
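Review bot: The canonical role literals change both case and shape ("Teacher" → "teacher", "ProgramAdmin" → "program_admin") while `TryParse` compares with ordinal `Contains`, so any stored role row, previously issued token or `[Authorize(Roles = ...)]` literal that still carries the old spelling stops matching; that fails closed at token generation, but nothing in this commit migrates existing data or names the other comparison sites, so please confirm they are covered. The removed comment pointed at role-based-access-control.md, and the values now differ from the names that document presumably lists, so either update the document or restore the pointer, e.g. `// Canonical role identifiers as stored in the roles table; keep in sync with role-based-access-control.md`. `TryParse` is also a misnomer for a membership check that returns its input unchanged — `bool IsKnown(string value)` or the `bool TryParse(string, out string)` convention would read as intended, and the caller in TokenService currently tests the result against null rather than using it.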
+++ b/api/src/Services/TokenService.cs @@ -2,6 +2,7 @@ using System.IdentityModel.Tokens.Jwt; using System.Security.Claims; using System.Text; using Microsoft.IdentityModel.Tokens; +using WinStudentGoalTracker.Models; namespace WinStudentGoalTracker.Services; @@ -15,8 +16,14 @@ public class TokenService _config = config; } - public string GenerateToken(Guid userId, string email, string? roleName) + public string GenerateToken(Guid userId, string email, string role) { + + if (UserRoles.TryParse(role) is null) + { + throw new ArgumentException("Invalid role name"); + } + var claims = new List { new Claim(JwtRegisteredClaimNames.Sub, userId.ToString()), @@ -25,9 +32,9 @@ public class TokenService new Claim("user_id", userId.ToString()) }; - if (!string.IsNullOrWhiteSpace(roleName)) + if (role is not null) { - claims.Add(new Claim(ClaimTypes.Role, roleName)); + claims.Add(new Claim(ClaimTypes.Role, role)); } var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_config["Jwt:Key"]!));
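Review bot: The guard `if (role is not null)` in the last hunk is dead code: the check added at the top of GenerateToken in the previous hunk throws for every value `UserRoles.TryParse` rejects, null included, so by this point role is always a known role and the claim is always added — the surviving conditional suggests a role-less token is still possible when it is not. Make the dependency explicit by keeping the validated value: replace the top guard with `var validRole = UserRoles.TryParse(role) ?? throw new ArgumentException("Invalid role name", nameof(role));` and add the claim unconditionally with `claims.Add(new Claim(ClaimTypes.Role, validRole));`, which also passes the parameter name to ArgumentException as that type expects. Validating the role against the closed `UserRoles.All` list before it is embedded in a signed token is the right fail-closed behaviour and deserves a one-line comment, e.g. `// Only roles known to UserRoles may be minted into a token; unknown values fail closed.`. GenerateToken continues past the end of the hunk.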