Action Flow AccessToken empty on onExecutePostLogin

Hi @nolafs,

Thanks for following up.

You can protect your endpoints with Scopes (permissions).

It would look something like the following:

https://{yourDomain}/authorize?
    response_type=code&
    client_id={yourClientId}&
    redirect_uri={https://yourApp/callback}&
    scope=email%20profile%20openid%20read:reports%20update:reports&
    audience={yourAPIAudience}&
    state={state}

(Reference: Call Your API Using the Authorization Code Flow)

So say, for example, if a user does not have the permissions granted to them that are required for accessing your app or some protected resource, then they will be prevented from logging in.

Here are some helpful resources:

Please let me know how this goes for you.

Thanks,
Rueben
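
The reply above requests `read:reports` and `update:reports` for an API audience. The API still has to enforce those scopes on every request. The following sketch of that check is an added example, not code from the post or from Auth0. The function names, the audience URL and the sample claims are assumptions, and the token's signature, issuer and expiry are assumed to have been verified already by a JWT library.

```javascript
// Added example: scope enforcement at the API (resource server).
// Assumes `claims` is the payload of an access token whose signature,
// issuer and expiry have ALREADY been verified by a JWT library.

function grantedScopes(claims) {
  // OAuth 2.0 carries scopes as one space-delimited string in `scope`.
  const fromScope = typeof claims.scope === 'string'
    ? claims.scope.split(' ').filter(Boolean)
    : [];
  // Auth0 RBAC can also add a `permissions` array to the access token.
  const fromPermissions = Array.isArray(claims.permissions)
    ? claims.permissions.filter((p) => typeof p === 'string')
    : [];
  return new Set([...fromScope, ...fromPermissions]);
}

function authorize(claims, expectedAudience, requiredScopes) {
  // `aud` may be a single string or an array of audiences.
  const audiences = [].concat(claims.aud ?? []);
  if (!audiences.includes(expectedAudience)) {
    // Token was issued for a different API: reject before looking at scopes.
    return { allowed: false, status: 401, missing: [] };
  }
  const granted = grantedScopes(claims);
  const missing = requiredScopes.filter((s) => !granted.has(s));
  // A valid token with insufficient scope maps to HTTP 403.
  return missing.length === 0
    ? { allowed: true, status: 200, missing }
    : { allowed: false, status: 403, missing };
}

// Constructed sample claims (hypothetical values, not from a real tenant).
const API_AUDIENCE = 'https://api.example.test/reports';
const readerClaims = {
  aud: [API_AUDIENCE, 'https://tenant.example.test/userinfo'],
  scope: 'openid profile email read:reports',
};

console.log(authorize(readerClaims, API_AUDIENCE, ['read:reports']));
console.log(authorize(readerClaims, API_AUDIENCE, ['update:reports']));
```
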