Add All User Permissions to AccessToken

Our frontend application handles user logins and receives an AccessToken. We plan to use this AccessToken across multiple APIs in our ecosystem, and we want it to include the user’s permissions for each API they might access.

I created an API in the Auth0 Dashboard, enabled “Enable RBAC,” and activated “Add Permissions in the Access Token.” Based on the RBAC Settings descriptions, I assumed this would be sufficient to add permissions to the AccessToken upon user login. However, this did not reflect in the token. I can only see “roles” that I added to a namespace using an Auth0 Action but I cannot find permissions in the “session.user” object.

Hello,

To receive permission in access token, you need to include the audience parameter in your Authorization request. If you are working with a single-page application, you should use Silent Authentication to obtain an access token. If you are using an SDK, it will automatically make a call to the token endpoint, and you can capture the token in the network calls to validate