Hi @finom
You can add permissions in the access token by simply clicking the toggle ON for the “Add Permissions in the Access Token” setting. Please let me know if you need any clarification or if I can help you understand this feature.
I’m not sure what you mean by “Why secrets object is gone”. The secrets object is a customizable store for sensitive data, and you can add whatever data you want in a secret. It is a perfect place to store a client ID and secret. You must add these properties (client_id, client_secret), they are not automatically configured in an Action.
See our documentation about how to write your first action.
See answer #1.
No. Can you give an example of how they have changed?
I would not suggest calling the management API on every authentication. This is not a scalable pattern.
As for your first questions, they are addressed in our documentation (how secrets work, adding permissions to the AT). I would start by taking a look at our docs.
https://auth0.com/docs/get-started/apis/enable-role-based-access-control-for-apis
Rules would have had the same issues with the management API rate limits. Management API calls from rules are still subject to rate limits.