API Permissions not in User.Claims

Hi @jonnyb, welcome to 2024!

After additional investigation I can tell that the role-based API permissions are intended to be present in the Access Token, and with the Actions script it's possible only to enrich the ID token with the Roles claim.

One way that comes to my mind, if you need this data within the ID token, is to update the user’s app_metadata or user_metadata object with the API permissions and add a custom claim to the ID token containing this metadata (in a similar way you added the Roles claim).

This Management API endpoint lists a user's permissions (both those assigned directly and those that come from Role assignments) - Auth0 Management API v2
They are listed per resource_server_identifier (your API identifier).

In the Actions script you can also refer to the event.resource_server object and use this identifier to extract only the API permissions relevant to the login context.

One of our community folks has tried to implement it using Rules (soon deprecated), so maybe you can use it as a reference when building the Actions script - Accessing the permissions array in the access token - #10 by ryantomaselli
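A sketch of the approach described in the reply above, written here as an added example (it is not code from the post, from ryantomaselli's thread, or from Auth0): a post-login Action that reads permissions previously copied into the user's app_metadata, keeps only those whose resource_server_identifier matches event.resource_server.identifier, and sets them as a namespaced ID token claim. The app_metadata layout and the claim namespace are assumptions.

```javascript
// Added example, not the original post's code. Assumed app_metadata shape,
// populated out of band from the Management API "list user permissions" response:
//   { permissions: [{ permission_name: 'read:orders',
//                     resource_server_identifier: 'https://api.example.com' }, ...] }

// Namespaced claim name (constructed): custom claims must not collide with standard OIDC claims.
const PERMISSIONS_CLAIM = 'https://example.com/claims/permissions';

// Pure helper so the selection logic can be tested without the Actions runtime.
function selectPermissions(storedPermissions, audience) {
  if (!Array.isArray(storedPermissions) || typeof audience !== 'string') return [];
  const names = storedPermissions
    .filter((p) => p && p.resource_server_identifier === audience && typeof p.permission_name === 'string')
    .map((p) => p.permission_name);
  // De-duplicate (a permission may be both direct and role-derived) and keep the output stable.
  return [...new Set(names)].sort();
}

// Claim value for a login event, or null when no API is in the login context.
function permissionsClaimFor(event) {
  const audience = event.resource_server && event.resource_server.identifier;
  if (!audience) return null; // plain OIDC login with no audience: add nothing
  const stored = (event.user && event.user.app_metadata && event.user.app_metadata.permissions) || [];
  return selectPermissions(stored, audience);
}

// Actions entry point: Auth0 calls exports.onExecutePostLogin(event, api).
// Only permissions for the requested API reach the ID token, so one API's
// permissions are not disclosed to a client logging in for another.
async function onExecutePostLogin(event, api) {
  const perms = permissionsClaimFor(event);
  if (perms === null) return;
  api.idToken.setCustomClaim(PERMISSIONS_CLAIM, perms);
}

if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;
```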