Assistance Required: Permissions Missing in Access Token for Custom API in Auth0


I’m facing a peculiar issue with Auth0 where the permissions are not being included in the access token for a custom API, despite the permissions being properly set up, and RBAC settings including “Add Permissions in the Access Token” being enabled. Interestingly, this issue does not occur with the default Auth0 API, where permissions are correctly included in the access token.

Here’s a more detailed breakdown:

  • Context: When using the default Auth0 API, permissions are correctly reflected in the access token. However, for my custom API, the permissions array in the access token is empty.
  • Configuration Checks: For my custom API, I’ve ensured that RBAC is enabled, and the “Add Permissions in the Access Token” toggle is on. Permissions are defined and exist within the API settings.
  • Testing Methods: I’ve tested this behavior in several ways:
    • Using PHP to decode the token.
    • Directly on the API’s test tab on the Auth0 website.
    • Through to decode and inspect the access token.
  • Observations:
    • For the default API, permissions show up as expected in the access token.
    • For the custom API, despite similar configurations and the existence of permissions, the permissions array is empty in the access token.

This has left me puzzled, as the only significant difference between the two scenarios is whether the API is the default one provided by Auth0 or a custom one created by me. Yet, the permissions seem to be handled differently.

Could someone guide me on what might be missing or incorrectly configured for my custom API? Why would permissions appear in the access token for the default API but not for my custom API, despite seemingly identical settings? Any insights, advice, or steps I could follow to resolve this would be greatly appreciated.

Thank you for your time and help!

Hi @smoriggi,

Welcome to the Auth0 Community!

Could you clarify if you included your audience in your login request?
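
An added example, not part of the original posts: a Python check that decodes an access token's payload and reports whether the `aud` claim contains the custom API's identifier and whether the `permissions` claim is absent, empty, or populated. The API identifier and the sample tokens are constructed placeholders, and the signature is deliberately not verified, so this is for inspection only and not for authorization decisions.

```python
import base64
import json


def _decode_segment(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def inspect_access_token(token, expected_audience):
    """Report aud/permissions WITHOUT verifying the signature (inspection only)."""
    result = {"is_jwt": False, "audiences": [], "audience_ok": False, "permissions": None}
    parts = token.split(".")
    if len(parts) != 3:
        return result  # not a three-part JWT, so there are no claims to read
    try:
        claims = _decode_segment(parts[1])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return result
    if not isinstance(claims, dict):
        return result
    aud = claims.get("aud", [])
    audiences = [aud] if isinstance(aud, str) else list(aud)  # aud may be a string or a list
    result.update(
        is_jwt=True,
        audiences=audiences,
        audience_ok=expected_audience in audiences,
        permissions=claims.get("permissions"),  # None = claim absent, [] = present but empty
    )
    return result


def make_sample_token(claims):
    # Constructed sample token with a dummy signature so the example runs offline.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])


API_ID = "https://api.example.test"  # hypothetical custom API identifier
SAMPLES = {
    "audience and permissions": make_sample_token({"aud": [API_ID], "permissions": ["read:items"]}),
    "audience, empty permissions": make_sample_token({"aud": API_ID, "permissions": []}),
    "different audience": make_sample_token({"aud": "https://other.example.test"}),
    "not a JWT": "constructed-opaque-token",
}

if __name__ == "__main__":
    for label, token in SAMPLES.items():
        print(label, inspect_access_token(token, API_ID))
```

Distinguishing `permissions: None` (claim absent) from `permissions: []` (claim present but empty) and checking `audience_ok` separates a token issued for a different audience from one issued for the custom API with no permissions in it.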