
Associating access token to customer account

What is the typical best practice for associating a user with a customer account? For example, when the user logs in, they get back the access token. Within that access token, it will have scopes such as crud:calendar. While I trust that this user has permission to now perform CRUD operations on the calendar, I only want to allow them to perform CRUD operations on the calendar that is associated with their account.

What would be the general best practice for doing this? I could add the customer account id to the scope… But I want to know what the general best practice would be.

For an access token issued as part of an end-user authentication flow, the sub claim will by default contain the user identifier of the relevant user, so you can use that information to track user-specific resources.

The value of sub maps to the user_id within the user profile, so the reference docs for the user identifier also apply to this scenario (
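The pattern the answer describes, as an added example that is not code from the original thread or from Auth0's SDKs: the API verifies the access token, takes the `sub` claim from it, and compares that value with the owner recorded on the requested calendar, so the scope only says *what kind* of operation is allowed and the ownership check decides *which* calendar. Everything below is constructed for the example: the calendar store, the user ids, the audience and issuer, and the use of HS256 with a shared secret so that it runs offline (real Auth0 access tokens are RS256-signed and should be verified against the tenant JWKS with a JWT library).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values (not from the original post). The shared secret stands in
# for the JWKS/RS256 verification a production API would do.
SECRET = b"example-shared-secret"
AUDIENCE = "https://calendar-api.example"   # the API identifier the token is issued for
ISSUER = "https://example.auth0.com/"      # the tenant that issued the token

# Constructed resource store: calendar id -> owner. The owner is the same
# value that appears as `sub` in that user's access tokens.
CALENDARS = {
    "cal-1": {"owner": "auth0|alice", "title": "Alice's calendar"},
    "cal-2": {"owner": "auth0|bob", "title": "Bob's calendar"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(sub: str, scope: str, ttl: int = 300, now=None) -> str:
    """Issue a test token; plays the role of the authorization server here."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": sub,
              "scope": scope, "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now=None) -> dict:
    """Return the claims only if signature, alg, issuer, audience, expiry and sub check out."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, c64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # Pin the algorithm you expect; never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    if not isinstance(claims.get("sub"), str) or not claims["sub"]:
        raise ValueError("missing sub")
    return claims


def authorize_calendar(token: str, calendar_id: str, now=None) -> tuple:
    """Decide whether the token's user may perform CRUD on calendar_id.

    Returns (allowed, reason). The scope check answers "may this user do CRUD
    on calendars at all"; the ownership check answers "on this calendar".
    """
    try:
        claims = verify_token(token, now)
    except ValueError as exc:
        return False, f"invalid token: {exc}"
    if "crud:calendar" not in claims.get("scope", "").split():
        return False, "missing scope crud:calendar"
    calendar = CALENDARS.get(calendar_id)
    if calendar is None:
        return False, "no such calendar"
    # Object-level authorization: the resource's owner must equal the verified sub.
    if calendar["owner"] != claims["sub"]:
        return False, "calendar belongs to another user"
    return True, "ok"


if __name__ == "__main__":
    alice = mint_token("auth0|alice", "crud:calendar")
    print("alice -> cal-1:", authorize_calendar(alice, "cal-1"))
    print("alice -> cal-2:", authorize_calendar(alice, "cal-2"))
```

In a real API the "no such calendar" and "belongs to another user" outcomes should both surface as the same 404 so that callers cannot enumerate other users' calendar ids; the distinct reasons above are only for logging.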