Auth0 JWT does not have permissions

Hello, we’re trying to use scopes for our application (PHP + Laravel framework) and the JWT returned by Auth0 doesn’t seem to have the requested permissions.

We did the following after installing the SDK:

  1. we created a custom API from the Auth0 panel
  2. enabled RBAC and “Add Permissions in the Access Token”
  3. added roles and permissions to a couple of users
  4. added the audience

Plus in our code we have a class that extends \Auth0\Laravel\Contract\Auth\User\Repository and inside the fromSession method when we look at the response content (eg. the argument of the method) we do not have the “permissions” field.

In the .env file we defined also:

AUTH0_DOMAIN=our domain
AUTH0_CLIENT_ID=our client id
AUTH0_CLIENT_SECRET=our client secret
AUTH0_REDIRECT_URI=our redirect url

What did we do wrong? :frowning:

Would appreciate any help or pointers in figuring this out.
Thanks in advance.


Hi @DispatchCode,

Welcome to the Auth0 Community!

Can you please confirm you are looking at the access token for the permissions?


:wave: Depending on your implementation, you may need to configure your AUTH0_AUDIENCE to your custom API identifier as well. It doesn’t appear that is in your ENV file currently.


Thanks for the suggestion @evansims! :raised_hands:


Thanks for your feedback guys :slight_smile:

@dan.woda positive. What we expect is an array like:

  "permissions": [

But in the output there is none.

@evansims done! But it still doesn’t work. We have AUTH0_AUDIENCE and AUTH0_SCOPE as well, but the output doesn’t change.

Can you please share with us an example access token? You can omit any sensitive data.

First of all, excuse me for my delay.

I would like to do it @dan.woda but I don’t know how to get it, due to the Laravel implementation, but I can paste what we get from the method “fromSession” doing a dump of $user:

  "nickname" => "nickname"
  "name" => "Marco C"
  "picture" => "picture url"
  "updated_at" => "2022-05-12T09:22:45.381Z"
  "email" => "mail_address"
  "email_verified" => true
  "iss" => "our url"
  "sub" => "auth0|key"
  "aud" => "aud_code"
  "iat" => 123456789
  "exp" => 123456789
  "nonce" => "nonce"

I’m pretty sure that we are doing something wrong with the Laravel implementation.

Just to clarify, I did the same process (authentication) using CURL as mentioned before, and after the /token call I get what I expected (token decoded from

  "iss": "https://url",
  "sub": "auth0|key",
  "aud": "https://oururl/api",
  "iat": 12355788,
  "exp": 12355788,
  "azp": "hash",
  "scope": "viewall:categories",
  "permissions": [

How can we get such information?

Thanks for your support!

I almost forgot. After some searching a few days ago I found this: Sample Use Cases: Scopes and Claims
Could it be an option, or would it be the wrong way to get such information?

This is a dump of the ID Token, which does not include permissions for the user.

This is the Access Token, which includes permission info.

It looks like you will need to find this information in the Access Token.


Hey again @DispatchCode :wave: It sounds like you might be using the PHP SDK for authentication rather than authorization, in which case this might not work the way you’re expecting as you’re working with ID rather than Access Tokens. This is a super common misunderstanding, and I don’t blame anyone for getting confused with this stuff! There’s a good post on our blog about the differences here: ID Token and Access Token: What Is the Difference?

For what you’re looking to do, you might want to consider injecting the permissions into your ID Tokens. I believe someone contributed a rule for this a while back that might help you, although admittedly, I have not tried it myself and your mileage may vary: Accessing the permissions array in the access token - #10 by ryantomaselli


Thanks for the added context @evansims!

@DispatchCode If you are planning on using that rule, be aware of the Management API Endpoint Rate Limits. Depending on how many logins you are processing, you could run into this rate limit and that could break your login flow.

Let us know if you have any other questions. Thanks!


Thanks @dan.woda I always forget to mention that side of things, whoops!

Going back to the Access Token, I forgot to mention you should be able to access that Token from an authenticated session using the Auth0\SDK\Auth0::getAccessToken() method, but it is the token in its “raw” JWT format — it isn’t decoded like the ID Token is for you. You should be able to run it through the Auth0\SDK\Auth0::decode() method to get to the data you’re looking for, though. More on that here: GitHub - auth0/auth0-PHP: PHP SDK for Auth0 Authentication and Management APIs.


Thanks @dan.woda and @evansims, your answers have been very helpful! Also thank you for the links given, I suspect that they will be helpful.

Looking at the source code of the Auth0 Laravel SDK and PHP-SDK and the snippet provided by evansims, I finally figured out how to get permissions.
For those who are interested in it, this is what I did, with a little “write up”:

use Auth0\SDK\Token\Parser;
// Parse the raw access-token JWT held by the authenticated session
$auth0Sdk = app('auth0')->getSdk();
$parse = new Parser($auth0Sdk->getAccessToken(), $auth0Sdk->configuration());

Here app('auth0')->getSdk(); returns an SdkConfiguration instance that will be used later as an argument for the Parser constructor; the other argument is the JWT token mentioned by dan.woda and evansims.

If you don’t use Parser but instead you call the decode method:

$auth0Token = $auth0Sdk->decode($auth0Sdk->getAccessToken());

You will get an instance of Token that has a “parse” private member. Apparently there is no way to get the Parser instance inside it.

If you create an instance of Parser as shown before, internally (in the constructor), the parse method will be called and the token will be decoded.

The output will be:

^ array:3 [▼
  0 => "create:articles"
  1 => "read:admin-messages"
  2 => "viewall:categories"

Simpler than I could even imagine!

I hope this can help someone in the same situation around here.

Thanks for your support :slight_smile: you can close that topic.
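
To tell which token a dump comes from, as discussed in this thread, the following added example (not code from the thread or from the Auth0 SDK) decodes a JWT payload for inspection and reports whether its audience is the application's client ID (ID token) or the API identifier (access token), and whether a permissions claim is present. The function names, client ID and API identifier are assumptions and the tokens are constructed samples; the signature is not verified here, so authorization decisions should rely on a token validated through the SDK.

```php
<?php
// Added example: inspection only. Signatures are NOT verified in this script.

/** Decode one base64url-encoded JWT segment into an associative array. */
function jwtSegment(string $segment): array
{
    $padded = $segment . str_repeat('=', (4 - strlen($segment) % 4) % 4);
    $json = base64_decode(strtr($padded, '-_', '+/'), true);
    if ($json === false) {
        throw new InvalidArgumentException('segment is not valid base64url');
    }
    return json_decode($json, true, 16, JSON_THROW_ON_ERROR);
}

/** Report which kind of token this looks like and the permissions it carries. */
function describeToken(string $jwt, string $clientId, string $apiAudience): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        // Without an audience, Auth0 issues an opaque (non-JWT) access token.
        throw new InvalidArgumentException('not a compact JWT (opaque access token?)');
    }
    $claims = jwtSegment($parts[1]);
    $aud = (array) ($claims['aud'] ?? []);   // "aud" may be a string or a list
    if (in_array($apiAudience, $aud, true)) {
        $kind = 'access token for the API';
    } elseif (in_array($clientId, $aud, true)) {
        $kind = 'ID token';
    } else {
        $kind = 'unknown audience';
    }
    return ['kind' => $kind, 'permissions' => $claims['permissions'] ?? null];
}

/** Build a constructed sample token with a fake signature (hypothetical helper). */
function sampleJwt(array $claims): string
{
    $enc = fn (array $a): string => rtrim(strtr(base64_encode(json_encode($a)), '+/', '-_'), '=');
    return $enc(['alg' => 'RS256', 'typ' => 'JWT']) . '.' . $enc($claims) . '.c2ln';
}

$clientId = 'example-client-id';      // placeholder client ID
$api = 'https://api.example.test/';   // placeholder API identifier (AUTH0_AUDIENCE)
$idToken = sampleJwt(['sub' => 'auth0|key', 'aud' => $clientId, 'nonce' => 'nonce']);
$accessToken = sampleJwt(['sub' => 'auth0|key', 'aud' => [$api], 'azp' => $clientId,
    'scope' => 'viewall:categories', 'permissions' => ['viewall:categories']]);

var_dump(describeToken($idToken, $clientId, $api));
var_dump(describeToken($accessToken, $clientId, $api));
```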