Best practice for role-based or permission-based authorization in a React SPA

I’m using Auth0 with a React single-page application.
I need to implement authorization logic at the frontend level — for example, hiding certain routes or UI elements depending on what the user is allowed to do (e.g., only admins can access an admin dashboard).
I see a few possible approaches:
Include user roles as a custom claim in the ID or access token via an Auth0 Post-Login Action (I’ve read that Auth0 provides this option). Then, check the roles in the React app.
Instead of roles, rely on the permissions claim that Auth0 automatically adds to the access token when RBAC is enabled (“Add permissions in the Access Token” option).
Dynamically retrieve roles or permissions from the Auth0 Management API (though I know this isn’t recommended directly from the browser).
I’ve read that tokens generally shouldn’t expose too much authorization data, and I’m trying to understand what’s considered a best practice for SPAs.

For frontend-only route visibility (not API enforcement), should I rely on roles in the token (via a Post-Login Action), on permissions in the token (via RBAC), or is there a more secure/recommended way to handle client-side authorization in a React SPA using Auth0?

Thanks!

Hi @ale.sassi

Welcome to the Auth0 Community!

Thank you for posting your question. Your best bet is to use the Auth0 RBAC inside the API setting, with the addition of adding the permission to the access token in the API RBAC setting. This way, users who have been assigned a specific role will automatically receive the permission during access token retrieval.

1. Here’s a guide on how to add permissions to API → Add API Permissions

2. Access Token validation → Validate Access Tokens

3. Protecting a route with a claims check → auth0-react/EXAMPLES.md at main · auth0/auth0-react · GitHub

Thank you and let me know if you have additional questions
Dawid