Can't get RBAC permissions from the access token payload


I am making a frontend that consumes an API protected by Auth0. I have successfully implemented a public path and a private (login protected) path for my API.

Now I would like to implement RBAC for my test user and for this I have observed the steps described in the how-to, namely:

  1. Register the API
  2. Define permissions
  3. Create roles
  4. Assign roles/permissions to my test user

Then finally I enabled the RBAC on my API as per this documentation. Now when I go check in my backend the access token payload I received from Auth0, I don’t have a permissions field for the user. Rather I am getting this:

  "nickname": "martin5",
  "name": "<obfuscated>",
  "picture": "",
  "updated_at": "2020-03-19T19:37:28.735Z",
  "email": "<obfuscated>",
  "email_verified": true,
  "iss": "https://<obfuscated>",
  "sub": "auth0|5dbc8ddb33c5e20d81912e99",
  "aud": "PyNVW4rk2eBKt10tnD3J8APuVfUZ4nO3",
  "iat": 1584646648,
  "exp": 1584682648,
  "at_hash": "Dbn7HuZXHkBnovI9pHWMkg",
  "nonce": "PEUnxeuDPo0Znj2e7XNDU5sYvmTaX_0D"

What have I missed out?



PS: Technically my backend is a python serverless lambda infrastructure with a custom authorizer, my front-end is a plain html, css, javascript (no React, Vue, Express, Angular…), and the library I am using to authenticate is lock (

Hi @martin5,

Welcome to the Community!

Can you confirm that you toggled on the Add Permissions in the Access Token setting and saved afterwards? I just tested this to confirm, and you should just have to add the custom API as the audience, add the permission to the role, and the role to the user, then you should get an access token with the respective permissions.

Also, the aud claim is typically the identifier uri of your API, it looks like you may have used the id.

Let me know if either of those solve it,

Hi Dan,

Thank you for pointing me to the actual problem: yes when I instanciated auth0Lock I did not indicate the audience , so indeed, where was auth0 going to get the permissions from?!

This said and FYI, when I looked at the lock configuration doc it indicates that the audience parameter belongs to the auth object, however, while I did this it did not work. I had to find this forum post and set the audience field under the params property of the auth object to get my RBAC. This is not documented. Is the documentation wrong? Is my use case rare?

In any case, thank you very much, this was a life saver!


1 Like

Thanks for the follow up! Can you post an example so I can see what you mean?


Hi @dan.woda,

I just had contradicting information and the unofficial information is the one that worked for me.

on Lock Configuration Options I have:

var options = {
  auth: {
    audience: 'https://YOUR_DOMAIN/userinfo',

whereas on Audience with embedded Lock as Popup - #3 by zatziky I used the following signature that worked instead of the one above:

const lock = new Auth0Lock(clientId, domain, {
    oidcConformant: true,
    autoclose: true, 
    auth: {
      sso: false,
      responseType: 'token id_token',
      redirectUri: process.env.AUTH0_REDIRECT_URI,
      params: {
        audience: ''


Interesting, thanks for following up with that. I’ll pass the info along!

Adding additional data to Access Tokens in Auth0 isn’t as difficult as their documentation would have you believe.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.