Custom Scope/Permission in Access Token from SPA (ReactJS)

I have set up a ReactJS SPA with a Python Flask backend. Both are registered via the auth0 dashboard and I was successfully able to have a user log in and authenticate with auth0, then request an access token from auth0 in order to access a private endpoint on my Flask api. Now, however, I am trying to implement custom scopes to the same api in addition to authentication.

An example is that I have a dashboard on the SPA which only users with the permission ‘admin:dashboard’ should be allowed to access. I added this custom permission to both the Flask app via the auth0 dashboard and to my user which I am using to test this. I then carry out the same process as before by using getAccessTokenSilently but this time parsing ‘admin:dashboard’ into the scope parameter in addition to the audience. I then receive an access token back BUT when I decode the JWT token, the ‘admin:dashboard’ permission is not there. Only ‘openid profile email offline_access’ is there, just like before.

Can anyone help me understand where I am going wrong please? I basically need the access token to contain the custom permission IF the user who is requesting it has that permission assigned to them on auth0.


Hey @buzzpod, Welcome to the Auth0 Community!

Have you tried enabling the RBAC functionality for your Custom API?

Enabling RBAC and enabling the Add permissions in the access token will evaluate the scope and permissions granted to the user and provide the intersection of both in the access token as well, in the form of permissions.

Have a look and let me know how you go.
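
The check the Flask side could run once the setting above is enabled, as an added example that is not part of the original posts and not Auth0's code: it reads the token's claims and fails closed when the `permissions` claim is missing, which is the state described in the question. The sample tokens, the audience URL and all function names are constructed for illustration, and the code assumes the claim is a JSON array named `permissions`; the decode helper is for inspection only, and an API must verify the token's signature before trusting any claim.

```python
import base64
import json

REQUIRED = "admin:dashboard"  # permission named in the question

def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Constructed sample token; the signature segment is a dummy value."""
    return ".".join([_b64url({"alg": "RS256", "typ": "JWT"}), _b64url(claims), "c2ln"])

def decode_payload_unverified(token: str) -> dict:
    """Read the claims for debugging only. The signature is NOT checked here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(segment))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims

def check_permission(claims: dict, required: str) -> tuple[bool, str]:
    """Fail closed: only an explicit entry in `permissions` grants access."""
    perms = claims.get("permissions")
    if not isinstance(perms, list):
        return False, "no permissions claim in token"
    if required not in perms:
        return False, "permission not granted to user"
    return True, "ok"

# Constructed payloads: the token described in the question, and one that
# carries the permissions claim (assumed shape: a JSON array of strings).
BEFORE = make_sample_token({"aud": "https://api.example.test",
                            "scope": "openid profile email offline_access"})
AFTER = make_sample_token({"aud": "https://api.example.test",
                           "scope": "openid profile email offline_access",
                           "permissions": [REQUIRED]})

if __name__ == "__main__":
    for name, tok in (("before", BEFORE), ("after", AFTER)):
        print(name, check_permission(decode_payload_unverified(tok), REQUIRED))
```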