@swilks RBAC is associated with a custom API, but access tokens issued to custom APIs can be issued as part of end-user authentication flows or client credentials, so client credentials, and in particular the fact that client credentials require a developer pro subscription, should not constrain the possibility to use the RBAC feature set, as the end-user authentication flows where this would be applicable can be used across all subscriptions.
The flow would be something like:
- end-user accesses application.
- application initiates an authentication request and also specifies to the Auth0 tenant that it requires an access token for a custom API.
- end-user authenticates and provides consent if applicable.
- the RBAC feature set, if enabled, is taken into consideration during the process to issue the access token.
- an authentication response (tokens) is delivered to the application.
- application makes use of those tokens.
In the above flow, client credentials were never required and, in addition, even though client credentials are limited to some subscriptions, every subscription type will be able to do some tests with it, hence the automatic generation of the machine to machine application. As long as the usage of client credentials is below a reasonable threshold you won’t get any notifications (I think at this time, a few hundred client credentials calls per month will be allowed as part of trying the functionality).
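
The end-user flow described in the post above, as an added example that is not part of the original post and not Auth0's own code: the application builds an authorization request that names the custom API as `audience`, and the API later checks the resulting access token's claims. The tenant domain, client ID, audience, redirect URI and the `read:reports` permission are placeholders, and the `permissions` claim assumes the API has RBAC enabled with permissions added to the access token.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Placeholder values (assumptions, not from the original post).
TENANT_DOMAIN = "YOUR_TENANT.example.auth0.com"
CLIENT_ID = "YOUR_CLIENT_ID"
API_AUDIENCE = "https://api.example.com/"
REDIRECT_URI = "https://app.example.com/callback"


def new_pkce_pair():
    """Return (code_verifier, code_challenge) using the S256 method of RFC 7636."""
    verifier = secrets.token_urlsafe(64)  # 86 characters, within the 43-128 limit
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(scopes, state, code_challenge):
    """End-user authorization request that asks for a custom-API access token."""
    params = {
        "response_type": "code",          # authorization code flow, no client credentials grant
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "audience": API_AUDIENCE,         # tells the tenant which custom API the token is for
        "scope": " ".join(scopes),
        "state": state,                   # CSRF protection, compared on the callback
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"https://{TENANT_DOMAIN}/authorize?{urlencode(params)}"


def is_authorized(verified_claims, required_permission):
    """API-side check. The claims must come from a token whose signature,
    issuer and expiry were already validated by a JWT library."""
    aud = verified_claims.get("aud", [])
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if API_AUDIENCE not in audiences:
        return False                      # token was issued for a different API
    # Assumption: RBAC places the user's permissions in a "permissions" array claim.
    return required_permission in verified_claims.get("permissions", [])
```
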