I have created an API and added scopes/permissions to it and allowed a machine-to-machine app to access it with all the permissions enabled. When I try to fetch the access_token via Postman, the token I receive contains an empty permissions claim.
Both the M2M and the API applications are set up with all the required permissions.
Why does it return a token with an empty permissions list?
If you’re looking to include the “permissions” claim in your access token, there’s a specific API setting (Auth0 Dashboard > Applications > APIs > Your API) you will need to enable. Specifically, it is the “Add Permission in the Access Token” toggle.
First, please refer to the screenshot below that shows the toggle you need to enable:
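To confirm what the issued token actually carries before changing any dashboard setting, here is an added Python inspection script (not part of this thread and not Auth0 tooling) that decodes a JWT payload and compares the `scope` claim with the `permissions` claim; the tenant, audience and claim values are constructed placeholders.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWT. Inspection only: the signature is
    not verified here, so these values must not drive authorization decisions."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_permissions_claim(token: str) -> dict:
    """Compare the space-separated 'scope' claim with the 'permissions' array;
    the symptom in this thread is a 'permissions' claim that exists but is empty."""
    claims = decode_jwt_claims(token)
    scopes = claims.get("scope", "").split()
    permissions = claims.get("permissions")
    return {
        "grant_type": claims.get("gty"),
        "granted_scopes": scopes,
        "permissions_claim_present": permissions is not None,
        "permissions": list(permissions or []),
        "scopes_missing_from_permissions": sorted(set(scopes) - set(permissions or [])),
    }


def build_sample_token(claims: dict) -> str:
    """Constructed sample token for offline use: real header shape, placeholder
    signature. Auth0 access tokens are RS256-signed; this one is not signed."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


# Constructed claims mirroring the symptom: scopes granted, permissions empty.
SAMPLE_CLAIMS = {
    "iss": "https://example-tenant.auth0.com/",  # placeholder tenant
    "aud": "https://api.example.test",           # placeholder API identifier
    "gty": "client-credentials",
    "scope": "read:items write:items",
    "permissions": [],
}

if __name__ == "__main__":
    print(json.dumps(check_permissions_claim(build_sample_token(SAMPLE_CLAIMS)), indent=2))
```

Paste the token Postman returned in place of the constructed sample: if `granted_scopes` is populated while `permissions` stays empty, the client grant is fine and the gap is on the API's RBAC/permissions side.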
That’s where it gets confusing. The RBAC has been set up exactly as per the screenshot you shared from the very beginning. This does add a permissions claim to the access_token, but it is empty.