I am wanting to enable my customers to log into my portal and then create an API token, very similar to what Auth0 does for it’s own management api (https://auth0.com/docs/api/management/v2/get-access-tokens-for-test#get-access-tokens-manually). The access token created would have a subset of the permissions that the user is allowed to perform. Are there any resources that exist on this topic? Everything I have come across is a few years old and does not enable this particular workflow.
Sorry for the delay, if this is still relevant to you, you can find documentation on how to use the different authorization flows with Auth0 registered APIs here, and specify the scopes that are required for the API audience: https://auth0.com/docs/api-auth
You would need to take the resulting access token and provide it to the user in some way if you wanted the same functionality as the test Management API token does in the dashboard, i.e. for them to construct their own calls with the token in their headers.
You can also use our Authorization Core feature to allow for Role-Based Access Control on your APIs and control the scopes available to users that way (https://auth0.com/docs/dashboard/guides/apis/enable-rbac)
Alternatively, you can have a backend carry out the API calls on behalf of an authenticated user, and limit these backend applications in the scopes they can use (https://auth0.com/docs/flows/guides/client-credentials/call-api-client-credentials)