Express Node Inefficient Scopes

I am following the quickstart guide here:

const express = require('express');
const app = express();
const jwt = require('express-jwt');
const jwtAuthz = require('express-jwt-authz');
const jwksRsa = require('jwks-rsa');
var port = process.env.PORT || 9090;

const checkJwt = jwt({
  secret: jwksRsa.expressJwtSecret({
    cache: true,
    rateLimit: true,
    jwksRequestsPerMinute: 5,
    jwksUri: ``

  audience: 'https://favorites/api',
  issuer: '',
  algorithms: ['RS256']

app.get('/api/public', function(req, res) {
    message: 'Hello from a public endpoint! You don\'t need to be authenticated to see this.'

app.get('/api/private', checkJwt, function(req, res) {
    message: 'Hello from a private endpoint! You need to be authenticated to see this.'

//check permissions rather than scope in access token
var options = {
    customScopeKey: 'permissions'

const checkScopes = jwtAuthz([ 'add:favorites', 'read:favorites' ]);

app.get('/api/private-scoped', checkJwt, checkScopes, function(req, res) {
    message: 'Hello from a private endpoint! You need to be authenticated and have a scope of read:messages to see this.'


I added permissions, then created roles and then assigned those roles to my users.

I see multiple people ask these questions and either get workarounds or no solution. I think this is the largest issue with scope’s example:

**1. I can’t get the Test tab to include scopes or to act a user to see if scopes work. **

2. I can’t easily get an access token with scopes in Postman to test either

3. I can’t tell if my access token has a scope attached to it (possibly create some web tool to show scopes)

4. What’s really missing is any screenshots about setting up Scopes and Permissions in my API settings

Alright so I figured out how to access in Postman. Under the Application there is Adv Settings and I had to okay Authorization Code.

Took me awhile to find but this screenshot def helped:

Here’s another helpful resource:

However, trying to find the public and perm cert for my application using RS256 seems problematic once again.

Alright I solved it!

This is how private scoped endpoints work!

You need to install the extension Authorization Extension! This allows RBAC control and adds permissions/scopes to the Access Token!

Once installed should return any configured permissions and roles!

So to do this:

  1. Go to your tenant
  2. Go to extensions on the left side
  3. Find Auth0 Authorization
  4. Install

Should work now!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.