Getting user roles from my API

I have an Angular Client as Frontend and a Cloudflare backend API.
I understand that I need to set the Application as Single Page and therefore the bearer authorization in the API request headers is not a JWT you can validate but an opaque token: you need to call a user profile endpoint where the authorization token can be decoded into readable JSON.
See also my post on cloudflare community.
And it’s also my understanding that if I call the user profile endpoint with that bearer I can’t retrieve the roles - unless I set them through a specific rule via metadata, but also in that case they are not read from the roles assigned to the user in the Auth0 User Management but simply written by the rule code with some custom derivation e.g. from the user email, so it is a really different/separate thing.

In conclusion it seems to me that the only option I have to retrieve the roles from the user id is configuring a management API call to 'api/v2/users/' + userid + '/roles' with minimal permissions to check it.

Am I correct, or is there a better way to retrieve the roles from a Cloudflare Worker API without any access to the management API?

I guess the typical scenario (in the tutorials and the docs about role protection) is to associate roles, hence permissions, i.e. scopes, with API access tokens - which are JWT-verifiable - and not with user ID tokens - which are opaque (therefore not verifiable, aside from the management API or from metadata set by custom rules).

Is it correct? And why is it so? I miss the big picture of the authorization architecture…

Well, AFAICS, I would answer that it's a 3-layer architecture:
the user logs in to a frontend calling an application logic API with an opaque user ID token, and the application logic API, with its own JWT, changes something by calling in turn a persistence API: the latter API can finally verify the caller UI API token (representing the operation to be saved) and possibly also the original user token (if it is forwarded as the author of the operation) in a machine-to-machine connection…