Getting user token to access domain APIs


I was wondering that is is possible with Auth0 API’s to get a new token with user information in it.
Currently we have an web application that uses the Lock login screen hosted by Auth0 that an user uses to login.
After login, a JWT token is retrieved and we get the user info. However we need a JWT token for that user to authenticate on the other API (not third-party), without entering the email and password again.
And even more; it should be possible to add some sort of additional metadata in that token. The metadata (or claims) will contain specific permissions that the user might have on the other API. Scopes are not sufficient as we need to add ID’s of resources to the token.


    "given_name": "John",
    "family_name": "Doe",
    "custom_access_to_countries": [ "nl", "de", "be" ]

The API should then let the user access all countries that are in that custom claim.

Thank you,

You can add any claims you like to your tokens using rules and hooks. E.g. store your countries list in app_metadata and something like:

function (user, context, callback) {
  if (user.app_metadata.allowed_countries) {
    context.accessToken['https://your.namespace.thing/allowed_countries'] = user.app_metadata.allowed_countries; 
  callback(null, user, context);


does this mean that I need to add all permissions to the users in Auth0 itself? Or can it add to the permissions dynamically at sign-in.

The thing is that the permissions are configured in the web application. It is too complex to add it to Auth0 as it contains multiple dimensions that together is one permission. Best is to update the token when doing a request to the third party service and only add the permissions that are needed for that request.

A single permission contains three ID’s and every combination of different ID’s is a new permission. As you can understand, that will become a quite large dataset if all needs to be added as sign-in.

Is there a way forward for this?

Thank you,

This is stretching my expertise a bit, but it is possible to add attributes dynamically with rules and hooks. You still need some way for the rule or hook to know what attributes to add though. For example, you can have a rule that says “If the user is logging in via client_id ABC, add the following claim”.

If you are retrieving permissions info from your app, your app is essentially now functioning as an Identity Provider. So you would need a rule or hook that connects to your app to ask “what are this user’s permissions”, and then add that claim. Essentially you need a “permissions API”.