Granular Scopes for Single-User Read vs. List/Bulk Export in Auth0 Management API

vsivasamy · February 15, 2026, 7:30am

Introduce least-privilege, granular scopes in the Auth0 Management API to separate:

Reading a single user by ID (most common operational need),
Listing users (enumeration),
Bulk retrieval/export (wide data exposure).

Today, read:users unlocks all of the above across different endpoints, which prevents secure delegation and violates least-privilege.

Current Behavior

The read:users scope allows:
- GET /api/v2/users/{id} (single user read),
- GET /api/v2/users (list/query across tenant),
- Bulk jobs and exports (directly or via dependent permissions),
- Access that is not constrained by connection (no built-in restriction to limit visibility to a specific connection/identity provider).
Result: If a team only needs to fetch one specific user, granting read:users also enables them to read all users via other endpoints.

Problem

No way to grant a minimal “read single user only” permission.
Enumeration and bulk export remain available through the same scope, expanding the blast radius.
No connection-based restriction (e.g., lock to conn=partner-users), making it impossible to enforce tenant segmentation policies in shared tenants.

This is not aligned with Least Privilege and Zero Trust and creates compliance risk in environments with 200k+ users and 500+ APIs/permissions.

Topic		Replies	Views
Minimum scopes for the Auth0 Management API Get Help	3	3551	December 23, 2021
Get a User API documentation Get Help	2	3054	December 11, 2019
Management API returns 403 when attempting to read users Get Help react , auth0-spa-js	3	11442	September 19, 2019
Angular User Management APIs - insufficient_scop for auth0-spa-js Get Help angular , users , auth0-spa-js	2	4573	August 14, 2019
Help using the Bulk User Export API Get Help	9	4537	March 31, 2022

Granular Scopes for Single-User Read vs. List/Bulk Export in Auth0 Management API

Problem

Related topics