Hi @rueben.tiow,
I am working closely with @soon.hongooi on this. We acknowledge that we are using RBAC and enabling the Add permissions to Access Token setting. We are able to get the permissions in the access token. We need these permissions to drive certain behaviour of the Frontend (e.g. show/hide buttons and pages). We also acknowledge that it is not recommended to decode the access token in the Frontend; therefore we set up a custom action which uses the Management API to retrieve the permissions and set them in the ID Token. We acknowledge the rate limit of calling the Management API, we are aware of this issue, and we think that this is not related to the HTTP 403, as this does not happen for any user at any time (as the rate limit is not hit). Is there a way to get this sorted out? Thanks.