How exactly REST API Authorization works using Core Authorization Library

We are using Auth0 for our User management. Now I am trying to use Authorization for our APIs. I read the documentation to enable RBAC

I understand from the documentation the Auth0 API registration, the creation of Roles and permissions, and assigning roles and permissions to users. But I fail to understand how it works end to end and how I can use it for role-based authorization for my APIs.
I was hoping someone could clear up this confusion or guide me to the right documentation.


Hi @rkl,

Welcome to the Auth0 Community!

I would be happy to help with this. Could you give more context on what you would like to do or what the doc is not explaining?


Thanks @dan.woda, for your reply.
I want to use Auth0 for role-based authorization of my APIs. After setting up roles, permissions etc. as mentioned in the enable RBAC docs, how will the authorization flow work? Is Auth0 sufficient for simple Authorization, or do I need to develop code at my end for checking the roles of users accessing my APIs?
And if Auth0 is sufficient, then how can I tell Auth0 which APIs to redirect to after Authorization success?

I might be understanding it all wrong. Please help.


I think you have the right idea. You can use Rules to grant or deny access to certain applications. Take a look here for a brief example:

You can also add Roles to tokens and add your authorization logic that way:

Here is another relevant example of how RBAC and permissions work:

Hope this helps,

One additional question on this: I don’t understand what “enable RBAC” does by itself. I don’t see permissions (permissions assigned to a Role, Role assigned to user) in the access token until I also click “add permissions in the access token”


I think I need more context to understand the questions you are having. Where is the ‘enable RBAC’ you are referring to, and could you please expand on the permissions issue?


I believe I solved my issue, but please correct me if I’m wrong.

For one of our auth0 defined APIs I did the following:

  1. toggled “RBAC enabled” to on under the API settings
  2. added a custom permission/scope under this API

I then added this same permission to a Role, then added the Role to a User. When authenticating this user I expected to see the scope (defined in #2 above) in my accessToken. After a good day of playing with this I realized that I also needed to specify the same scope in my auth request (to /oauth/token) in the “scope” query param. The issue may be that I’m not grasping some fundamental OAuth concept, but I was hoping the scope would come back in the accessToken regardless of whether I specified it in my request.
