How permission and scope interact with my custom API, Auth0 Management API, and my client?

Hi, I’m totally new to Auth0 and authentication.

I’d like to ask is there anyone or any good resource that can explain how permission and scope interact with my custom API, Auth0 Management API, and my client?
I feel it’s an extremely basic question and I’ve tried to read some documentation in Auth0 and community but still can’t figure out the answer.

To be more specific, I’m not sure are permission and scope act like a verbal agreement and my custom API will check if the scope name provided my client matches the API’s permission?
In other words, can I set whatever permission name I want (e.g. create:bughaha), as long as my react provides the corresponding scope name (e.g. provide “create:bughaha” when I try to get the access token) then that client has the authority to use my /api/v2/?

I’m sorry that the question is blurred but this is the best I can do so far.
Any help would be greatly appreciated.

Hi JT,

Welcome to the Auth0 community!

To be more specific, I’m not sure are permission and scope act like a verbal agreement and my custom API will check if the scope name provided my client matches the API’s permission?
In other words, can I set whatever permission name I want (e.g. create:bughaha), as long as my react provides the corresponding scope name (e.g. provide “create:bughaha” when I try to get the access token) then that client has the authority to use my /api/v2/?

Can you explain how the Management API is related to your Custom API and client?

You can just think of the Management API as any other API, with an audience of https://{tenant-name}.auth0.com/api/v2/ and a proprietary list of scopes.

Hi, thank you for the prompt reply.

I’m not sure but I think my Auth0 Management API only related to my React. Custom API seems like an independent thing.
I’m using @auth0/auth0-react and started with the Single Page Application.
I also installed Auth0 Authorization 2.8 extension, not sure if that changes anything.

This document describes the Auth0 Management API, which is meant to be used by back-end servers or trusted parties performing administrative tasks. Generally speaking, anything that can be done through the Auth0 dashboard (and more) can also be done through this API.

Your reply reminds me of this paragraph in the documentation. So my understanding so far is like this:


There’s no general place for all permission. Whenever I want to do some action, I need to go through these steps.

Step 1: I need to know what kind of action I want to do in order to get the right accessToken: I need to get token from Auth0 Management API if I want to CRUD user, or I need to get token from Custom API if I want to CRUD any other database that doesn’t exist in Auth0. So basically Auth0 Management API and Custom API will never communicate with each other since they’re responsible for different databases.
The accessToken I get in this step will include all permissions of the current user. (I assume this since I tried to send an empty string with getAccessTokenSilently and I still got every permission)

Step 2: I have to send the accessToken back to API to make sure the current user has the permission to do the action. The way that API verifies the user is by using scope and permission.
I guess how API uses scope and permission is it simply compare them. If the string matches the permission/scope, that means the current user can do this action.
I got a problem here is: I thought that scope should be passed along with the request for API to check, but I didn’t see it in the quick start example, which confused me how should API verify the user’s permission.

Step 3: Once the current pass the permission check, for Auth0 Management API, it’ll do the action by itself, for Custom API, I’ll have to deal with the database somewhere in my project, like server.js or somewhere else.