Thanks for confirming - you should be able to get permissions as a claim in the access token directly and therefore avoid the need to make any extra API call.
It’s worth noting that it is common practice to infer roles from permissions - that is, once you have permissions in a user’s access tokens it shouldn’t be necessary to also get the roles.
You can also add roles directly to the user’s access token or ID token as a custom claim by way of an Action:
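```js
exports.onExecutePostLogin = async (event, api) => {
  // Custom claims need a namespaced name to avoid colliding with standard claims.
  const namespace = 'https://my-app.example.com';
  // event.authorization is only populated when the login is authorized.
  if (event.authorization) {
    // Copy the user's assigned roles into both tokens under the namespaced claim.
    api.accessToken.setCustomClaim(namespace, event.authorization.roles);
    api.idToken.setCustomClaim(namespace, event.authorization.roles);
  }
};
```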
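On the API side, the reply's point about inferring roles from permissions can look like the following. This is an added example, not part of the original post or Auth0's own code: it assumes the access token's signature, issuer and audience were already validated by your JWT middleware, that RBAC is configured to put a `permissions` array in the token, and the role map, permission names and sample claims are hypothetical.

```javascript
// Hypothetical role definitions: role name -> permissions that make up the role.
const ROLE_DEFINITIONS = {
  viewer: ['read:reports'],
  editor: ['read:reports', 'write:reports'],
  admin: ['read:reports', 'write:reports', 'delete:reports'],
};

// Constructed sample of already-verified access token claims.
const SAMPLE_CLAIMS = {
  sub: 'auth0|constructed-user',
  permissions: ['read:reports', 'write:reports'],
  'https://my-app.example.com': ['editor'],
};

// Return the granted permissions as a Set; a missing or malformed claim grants nothing.
function permissionsOf(claims) {
  const raw = claims && claims.permissions;
  const list = Array.isArray(raw) ? raw : [];
  return new Set(list.filter((p) => typeof p === 'string'));
}

// List the required permissions the token lacks; an empty result means allowed.
function missingPermissions(claims, required) {
  const granted = permissionsOf(claims);
  return required.filter((p) => !granted.has(p));
}

// Infer roles: a role is held only if every one of its permissions is granted.
function inferRoles(claims, definitions = ROLE_DEFINITIONS) {
  const granted = permissionsOf(claims);
  return Object.keys(definitions).filter((role) =>
    definitions[role].every((p) => granted.has(p))
  );
}

// Authorization decision for one endpoint, fail-closed on bad input.
function authorize(claims, required) {
  const missing = missingPermissions(claims, required);
  return { allowed: missing.length === 0, missing };
}
```

Authorizing on the `permissions` claim keeps endpoint checks independent of how roles are named or regrouped in the tenant.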