How to add permissions to the access token (Actions) [Edit]

Hello everyone,

It’s my first time using Auth0, and I need to add all permissions the user has to the access token.

I need it because the admin has the option to create roles with permissions in the application. But the functionality in the front-end needs to be different depending on user permissions, not user role.

The role is just a way to group the permissions and save time adding a new user to the system.

At the moment, I’ve created an Action with this code:

exports.onExecutePostLogin = async (event, api) => {

    const ManagementClient = require('auth0').ManagementClient;


    const management = new ManagementClient({

          domain: event.secrets.domain,

          clientId: event.secrets.clientId,

          clientSecret: event.secrets.clientSecret,



    const claimName  = 'http://roles/permissions';

    var params = {id: event.user.user_id};

    var p = await management.getUserPermissions(params);

      var permissionsArr = (n) {

      return n.permission_name;


    api.idToken.setCustomClaim(claimName, {"permissions": permissionsArr});

    api.accessToken.setCustomClaim(claimName, {"permissions": permissionsArr});


It works, but the claim is being added two times to the idToken, and probably the same is happening to the accessToken (not sure about this one).

Can anyone help me out?

I just learned that it must be “duplicated” the same happens when there’s more than one role assigned to the user.
I had no idea of that.

My only question now is how may I check the user permissions the same way with roles.

I am using Blazor, so for roles verification, I use this at the top of razor page:
@attribute [Authorize(Roles = "Admin")]

1 Like

Hi @MeloHenrique

Welcome to Auth0 Community !!!

It is a recommended practice to use roles as a medium of assigning permissions to users. In other words, avoid assigning permission directly to users but instead

Permissions → Roles → Users

This is how you can set roles. Add roles

Hope it helps



Thanks for your response.

I am assigning the role to the user.

But I want to change the functionality on the front-end based on the permissions. I have no idea how many roles the admin will create and what permissions each user role will have. I need to show or hide pages based on the user permissions. These permissions are based on the user role.

I am using Blazor, and I can make a page only show to a specific role using this line of code:
@attribute [Authorize(Roles = "Admin")]

But I need to make this verification to the user permissions.
When the user logs in, I am adding the user role and his permissions to the token. Now I just need to know how can I make the same role verification wich permissions.