How to add user permissions to ID token

Thanks @tyf.

This is the primary thing I’m trying to avoid. The frontend is supposed to treat the access token as an opaque string and shouldn’t try to decode it:

Respecting this, if I want to access the permissions that are on the access token, I would have to make an extra call to my server API so that the server can decode the access token and return the permissions from it.

Also, if the permissions are in the access token, it means they would be sent to the server on every request to the server when they aren’t actually needed by the server at all. They’re only needed by the SPA.

It seems like it would be much more appropriate and simpler to just add the permissions to the identity token, which is intended for the SPA to use, but I don’t see a feasible way to accomplish this with Auth0.
