What is the recommended approach to allow access to only users who have paid for a valid subscription?
A good approach for this use case would be through using Role-based access control (RBAC). This feature refers to the idea of assigning permissions to users based on their role within an organization, and offers a simple, manageable approach to access management that is less prone to error than assigning permissions to users individually.
By creating a role for paid subscribers and adding permissions to that role, applications can be configured to deny access unless a user has the correct role/permissions. Upon login Auth0 authenticates and authorizes the user and includes the permissions in the returned Access Token. Then, the application can inspects the token to learn what access this user can have.
Another fallback option to RBAC could be with user based metadata. For each subscriber, have an app_metadata value like subscriber=true. When someone takes out a valid subscription, make a call to the /patch-users-by-id endpoint of the Management API and set the metadata value.
To block access to applications for users that do not have the metadata value, use a Post Login Action and api.access.deny(). An example of blocking access can be found here:
The Action can be created in the Auth0 dashboard and configured to look for the metadata value and deny access if it does not exist.