Yes, the scope property will be included always. Any setting changes you make should take effect right away.
You may need to set the token dialect so that the user permissions are added as a claim to the Access Token.
To do this, you can go to APIs > Auth0 Management API in your dashboard and select the API Explorer tab and copy the test Access Token.
Then go to Auth0 Management API v2 and click TRY to get the ID of your API.
Finally, update the token dialect by going to Auth0 Management API v2 and send the ID of the API and the token dialect setting:
{
"token_dialect": "access_token_authz"
}
The decoded Access Token should look like this:
{
"iss": "https://your-domain.us.auth0.com/",
"sub": "google-oauth2|123456789",
"aud": [
"https://test.com",
"https://your-domain.us.auth0.com/userinfo"
],
"iat": 1616425103,
"exp": 1616511503,
"azp": "pOW4Xrkst9wHmCJuoBn80DGPHB7IQd2I",
"scope": "openid profile email",
"permissions": [
"read:messages",
"write:something"
]
}
The user’s permissions are added to the permissions claim ^