How to use Authorization Extension /policy/ endpoint?

I’m using the Authorization Extension v2.4 and am trying to get a calculated list of permissions for a given user. There doesn’t seem to be a GET /api/users/:id/permissions/calculate endpoint, so I am trying to use the /policy/ endpoint.

The docs give this example:

POST /api/users/47f6c924-b6b4-4f39-bd00-03d9c6248287/policy/7e814205-f320-42f8-a01b-e7144749977

I understand the first id is the user’s id, but what is the second? The only clue I found is that this is somehow related to a policy decision point (PDP), but googling the term brings up nothing.

In short, how do I get a calculated list of permissions for a given user and client without having to resort to an (n+1) query?

The endpoint description somewhat hints that the second parameter is likely to be related to the client application, so we could assume that it would be the client identifier.

(…) This will return the user’s groups but also roles and permissions that apply to the current client.
(emphasis is mine)

That endpoint is also used by the rule that you can publish from the extension and, checking the rule, we can be sure that the first parameter is indeed the user identifier and the second parameter the client identifier.

  function getPolicy(user, context, cb) {
    request.post({
      // user.user_id: the Auth0 user id; context.clientID: the client the rule is running for
      url: EXTENSION_URL + "/api/users/" + user.user_id + "/policy/" + context.clientID,
      // ...

I had this same question. However, when using the clientID as the policy ID in the URL, I get a 404 not found error. I have verified that the rules and permissions are associated to the application that I am using the clientID for. I also know my userID parameter is correct since I have made other calls using it (req.user.profile._json.user_id - nodejs). Is there some other connection between the application (clientID) and the roles and permissions that needs to be set up? gilbertbgarza - did you get this working? Thanks guys!

I’m in the same situation. Using a clientID also gives me a 404.

@gilbertbgarza and @devteam are any of you by any chance performing the request as a GET? It should be a POST request and include at least the connection name in the body, if I recall correctly. The reason I’m suggesting this is that, since the route does not implement the HTTP GET verb, this would explain the 404.

The documentation is also a little fuzzy in that it just starts with the /api endpoint. This doesn’t mean https://{company}.auth0.com/api. You need to look for your API url under the Authorization Extension > API setting. Get there by selecting the Authorization section from the very left on the Dashboard. Then in the upper right, the drop down should have Configuration and API. Select API. Your URL is at the bottom.

Thanks for the response, as I’m sure others will find it useful. I already have requests that are working for other URLs on the Authorization Extension API, so this is not my problem in particular.

Thanks jmangelo - strange that it is a POST, since I don’t think anything is actually getting created. I assumed the connectionName was the name of the application (as selected in the authz dashboard when creating roles and permissions)? That’s what I put in and it is now working - but actually I put in any value like “aaaa” and it works - so not clear on what the connectionName is for - unless that refers to the connections that are on the main dashboard (database, etc.). gilbertbgarza - I haven’t gotten any 401s with a key error - maybe your token is expired?

Adding a connectionName in the body worked (that should really be documented). However – although the response contains an array of groups, the array of roles and array of permissions are both empty. Is there another secret parameter I need to supply to get the calculated permissions?
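Putting the thread's findings together, here is an added example (not code from the thread, from the extension, or from Auth0) of calling the policy endpoint once per user and client, which is the single request that avoids the (n+1) query from the original question. It assumes the shape the replies above describe: POST to `{EXTENSION_URL}/api/users/{userId}/policy/{clientId}`, where EXTENSION_URL is the API URL shown under Authorization > API in the dashboard, a JSON body carrying `connectionName`, and a response with `groups`, `roles` and `permissions` arrays. The `Authorization: Bearer` header, the sample response values, and the helper names `buildPolicyRequest`, `parsePolicyResponse` and `fetchPolicy` are assumptions of this example, not documented facts.

```javascript
// Added example: one POST to the Authorization Extension policy endpoint to
// get a user's calculated groups/roles/permissions for a client.
// Assumptions (not confirmed by the thread): the extension API expects a
// Bearer access token, and the three arrays in the response hold name strings.

// Build the request the thread converged on. Kept free of I/O so it can be
// inspected and tested without a network connection.
function buildPolicyRequest({ extensionUrl, userId, clientId, connectionName, accessToken }) {
  const required = { extensionUrl, userId, clientId, connectionName, accessToken };
  for (const [name, value] of Object.entries(required)) {
    if (typeof value !== "string" || value.length === 0) {
      throw new TypeError(`${name} is required`);
    }
  }
  const base = extensionUrl.replace(/\/+$/, ""); // tolerate a trailing slash
  return {
    method: "POST", // a GET to this route is what produces the 404 seen above
    url: `${base}/api/users/${encodeURIComponent(userId)}/policy/${encodeURIComponent(clientId)}`,
    headers: {
      Authorization: `Bearer ${accessToken}`, // assumed auth scheme
      "Content-Type": "application/json",
    },
    body: JSON.stringify({ connectionName }),
  };
}

// Normalise the response: groups, roles and permissions arrays (possibly
// empty, as one poster saw). Missing or non-array fields become empty arrays
// instead of throwing, so a caller can still log what actually came back.
function parsePolicyResponse(body) {
  const asArray = (v) => (Array.isArray(v) ? v : []);
  const groups = asArray(body && body.groups);
  const roles = asArray(body && body.roles);
  const permissions = asArray(body && body.permissions);
  return {
    groups,
    roles,
    permissions,
    hasPermission: (p) => permissions.includes(p),
  };
}

// Perform the call with the built-in fetch (Node 18+). Not exercised offline.
async function fetchPolicy(params) {
  const req = buildPolicyRequest(params);
  const res = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  if (res.status === 404) {
    throw new Error("404 from policy endpoint: check the verb (must be POST), the extension API base URL, and the user id");
  }
  if (!res.ok) {
    throw new Error(`policy endpoint returned HTTP ${res.status}`);
  }
  return parsePolicyResponse(await res.json());
}

// Constructed sample response, shaped like the thread describes (values invented).
const SAMPLE_RESPONSE = {
  groups: ["engineering"],
  roles: ["deployer"],
  permissions: ["read:deployments", "create:deployments"],
};
```

Usage: `await fetchPolicy({ extensionUrl, userId, clientId, connectionName, accessToken })` and check `result.hasPermission("read:deployments")`. If the arrays come back empty, `parsePolicyResponse` still returns a usable object so you can confirm the request reached the right route before chasing scope or token problems.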

I am getting roles and permissions - maybe you need to grant your client the read:roles and read:permissions scopes in the dashboard?

Thanks for the suggestion. The client does have full read access, though.