I feel things has been made complicated for nothing (you provides opaque tokens but do not offers any way to validate it), so i have created this feature request
Introspection endpoints should be available, and from that endpoint a way to get the assigned permissions in clear so that a proper routing can be made from 3rd party routers like API Gateway products.
Each “logical” API (group of apis having same security context) should have its own permission set. Roles are here to grant the specific permissions for specific APIs.
I take an extreme example here but if an application have to interact with 100 logical Auth0 APIs and therefore have to do the authentication process 100 times when a user log in to get a clear JWT Access Token per audience, it’s not productive and definitely not efficient.