New Permissions added to role not updating

As the title says, I’ve got perms attributed to a role and a user with that role but when I retrieve the user the are not showing:

  "": [
    "Admin (Designs)",
    "Admin Shop"
  "": {
    "admin": false
  "": {},
  "": [
  "given_name": "James",
  "family_name": "Sherry",
  "nickname": "james.sherry",
  "name": "James Sherry",
  "picture": "",
  "locale": "en-GB",
  "updated_at": "2023-11-22T00:53:37.861Z",
  "email": "",
  "email_verified": true,
  "sub": "google-oauth2|11347         759809880",
  "sid": "5OWnhZ_HexIIVYkZ1c1jxa1TeMqFHt8"

I’ve logged in and out multiple times and in different browsers; I’ve tried making a request for a refresh token and got back new tokens successfully and then re-authing but to no avail. (The role is also not present in the Management API explorer.)

Really not sure how to prod the system to make it look again…

Any help greatly appreciated!

Hmmm. Just noticed there are 50 perms there. I looked at limits and it told me there was 1000 perms per user (Entity Limit Policy). Is there a limit? Or is the retrieval paginated?

And then I noticed this: Auth0 only allows me to have 100 permissions per user - #4 by ayan.sen :roll_eyes:

OK, so actually in the example I copied for an action it was set to 50. Turns out the max you can have is 100.

const auth0 = require('auth0'); // 4.1.0

exports.onExecutePostLogin = async (event, api) => {
  const namespace = '';

  const { user } = event

  const { ManagementClient } = auth0;

   const management = new ManagementClient({
    clientId: event.secrets.client_id,
    clientSecret: event.secrets.client_secret,
    domain: event.secrets.domain

  const params = { 
   id: user.user_id, 
   page: 0, 
   per_page: 100,  // <-- HERE
   include_totals: true,

  try {
     const {
       data: {
     } = await management.users.getPermissions(params);

     const permissionsArr = => {
      return permission.permission_name;

    api?.idToken?.setCustomClaim?.(`${namespace}/permissions`, permissionsArr);
    api?.accessToken?.setCustomClaim?.(`${namespace}/permissions`, permissionsArr);
  } catch (err) {
    return api.access.deny(err.message);

  • Can someone from Auth0 explain what you’re to do if there’s that?
  • Can you make repeated calls from the client? If so, how? (Just increment page number until array empty? Or is there a flag to show ‘no more results’?)
  • Also, can you cache these in any way to speed things up and avoid going over limits?