I am a little confused on best practices in dealing with API permissions. I understand that in the API within Auth0, I can configure it to always attach the permissions claim to the access token. I am confused because I was under the understanding that the spec defines the scopes claim as the place to define a user's permissions.
My objective is to have the permissions always included in the access token. I would think you can achieve this with a rule to automatically add them (although it looks like 'permissions' is not an attribute on the user object). But I'm confused why Auth0 defaults/automates this as a claim rather than adding to scopes?