Permissions from event.authorization.permissions become empty in custom JWT generated inside Post Login Action

I am using a Post Login Action in Auth0 to generate a custom PAT JWT using jsonwebtoken.sign().

RBAC is enabled and “Add Permissions in Access Token” is enabled for my API.

The Auth0-issued access token correctly contains:

"permissions": [
  "users:create",
  "users:delete",
  "users:read",
  "users:update"
]

I am also passing the API audience during login.

Inside the Action, I read permissions using:

const permissions =
  event.authorization?.permissions || [];

However, after generating my custom JWT:

const payload = {
  permissions
};

the generated PAT contains:

"permissions": []

Other fields in the payload are preserved correctly.

Is there any known limitation, issue, or mutation behavior in Auth0 Actions when signing custom JWTs using jsonwebtoken?
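The following diagnostic is an added example, not part of the original post and not Auth0's code. It replaces the `?.permissions || []` fallback with a check that reports why the value resolved to empty, and it round-trips the payload through the JSON/base64url encoding a JWT payload segment uses, so the event object and the serialization step can be ruled in or out separately. The helper names and both sample events are constructed assumptions.

```javascript
// Added diagnostic sketch; helper names and sample events are constructed.

// Report WHY permissions resolve to [] instead of hiding it behind `|| []`.
function resolvePermissions(event) {
  const authz = event.authorization;
  if (authz === undefined || authz === null) {
    return { permissions: [], reason: 'event.authorization is absent' };
  }
  if (!Object.prototype.hasOwnProperty.call(authz, 'permissions')) {
    return {
      permissions: [],
      reason: 'no permissions property; keys present: ' + Object.keys(authz).join(',')
    };
  }
  if (!Array.isArray(authz.permissions)) {
    return { permissions: [], reason: 'permissions is ' + typeof authz.permissions };
  }
  // Copy so later mutation of the event cannot change the payload.
  return { permissions: [...authz.permissions], reason: 'ok' };
}

// A JWT payload segment is base64url(JSON.stringify(payload)); the signature
// is computed over these bytes.
function encodePayloadSegment(payload) {
  return Buffer.from(JSON.stringify(payload), 'utf8').toString('base64url');
}
function decodePayloadSegment(segment) {
  return JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));
}

// Build the custom payload, refusing to emit one whose permissions were
// silently defaulted. A genuinely empty array on the event is still allowed.
function buildPatPayload(event) {
  const { permissions, reason } = resolvePermissions(event);
  if (reason !== 'ok') {
    throw new Error('permissions unavailable: ' + reason);
  }
  return { sub: event.user.user_id, permissions };
}

// Constructed sample events (not captured from a real tenant).
const eventWithPermissions = {
  user: { user_id: 'auth0|example' },
  authorization: { permissions: ['users:create', 'users:read'] }
};
const eventWithoutPermissions = {
  user: { user_id: 'auth0|example' },
  authorization: { roles: ['admin'] }
};
```

Logging the `reason` string from inside the Action shows whether the array was already missing on `event` before the payload was built.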