Permissions in Access Token


I am trying to implement an RBAC solution for our users.
I am currently trying to understand how our servers (microservices) should handle users, and I have a few questions. Ideally, I would like the Access Token to hold as much of the user info as makes sense so every service wouldn’t have to query for the user info (which would add latency), but I can’t seem to be able to do that. so with that said, here are my questions:

  1. If I am using an obfuscated Access Token, should every service validate and get the user details from Auth0?
  2. If I am adding an audience field to the authentication, I saw that I am getting a JWT Access token, which I think would be better, but I don’t get how I can add custom claims to it… can I?
  3. In the JWT Access Token, I understand the scopes claim and the aud claim, but what is the permissions claim? can I use it for what I want?


Hello @tomer.a,

You are correct. If you do not include an audience, you will get an opaque token, and if you include an audience, you will get a JWT. You can certainly add custom claims to your access tokens (and ID tokens). The documentation is below:

1 Like

Is it common/considered a good practice to add these claims for RBAC to the Access Token?

Absolutely! We add a user’s assigned roles to our tokens as custom claims using a rule.

You can roll your own solution here, but Auth0 has a couple RBAC solutions that may be of interest:

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.