PKCE flow grant Access Token without any permissions granted for endpoint

I’m using postman for authentication against our API’s. I have setup postman to be using PKCE flow and authentication with my own user (Azure AD user) in order to get a bearer token for the API.

My problem is that with this flow I can get a bearer token for any of the API’s configured in Auth0 with any of the available scopes. This without any permissions has been granted in Auth0 for my user. After the completion of the flow the API’s audience shows up under authorized applications.

How can it be that I can get a token for any existing API’s without having granted any permissions for my user nor the client for which the PKCE flow is configured?

Postman config:


Auth0 Client Config

  "is_token_endpoint_ip_header_trusted": false,
  "name": "somename",
  "is_first_party": true,
  "oidc_conformant": true,
  "sso_disabled": false,
  "cross_origin_auth": false,
  "refresh_token": {
    "expiration_type": "non-expiring",
    "idle_token_lifetime": 1296000,
    "infinite_idle_token_lifetime": true,
    "infinite_token_lifetime": true,
    "leeway": 0,
    "token_lifetime": 2592000,
    "rotation_type": "non-rotating"
  "allowed_clients": [],
  "allowed_logout_urls": [

  "callbacks": [
  "native_social_login": {
    "apple": {
      "enabled": false
    "facebook": {
      "enabled": false
  "logo_uri": "somelogo",
  "jwt_configuration": {
    "alg": "RS256",
    "lifetime_in_seconds": 36000,
    "secret_encoded": false
  "client_aliases": [],
  "token_endpoint_auth_method": "none",
  "app_type": "spa",
  "grant_types": [
  "web_origins": [
  "custom_login_page_on": true

I get only two log entries: