RBAC and Plans and which method


Fairly new to Auth0, with some general questions.

  1. Do I get it right that I can only use RBAC (core or extension) with non-starter plans? If so, why can I access everything in the management console?

  2. I read in the docs that “Authorization Core” is preferred over “Authorization Extension”. Is this correct?

  3. When using “Authorization Core”, there needs to be an API with permissions and roles, and when granting an application access to it, I can't select my previously created SPA application but need to use a new machine-to-machine application. Do I need to use this M2M application in my React application as the login mechanism as well? This feels weird.

Thanks for the info.

Regarding 3)

In the API → Application grants it's stated:
“Single Page and Native apps do not require further configuration. SPAs can execute the Implicit Grant to access APIs while Native Apps can do Authorize Code with PKCE for the same purpose.”

So I assume no action is needed there and the SPA has access to the API roles/perms. Then I rephrase my question 3 to the following:

  1. How can I access those Roles / Permissions in the React application? Or do I also need custom Rules for the “Authorization Core” feature to have this working?

I think I got it to work with a custom Action which puts the Roles from RBAC into the user token. Still unsure why the docs state that this is only possible with a non-starter plan.

Adding a default Role after registration is explained here:

Is this the current way of doing this? I think that “Actions” are now the way to go, isn't it? Help on this one much appreciated.
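For the "custom Action that puts the roles into the token" approach mentioned above, here is an added example (not code from the original post or from Auth0) of what that post-login Action looks like, together with an offline harness that exercises it and the client-side read of the resulting claim. The Action API it uses (`event.authorization.roles`, `api.idToken.setCustomClaim`, `api.accessToken.setCustomClaim`) is Auth0's documented post-login trigger API; the namespace URL `https://example.com`, the sample event, the fake `api` object and the unsigned demo token are assumptions constructed for this example.

```javascript
// Added example, not code from the original post: an Auth0 post-login Action that
// copies the roles evaluated by Authorization Core into namespaced custom claims,
// a local harness that runs it offline, and the client-side read of that claim.
// Assumed/constructed here: the namespace URL, SAMPLE_EVENT, makeFakeApi, toUnsignedJwt.

// Custom claims must be namespaced with a URL you control (assumed value).
const NAMESPACE = 'https://example.com';
const ROLES_CLAIM = `${NAMESPACE}/roles`;

// In the Auth0 dashboard this is written as
//   exports.onExecutePostLogin = async (event, api) => { ... }
async function onExecutePostLogin(event, api) {
  // event.authorization is only populated when RBAC was evaluated for the login
  // (an API audience was requested); guard it so other logins do not throw.
  const roles = (event.authorization && event.authorization.roles) || [];
  // ID token: what auth0-react exposes on `user[...]`, good for UI decisions.
  api.idToken.setCustomClaim(ROLES_CLAIM, roles);
  // Access token: what the backend API sees after it has verified the token.
  api.accessToken.setCustomClaim(ROLES_CLAIM, roles);
}

// ---- Local harness (constructed): a fake `api` that records what the Action sets ----
function makeFakeApi() {
  const claims = { idToken: {}, accessToken: {} };
  return {
    claims,
    idToken: { setCustomClaim: (name, value) => { claims.idToken[name] = value; } },
    accessToken: { setCustomClaim: (name, value) => { claims.accessToken[name] = value; } },
  };
}

// Constructed sample event shaped like a real post-login event.
const SAMPLE_EVENT = {
  user: { user_id: 'auth0|abc123', email: 'alice@example.com' },
  authorization: { roles: ['editor', 'viewer'] },
};

// Runs the Action against the fake api and returns the recorded claims.
// The Action awaits nothing, so its effects on `api` are complete when the call returns.
function runAction(event) {
  const api = makeFakeApi();
  onExecutePostLogin(event, api);
  return api.claims;
}

// ---- Client side ----
// auth0-react exposes ID-token claims on `useAuth0().user`, so in a component:
//   const { user } = useAuth0(); const roles = user[ROLES_CLAIM] || [];
// An access token from getAccessTokenSilently() can be read the same way.
// This read is for UI gating only: the SPA cannot verify the signature, so the API
// that receives the token must validate it (signature, issuer, audience) and enforce
// roles/permissions itself. Buffer keeps the demo Node-only; a browser would use atob.
function readRolesFromJwt(jwt) {
  const payload = jwt.split('.')[1];
  const b64 = payload.replace(/-/g, '+').replace(/_/g, '/');
  const claims = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  return Array.isArray(claims[ROLES_CLAIM]) ? claims[ROLES_CLAIM] : [];
}

// Builds an unsigned header.payload. token for the demo only (constructed; a real
// API must never accept alg "none" or skip signature checks).
function toUnsignedJwt(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj), 'utf8').toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.`;
}

// Usage
const demoClaims = runAction(SAMPLE_EVENT);
console.log(demoClaims.idToken[ROLES_CLAIM]); // [ 'editor', 'viewer' ]
console.log(readRolesFromJwt(toUnsignedJwt({ sub: 'auth0|abc123', ...demoClaims.accessToken })));
```

Two practical notes: the claim only appears when the SPA requests the API's audience (otherwise `event.authorization` is empty and the Action writes an empty list), and the roles claim in the token is a snapshot taken at login, so role changes only show up after a new token is issued. For the separate question of assigning a default role at registration, the Action `api` object exposes no method to assign roles, so Auth0's documented approach is to call the Management API from the Action; that part is not shown here.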