I followed this guide to enable RBAC for my API (Enable Role-Based Access Control for APIs). In the API I have both toggles enabled and I saved everything. I even relogged to see if the changes are persistent, and it is safe to say that those two toggles are active.
I also added a role called “Test”, with a permission “read:test” and a user “test2@test.com” (sorry if you own this mail). When I authenticate this user, I get my access token, but the “read:test” under the permission claim is missing. Just to clarify: The token was requested after the changes.
In your decoded token payload, I noticed that the aud claim references your Auth0 Management API. But in your earlier screenshots, you are trying to get permission for a role defined in your custom API, not the Management API.
In this case, you’ll want to make sure that you pass in your custom API identifier as the audience in your login request to get the read:test permission.
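The check described in the answer above, as an added example that is not part of the original thread: it decodes an access token payload and reports whether the `aud` claim names the custom API and whether the expected permission is present. The API identifier, tenant host and sample tokens are constructed placeholders, and the payload is decoded without signature verification, which is suitable for debugging only.

```python
import base64
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_payload(token: str) -> dict:
    """Decode the JWT payload for inspection only (signature is NOT verified)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(padded))


def diagnose(token: str, api_identifier: str, permission: str) -> list[str]:
    """Return reasons the token cannot carry `permission` for `api_identifier`."""
    claims = decode_payload(token)
    aud = claims.get("aud", [])
    audiences = [aud] if isinstance(aud, str) else list(aud)  # aud may be str or list
    findings = []
    if api_identifier not in audiences:
        findings.append(f"aud is {audiences}, not {api_identifier}: "
                        "request the token with audience=" + api_identifier)
    elif permission not in claims.get("permissions", []):
        findings.append(f"aud matches but '{permission}' is absent from permissions")
    return findings


def make_token(claims: dict) -> str:
    """Build a constructed sample token with a dummy signature for the demo."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.sig"


# Constructed sample values; the tenant host and API identifier are placeholders.
API = "https://my-custom-api.example"
wrong = make_token({"aud": ["https://tenant.example/api/v2/",
                            "https://tenant.example/userinfo"], "scope": "openid"})
right = make_token({"aud": [API, "https://tenant.example/userinfo"],
                    "permissions": ["read:test"]})

if __name__ == "__main__":
    for name, tok in (("management-api audience", wrong), ("custom-api audience", right)):
        print(name, "->", diagnose(tok, API, "read:test") or "ok")
```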