RBAC: Permissions not added to the Access Token, after enabling


I followed this guide to enable RBAC for my API (Enable Role-Based Access Control for APIs). In the API I have both toggles enabled, I saved everything, I even relogged to try to see if the changes are persistent and I am safe to say, that those two toggles are active.

I also added a role called “Test”, with a permission “read:test” and a user “test2@test.com” (sorry if you own this mail). When I authenticate this user, I get my access token, but the “read:test” under the permission claim is missing. Just to clarify: The token was requested after the changes.

Is there anything, I need to do additionally for this to work?

Thank you.

Hi @dZign,

Welcome to the Auth0 Community!

In your decoded token payload, I noticed that the aud claim references your Auth0 Management API. But in your earlier screenshots, you are trying to get permission for a role defined in your custom API, not the Management API.

In this case, you’ll want to make sure that you pass in your custom API identifier as the audience in your login request to get the read:test permission.

Let me know how this goes for you.


Hello Rueben,

thank you so much for your quick reply. Yes, this was exactly my issue. I changed the audience and it worked out of the box.


1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.