Is there a way to restrict an Auth0 application to only allow an action to call it? I set up an application so that it has permissions to update a user's roles.
I am updating roles during authentication but only want the application to be available for the Action Flows.
You should protect access to this application via the client credentials grant. Only the action will have the client ID/secret so only the action can successfully call the application.
Unfortunately, Actions do not yet have a good caching mechanism for the M2M token, so you should use a rule for this, and cache the token in the rule configuration (until Actions come into parity with rules).
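
The approach in the answer (client credentials grant plus a cached M2M token), as an added JavaScript example that is not part of the original thread. The `cache` object, the injected `requestToken` transport and the tenant values are hypothetical; a stub stands in for the token endpoint so the block runs offline.

```javascript
// Added example. Domain, client ID and secret are constructed placeholders.
const SKEW_MS = 60 * 1000; // treat a token as expired one minute early

// JSON body for POST https://<domain>/oauth/token (client credentials grant).
function buildTokenRequest(cfg) {
  return {
    grant_type: 'client_credentials',
    client_id: cfg.clientId,
    client_secret: cfg.clientSecret,
    audience: `https://${cfg.domain}/api/v2/`, // Management API identifier
  };
}

function isFresh(entry, nowMs) {
  return Boolean(entry && entry.token && entry.expiresAt - SKEW_MS > nowMs);
}

// cache: object that outlives one login (hypothetical store).
// requestToken: async (url, body) => ({ access_token, expires_in }), injected
// so the transport can be swapped for a stub.
async function getManagementToken(cache, cfg, requestToken, nowMs = Date.now()) {
  if (isFresh(cache.entry, nowMs)) return cache.entry.token;
  const res = await requestToken(`https://${cfg.domain}/oauth/token`, buildTokenRequest(cfg));
  if (!res || !res.access_token || !Number.isFinite(res.expires_in)) {
    throw new Error('token endpoint returned no usable access_token');
  }
  cache.entry = { token: res.access_token, expiresAt: nowMs + res.expires_in * 1000 };
  return cache.entry.token;
}

// Offline demo with a stub token endpoint (constructed responses).
async function demo() {
  const cfg = { domain: 'example-tenant.auth0.com', clientId: 'CLIENT_ID', clientSecret: 'CLIENT_SECRET' };
  const cache = {};
  let calls = 0;
  const stub = async () => ({ access_token: `tok-${++calls}`, expires_in: 3600 });
  const tokens = [];
  for (const now of [0, 1000, 3570000]) { // first login, cached, inside skew window
    tokens.push(await getManagementToken(cache, cfg, stub, now));
  }
  return { tokens, calls };
}

demo().then((r) => console.log(r.tokens.join(','), 'requests:', r.calls));
```

Three logins produce only two token requests: the second is served from the cache, and the third falls inside the one-minute skew window and triggers a refresh.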