Roles vs permissions vs scope distinction

Auth0 provides a lot of flexibility so there’s probably more than one way to handle this. The basic model that immediately comes to mind is:

  1. User tries to access Resource_A,
  2. Auth0 authenticates the user,
  3. After authentication one or more Auth0 Rules add authorized API scopes to the user’s ID and / or access token,
  4. Resource_A checks the token to see what scopes were authorized.

The actual flow is more complicated than this, but that is the gist. Use an ID token to grant access to an application. Use the access token to grant access to APIs. It is largely based on what data you include in your tokens, though you can also leverage the Auth0 management and / or authentication APIs directly as well.

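The four-step model above, worked through in plain Node.js as an added example (this is not code from the original post and not Auth0's own Rule or Action API). It assumes a hypothetical role-to-scope table, a hypothetical namespaced claim name, a constructed user record, and, for the resource-side check, that the JWT's signature, issuer and algorithm have already been verified by a proper JWT library before the payload reaches `authorize()`; the example only shows what is put into the token and what the API checks when it arrives.

```javascript
// Added example of the "rule adds scopes, API checks scopes" model.
// Assumption: ROLE_SCOPES is a hypothetical mapping of the kind a Rule/Action
// would consult; real deployments keep this in the authorization server.
const ROLE_SCOPES = {
  viewer: ["read:reports"],
  editor: ["read:reports", "write:reports"],
  admin: ["read:reports", "write:reports", "delete:reports", "manage:users"],
};

// Hypothetical namespaced claim name; custom claims should be namespaced so they
// cannot collide with standard JWT claims.
const ROLES_CLAIM = "https://example.com/claims/roles";

// Step 3 (issuer side): turn the authenticated user's roles into API scopes.
// Unknown roles grant nothing, and duplicates collapse to a sorted set.
function scopesForRoles(roles) {
  const out = new Set();
  for (const role of roles) {
    for (const scope of ROLE_SCOPES[role] || []) out.add(scope);
  }
  return [...out].sort();
}

// Build the access-token payload the way a post-authentication rule would:
// the standard OAuth `scope` claim is a space-separated string, roles go into
// a namespaced custom claim, and `aud` names the API the token is meant for.
function buildAccessTokenPayload(user, audience, nowSeconds) {
  return {
    sub: user.id,
    aud: audience,
    iat: nowSeconds,
    exp: nowSeconds + 3600,
    scope: scopesForRoles(user.roles).join(" "),
    [ROLES_CLAIM]: [...user.roles],
  };
}

// Step 4 (Resource_A side): decide on an already signature-verified payload.
// Order matters: a token for another API or an expired token is rejected
// (401) before we ever look at scopes; a valid token lacking the scope is 403.
function authorize(payload, { audience, requiredScope, nowSeconds }) {
  if (typeof payload.exp !== "number" || payload.exp <= nowSeconds) {
    return { ok: false, status: 401, reason: "token expired" };
  }
  if (payload.aud !== audience) {
    return { ok: false, status: 401, reason: "token not issued for this API" };
  }
  const granted =
    typeof payload.scope === "string" ? payload.scope.split(" ").filter(Boolean) : [];
  if (!granted.includes(requiredScope)) {
    return { ok: false, status: 403, reason: `missing scope ${requiredScope}` };
  }
  return { ok: true, status: 200 };
}

// Constructed demo input (not real Auth0 data).
const API = "https://reports.example.com";
const now = 1700000000;
const alice = { id: "auth0|constructed-user-1", roles: ["viewer"] };
const token = buildAccessTokenPayload(alice, API, now);

console.log("scope claim:", token.scope);
console.log("GET  /reports ->", authorize(token, { audience: API, requiredScope: "read:reports", nowSeconds: now + 60 }));
console.log("POST /reports ->", authorize(token, { audience: API, requiredScope: "write:reports", nowSeconds: now + 60 }));
```

Run it with `node` to see a viewer's token pass the read check and fail the write check. The point worth keeping from the split between the two halves: the application (via the ID token) learns who the user is, while `Resource_A` never consults the user's roles directly; it trusts only the scopes the authorization server chose to put in the access token for that specific audience.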