Hello @jquerijero,
Welcome back to the Auth0 community!
What @Fario_Consulting explained above is right. Adding permissions to the Access Token is a good approach that doesn’t bring security issues.
Additional to the link shared above i suggest taking a look at the following resources regarding scopes and permissions:
I hope this was useful and if you have more questions don’t hesitate coming back to the community.
Thanks,
Tudor