SPA + Permissions

This is what I found when working with SPA and API’s:

Basically enable RBAC and “Add Permissions in the Access Token”.