This is what I found when working with SPAs and APIs:
Basically enable RBAC and “Add Permissions in the Access Token”.
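
An added example, not part of the original post: with that setting on, the API still has to verify the token and enforce the claim itself. The code assumes an RS256-signed token whose granted permissions arrive in a `permissions` array claim (as Auth0's setting of that name does); the key pair, URLs, permission names and the `signSampleToken` and `authorize` helpers are constructed for illustration.

```javascript
const crypto = require('crypto');

const b64url = (buf) => Buffer.from(buf).toString('base64url');

// Constructed fixture: a throwaway key pair standing in for the issuer's signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Hypothetical helper: mints a sample token so the example runs offline.
function signSampleToken(payload, key = privateKey) {
  const head = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const sig = crypto.sign('sha256', Buffer.from(`${head}.${body}`), key);
  return `${head}.${body}.${b64url(sig)}`;
}

// Verify algorithm, signature, expiry, issuer and audience, then require every permission.
function authorize(token, required, opts = {}) {
  const { key = publicKey, audience, issuer, now = Date.now() / 1000 } = opts;
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
    claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  if (!header || !claims) return { ok: false, reason: 'malformed' };
  // Pin the algorithm: the token header must not be allowed to choose it.
  if (header.alg !== 'RS256') return { ok: false, reason: 'bad_alg' };
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (!crypto.verify('sha256', signed, key, Buffer.from(parts[2], 'base64url'))) {
    return { ok: false, reason: 'bad_signature' };
  }
  if (typeof claims.exp !== 'number' || claims.exp <= now) return { ok: false, reason: 'expired' };
  if (claims.iss !== issuer) return { ok: false, reason: 'bad_issuer' };
  if (![].concat(claims.aud ?? []).includes(audience)) return { ok: false, reason: 'bad_audience' };
  // A token without the claim (setting switched off) must be denied, not allowed.
  const granted = Array.isArray(claims.permissions) ? claims.permissions : [];
  const missing = required.filter((p) => !granted.includes(p));
  if (missing.length > 0) return { ok: false, reason: 'insufficient_permissions', missing };
  return { ok: true };
}
```

A token issued before the setting was enabled carries no `permissions` claim, so `authorize` rejects it with `insufficient_permissions` until the client obtains a fresh token.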