Trouble understanding scopes vs permissions

Hi @Luukth

Sorry for the delay in the response. Let me try to address some of your doubts.

The express API checks for permissions in the scope. Not in the access token permissions.

You can specify the customScopeKey option to use the permissions claim instead of the scope.

The goal of having the permissions claim instead of the scope claim to perform authorization is for the cases where you just need to know what permissions the user has in a given API and you don’t need to collect consent from the user (usually first-party applications).

Is there a recommended way to also store the scope or permissions inside this object.

When defining the auth0 strategy using passport, you can specify a Verify Callback with signature (accessToken, refreshToken, extraParams, profile, done) where you should be able to have the permissions and the user profile.

Regards,
Marcos
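
The scope-versus-permissions distinction discussed in this reply, as an added example that is not part of the original post and is not the library's code: a simplified stand-in middleware that authorizes against either claim. The names `requireClaims`, `claimKey`, `checkAll` and `check`, the sample payload, and the assumption that the decoded access token sits on `req.user` are all hypothetical.

```javascript
// Added illustration: a simplified stand-in for a claim-based authorization
// check. requireClaims and its options are hypothetical names, not a library API.
function requireClaims(expected, { claimKey = 'scope', checkAll = false } = {}) {
  return function (req, res, next) {
    // Assumption: an earlier JWT middleware verified the token and put its
    // decoded payload on req.user.
    const raw = req.user && req.user[claimKey];

    // "scope" is a space-delimited string; "permissions" is an array of strings.
    let granted;
    if (typeof raw === 'string') granted = raw.split(' ').filter(Boolean);
    else if (Array.isArray(raw)) granted = raw;
    else return deny(res, `missing claim "${claimKey}"`);

    const has = (p) => granted.includes(p);
    const ok = checkAll ? expected.every(has) : expected.some(has);
    return ok ? next() : deny(res, 'insufficient permissions');
  };
}

function deny(res, reason) {
  res.statusCode = 403;
  res.body = { error: 'forbidden', reason };
  return res;
}

// Constructed decoded access-token payload: the scope claim carries only what
// the client requested, while the permissions claim carries the API permissions.
const samplePayload = {
  sub: 'auth0|constructed-user',
  scope: 'openid profile',
  permissions: ['read:messages'],
};

// Runs a middleware against a payload and reports the resulting status code.
function check(middleware, payload) {
  const req = { user: payload };
  const res = {};
  let passed = false;
  middleware(req, res, () => { passed = true; });
  return passed ? 200 : res.statusCode;
}

const byScope = check(requireClaims(['read:messages']), samplePayload);
const byPermissions = check(
  requireClaims(['read:messages'], { claimKey: 'permissions' }), samplePayload);
console.log({ byScope, byPermissions });
```
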