Auth0 Home Blog Docs

Updating permissions in the access token



We are building a multi-tenant platform using a microservices architecture. There is an SPA for the front end, and many APIs behind an API gateway that serve as the backend.

We chose to store permissions in the access token, to avoid having to check them in every API call. So if an API receives a request, and the token is verified (signature and expiration), it assumes that the user has the permissions stored in the token.

The issue that we are facing concerns permission changes. If I add or remove a role from a user, it will not take effect until the client app refreshes the token using silent authentication.

We thought about setting a short expiration time and refresh the token every 10 minutes or so, but we would rather not have to wait so long for permission changes to be applied.

Another alternative would be send a signal to the SPA that would cause it to refresh the token right away. This signal could be sent on any API call, or by periodically polling a dedicated endpoint.

Is there a recommended way to deal with this issue?


We are looking at a similar setup. In our case we are also considering having the gateway be responsible for obtaining permissions for the called API and caching them for a certain time, but that does not address your concern.

I would also be very interested in recommendations on this topic.