What's best practice for managing users, roles and permissions in a web app?

Is it a common practice to sync users, roles and permissions to your web app’s database or do people tend to call Auth0 APIs directly as the source of truth?

Hi @larrybarry,

Welcome to the Auth0 Community!

You should call the Auth0 Management API directly to get the user’s roles and permissions.

Alternatively, if you have configured your access token to append the user’s roles and permissions as custom claims, you can retrieve them by decoding the access token.

Thanks @rueben.tiow!

I noticed that there is native functionality for RBAC where the scopes get automatically added to the token (which is what I’m currently using). I didn’t see similar functionality for putting the actual role into the token. Am I missing that somewhere?


Hi @larrybarry,

That’s correct! There is a feature in your API settings where you can enable the Add Permissions in the Access Token feature.

On the other hand, for Roles, you will need to use a post-login action script to append the roles as a custom claim to the access token.

Please see this knowledge solution on how to do so.

Let me know if you have any questions.
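The post-login Action the reply describes, written out as an added example (not the page's or Auth0's own code). It assumes the claim namespace `https://example.com/roles` and includes a local stub of the Action `api` object so the claim-setting can be run offline, plus the role check a web app would perform on the verified token payload.

```javascript
// Added example (not from the page or Auth0): a "Login / Post Login" Action that
// copies the user's assigned roles into the access and ID tokens as a custom claim.
// Assumption: the claim name is a URL namespace you control, which keeps it from
// colliding with standard or reserved JWT claims.
const ROLES_CLAIM = 'https://example.com/roles';

// In the Auth0 Action editor this is declared as `exports.onExecutePostLogin`.
function onExecutePostLogin(event, api) {
  // event.authorization is absent in some flows, so fall back to no roles
  // instead of failing the login.
  const roles = event.authorization?.roles ?? [];
  api.accessToken.setCustomClaim(ROLES_CLAIM, roles);
  // Expose the same roles to the front end through the ID token.
  api.idToken.setCustomClaim(ROLES_CLAIM, roles);
}
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// Web-app side: read roles only from a payload whose signature has already been
// verified; an unverified token's claims are attacker-controlled input.
function hasRole(verifiedPayload, role) {
  const roles = verifiedPayload[ROLES_CLAIM];
  return Array.isArray(roles) && roles.includes(role);
}

// Local harness: a stub of the Action `api` that records the claims set, so the
// Action's effect on the tokens can be checked without a tenant.
function runActionLocally(event) {
  const claims = { accessToken: {}, idToken: {} };
  const api = {
    accessToken: { setCustomClaim: (name, value) => { claims.accessToken[name] = value; } },
    idToken: { setCustomClaim: (name, value) => { claims.idToken[name] = value; } },
  };
  onExecutePostLogin(event, api);
  return claims;
}

// Constructed sample events: a user holding two roles, and a flow with no
// authorization block at all.
const adminEvent = { user: { user_id: 'auth0|example' }, authorization: { roles: ['admin', 'editor'] } };
const noAuthzEvent = { user: { user_id: 'auth0|example' } };

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runActionLocally(adminEvent)));
  console.log(JSON.stringify(runActionLocally(noAuthzEvent)));
}
```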

