Hi @larrybarry,
That’s correct! There is a feature in your API settings where you can enable the Add Permissions in the Access Token feature.
On the other hand, for Roles, you will need to use a post-login action script to append the roles as a custom claim to the access token.
Please see this knowledge solution on how to do so.
Let me know if you have any questions.
Thanks,
Rueben
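
The post-login Action mentioned in the reply above, sketched as an added example (not part of the original post or the linked knowledge solution). The claim namespace `https://example.com` and the helpers `applyRoleClaim` and `makeMockApi` are assumptions made for illustration; `event.authorization.roles` and `api.accessToken.setCustomClaim` are the Auth0 Actions calls.

```javascript
// Added example: Auth0 post-login Action that copies the user's roles into
// the access token as a custom claim.
// Assumption: the namespace is a placeholder; use a URI you control.
const CLAIM_NAMESPACE = "https://example.com";

// Synchronous core (hypothetical helper) so the logic can be checked
// outside the Auth0 runtime.
function applyRoleClaim(event, api) {
  // event.authorization can be undefined when the transaction carries no
  // authorization context; emit an empty list rather than throwing.
  const roles = (event.authorization && event.authorization.roles) || [];
  // Copy and de-duplicate so the claim never aliases the event object.
  const unique = Array.from(new Set(roles));
  api.accessToken.setCustomClaim(`${CLAIM_NAMESPACE}/roles`, unique);
  return unique;
}

// Handler signature used by post-login Actions.
async function onExecutePostLogin(event, api) {
  applyRoleClaim(event, api);
}

// The Action editor expects the handler on `exports`.
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
}

// Constructed stand-in for the `api` object, for local checks only.
function makeMockApi() {
  const claims = {};
  return {
    claims,
    accessToken: {
      setCustomClaim: (name, value) => { claims[name] = value; },
    },
  };
}
```

The resource server should read the roles from the namespaced claim only after it has validated the token's signature, issuer and audience.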