When roles are not enough client-side, best practices to get permissions?

Hi, in a SPA context, having access to the user’s permissions is helpful to tweak the UI (e.g. disabling/hiding an “edit” button), but permissions are only in the access token that is opaque to the (React) client. What are the best practices? Our “workaround” was to add a “user permissions” endpoint to our API.