How to Add the Permissions Claim to an Access Token
This article provides the standard procedure for including a user's assigned permissions in the permissions claim of an access token. This is accomplished by enabling a specific Role-Based Access Control (RBAC) setting in the custom API's configuration.
- Role-Based Access Control (RBAC)
- Access Tokens
- Custom APIs
- Permissions
By default, an access token issued by Auth0 for a custom API does not contain a permissions claim, even if a user has been assigned permissions through their roles. To make these permissions available for consumption by an API, the claim must be explicitly enabled in the API's configuration.
To add the permissions array to the access token, enable the RBAC setting for the associated API. This is the preferred method and does not require the use of custom Rules.
- Navigate to the Auth0 Dashboard.
- In the left sidebar, go to Applications > APIs.
- Select the custom API for which the permissions need to be configured.
- Select the Settings tab and scroll to RBAC Settings.
- Enable the Add Permissions in the Access Token toggle.
Once this setting is enabled, any new access tokens issued for this API will contain a permissions claim with an array of all permissions assigned to the user. This populates the standard permissions claim, so client applications do not need to be modified to look for a custom namespaced claim.