At some point, your custom APIs will need to allow limited access to users, servers, or servers acting on behalf of users. Authorization is the process of determining what a user or application is allowed to access. Although the term is often used interchangeably with authentication, authorization is a fundamentally different function: authentication establishes who the caller is, authorization decides what that caller may do. To learn more, read Authentication and Authorization.
In authorization, a user or application is granted access to an API after the API determines the extent of the permissions that it should assign. Usually, authorization occurs after identity is successfully validated through authentication so that the API has some idea of what sort of access it should grant.
Authorization can be determined through the use of policies and rules, which can be combined with role-based access control (RBAC). Regardless of whether RBAC is used, an application asks for access by including scopes in its request to the authorization server, and the access that was actually granted is carried in the issued Access Token. The API validates that token and reads the granted scopes from it; it must never trust the scopes the application originally asked for.
Since only the API can know all of the possible actions that it can handle, it should have its own internal access control system in which it defines its own permissions. To determine a calling application's effective permissions, an API should combine incoming scopes with the permissions assigned within its own internal access control system and make access control decisions accordingly.
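The combination step described above, as an added example that is not Auth0's code. It assumes the access token has already been validated (signature, issuer, audience, expiry) and its claims decoded into a dict; the role table, the subject-to-role assignments and the sample claims are constructed for illustration. The subject key is the token's `sub` claim, so a machine-to-machine token (whose subject is the client id) is handled the same way as a user token.

```python
"""Compute an API's effective permissions by intersecting access-token scopes
with the API's own access-control table.

Added example, not Auth0's code. Assumes the token was already validated and
decoded; ROLE_PERMISSIONS, SUBJECT_ROLES and the CLAIMS_* dicts are constructed
sample data.
"""
from dataclasses import dataclass

# Hypothetical internal access-control system. Only the API knows every action
# it can handle, so it defines its own permission strings and maps roles to them.
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "reader": frozenset({"read:messages"}),
    "editor": frozenset({"read:messages", "write:messages"}),
    "admin": frozenset({"read:messages", "write:messages", "delete:messages"}),
}

# Hypothetical role assignments keyed by the token's `sub` claim (constructed).
# A user token carries the user id; a client-credentials token carries the
# client id, so a service receives roles through the same table.
SUBJECT_ROLES: dict[str, frozenset[str]] = {
    "auth0|alice": frozenset({"editor"}),
    "auth0|bob": frozenset({"reader"}),
    "reporting-service@clients": frozenset({"admin"}),
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str  # for the API's own logs; do not echo it back to the caller


def internal_permissions(sub: str) -> frozenset[str]:
    """Permissions the API itself assigns to a subject through its roles."""
    perms: set[str] = set()
    for role in SUBJECT_ROLES.get(sub, frozenset()):
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(perms)


def token_scopes(claims: dict) -> frozenset[str]:
    """Scopes the authorization server granted: the space-delimited `scope`
    claim (RFC 6749 section 3.3). A missing or non-string claim grants nothing."""
    scope = claims.get("scope")
    if not isinstance(scope, str):
        return frozenset()
    return frozenset(scope.split())


def effective_permissions(claims: dict) -> frozenset[str]:
    """Intersection of what the token grants and what the API assigns."""
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        return frozenset()  # no subject, no permissions
    return token_scopes(claims) & internal_permissions(sub)


def authorize(claims: dict, required: str) -> Decision:
    """Deny by default; allow only when both sources grant `required`."""
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        return Decision(False, "missing-subject")
    if required not in token_scopes(claims):
        return Decision(False, "scope-not-granted")
    if required not in internal_permissions(sub):
        return Decision(False, "subject-not-permitted")
    return Decision(True, "allowed")


# Constructed sample claims, as they would look after validation and decoding.
CLAIMS_ALICE = {"sub": "auth0|alice", "scope": "openid read:messages delete:messages"}
CLAIMS_BOB = {"sub": "auth0|bob", "scope": "read:messages write:messages"}
CLAIMS_SERVICE = {"sub": "reporting-service@clients", "scope": "read:messages"}

if __name__ == "__main__":
    for name, claims in (("alice", CLAIMS_ALICE), ("bob", CLAIMS_BOB), ("service", CLAIMS_SERVICE)):
        print(name, sorted(effective_permissions(claims)))
    print(authorize(CLAIMS_ALICE, "delete:messages"))
```

Note the two distinct denial reasons: Alice's token carries `delete:messages`, but her internal role does not, so the request is refused even though the authorization server granted the scope; the reverse holds for `write:messages`, which her role allows but her token never granted. Either source alone is insufficient, which is the point of combining them.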
| Topic | Description |
| --- | --- |
| Authorization Policies | What authorization policies are and how they work with Auth0. |
| Authorization Flows | What flows are available for authentication and authorization of applications and APIs. |
| Protocols | About the identity standards and protocols that Auth0 uses. |
| Role-based Access Control | What role-based access control is and how it works in Auth0. |