Authorization Core vs. Authorization Extension

Auth0 currently provides two ways of implementing role-based access control (RBAC): our Core implementation and our Authorization Extension, which will be deprecated. Our Core implementation improves performance and scalability.

We recommend using Authorization Core for most implementations. If you are looking to represent teams, business customers, or partners in a B2B or SaaS application, we recommend representing them as Organizations and using Authorization Core. The Authorization Extension does not have support for Organizations.

To help you decide which feature is right for your implementation, we present the differences between the two:

| Feature | Authorization Core | Authorization Extension |
| --- | --- | --- |
| Enhanced performance and scalability | Yes - Read Authorization Core RBAC Limits | No - Limited to 500KB of data (1000 groups, 3000 users, where each user is a member of 3 groups; or 20 groups, 7000 users, where each user is a member of 3 groups) |
| Create/edit/delete Roles | Yes | Yes |
| Roles can contain permissions from one or more APIs | Yes | No |
| Users and Roles can be assigned to Groups | No | Yes |
| Roles are attached to specific applications | No | Yes |
| Create/edit/delete Users | Yes | Yes |
| Search Users by user, email, connection | Yes | Yes |
| Search Users by identity provider, login count, last login, phone number | Yes | No |
| Search Users using Lucene syntax | Yes | No |
| User import/export via JSON | Not currently | Yes |
| Create custom authorization policies | Yes | No |
