Authorization Policies

Behind the scenes, role-based authorization uses a pre-configured authorization policy, which contains conditions that allow code to evaluate whether a user should be permitted to access a protected API.

The authorization policy determines:

  • how to define and organize the users or roles that are affected by the policy

  • what logic and conditions apply to the policy and whether their outcome permits or denies access

When you use Auth0's core authorization and role-based access control (RBAC), the policy evaluates the roles and permissions assigned to users. To use these features, you must enable role-based access control for APIs.
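The following added example (not Auth0's own code) shows how a protected API might apply such a policy with a deny-by-default decision. It assumes the token's signature, issuer and expiry were already verified and that the user's permissions arrive as a `permissions` array in the access token claims; the policy table, audience value and sample claims are constructed for illustration.

```javascript
// Added example: deny-by-default policy check over already-verified token claims.
// Assumption: signature, issuer and expiry were validated before this runs.

// Hypothetical policy table: the permissions each protected API route requires.
const POLICY = {
  "GET /reports": ["read:reports"],
  "DELETE /reports": ["read:reports", "delete:reports"],
};

const API_AUDIENCE = "https://api.example.test"; // constructed identifier

function evaluatePolicy(claims, route, policy = POLICY) {
  const deny = (reason) => ({ allowed: false, reason });
  if (!claims || typeof claims !== "object") return deny("no claims");

  // The token must have been issued for this API.
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(API_AUDIENCE)) return deny("wrong audience");

  // Routes without a policy entry are denied, never implicitly open.
  const required = policy[route];
  if (!Array.isArray(required) || required.length === 0) {
    return deny("no policy for route");
  }

  // A missing claim means no RBAC data was issued; treat it as no permissions.
  if (!Array.isArray(claims.permissions)) return deny("permissions claim missing");

  const granted = new Set(claims.permissions.filter((p) => typeof p === "string"));
  const missing = required.filter((p) => !granted.has(p));
  return missing.length
    ? deny("missing: " + missing.join(","))
    : { allowed: true, reason: "ok" };
}

// Constructed sample claims.
const analyst = { sub: "auth0|sample-analyst", aud: API_AUDIENCE, permissions: ["read:reports"] };
const legacy = { sub: "auth0|sample-legacy", aud: API_AUDIENCE, scope: "read:reports" };

console.log(evaluatePolicy(analyst, "GET /reports"));
console.log(evaluatePolicy(analyst, "DELETE /reports"));
console.log(evaluatePolicy(legacy, "GET /reports"));
```

The third call is denied because the token carries only a `scope` string and no `permissions` claim, which is what an API sees when RBAC data is not included in the token.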

You can further customize the authorization policy by using rules. To learn more, read Rules for Authorization Policies.