Authorization Extension

The Authorization Extension provides support for user authorization via Groups, Roles, and Permissions. You can define the expected behavior during the login process, and your configuration settings will be captured in a rule that's executed during runtime. To learn more, read Auth0 Rules.

With the Authorization Extension, you can store authorization data like groups, roles, or permissions in the outgoing token issued by Auth0. Your application can then consume this information by inspecting the token and take appropriate actions based on the user's current authorization context.

With the Authorization Extension, roles and permissions are set on a per-application basis. If you need the same roles or permissions on another application, you'll have to create them separately. Conversely, the Authorization Core feature set provides much more flexibility with roles and permissions.


Before you can use the extension, you'll need to:

  1. Install the extension.

  2. Configure how the extension will behave during the login transaction.

  3. Set up users, groups, roles, and permissions.

Manage data

You can easily move data into or out of the extension using a JSON file. To learn more, read Import and Export Authorization Extension Data.

Add functionality

Once the extension is up and running, you can add additional functionality to it.


Review our tips for troubleshooting page for commonly-encountered issues.

Upgrade from previous versions

Upgrade from version 2.6 or later

Upgrades from version 2.6 or later do not have breaking changes and require no special action.

Upgrade from versions before 2.6

Authorization Extension 2.6 contains breaking changes that result from changed logic for storing and handling the API Key; these require you to perform additional steps upon upgrade, as detailed below. Failing to complete these steps will result in either an InvalidApiKey or You are not allowed to access this application error on rule execution. For more information, see the GitHub changelog.

  1. Go to Auth0 Dashboard > Extensions, and select the Installed Extensions view.

  2. Locate Auth0 Authorization, select Upgrade, and confirm. Wait for the upgrade to complete.

Rotate the extension's API key

  1. Select Auth0 Authorization to open the extension.

  2. From the dropdown menu in the top-right of the extension dashboard, select Configuration.

  3. Locate the API Key section, and select Rotate.

Republish the extension's rule

Select Publish Rule.

Delete the old extension rule if it exists

  1. Go to Auth0 Dashboard > Auth Pipeline > Rules.

  2. Locate the auth0-authz rule. If it does not exist, you are done; otherwise, continue with the following steps.

  3. Locate the auth0-authorization-extension rule and drag it into the position below the auth0-authz rule.

  4. Check that the auth0-authz rule:

    • Was authored by the Authorization Extension and has not been modified manually

    • Will not change the authorization flow in a way that will grant access or privileges to undesired users if it is removed

  5. If the above conditions are true, use the toggle to disable the auth0-authz rule. After verifying that everything works appropriately, you can decide whether to leave the rule disabled or remove it entirely.

Learn more