Enable Role-Based Access Control for APIs

This guide will show you how to enable role-based access control (RBAC) using Auth0's Dashboard. This task can also be performed using the Management API. This effectively enables the API Authorization Core feature set.

  1. Navigate to the APIs page in the Auth0 Dashboard, and click the name of the API to view.

View APIs

  2. Scroll to RBAC Settings and enable the Enable RBAC toggle.

  3. If you want to include all permissions assigned to the user in the permissions claim of the Access Token, enable the Add Permissions in the Access Token toggle, and click Save.

Including permissions in the Access Token lets your API avoid extra calls to retrieve a user's permissions, but increases token size. As long as RBAC is enabled, the scope claim of the Access Token contains the intersection of the permissions the application requested and the permissions assigned to the user, regardless of whether the permissions claim is also included in the Access Token.

When RBAC is disabled, the default behavior applies: an application can request any permission defined for the API, and the scope claim will include all requested permissions.
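To make the two toggles concrete, the following added example (not Auth0's code; Auth0 mints the real token) models how the RBAC settings above shape the scope and permissions claims, and how a resource server should check them. The permission names and the `issue_claims`/`has_permission` helpers are constructed for illustration.

```python
"""Model of the claim behavior described above (added example, not Auth0 code)."""
from dataclasses import dataclass


@dataclass
class ApiRbacSettings:
    rbac_enabled: bool = False           # the "Enable RBAC" toggle
    add_permissions_claim: bool = False  # the "Add Permissions in the Access Token" toggle


def issue_claims(settings, requested_scopes, user_permissions):
    """Return the scope/permissions claims an Access Token would carry.

    requested_scopes: permissions the application asked for (all assumed to be
    defined on the API). user_permissions: permissions assigned to the user via
    roles for this API.
    """
    requested = set(requested_scopes)
    assigned = set(user_permissions)
    claims = {}
    if settings.rbac_enabled:
        # RBAC on: scope is the intersection of requested and assigned permissions
        claims["scope"] = " ".join(sorted(requested & assigned))
        if settings.add_permissions_claim:
            # permissions claim lists every assigned permission, requested or not
            claims["permissions"] = sorted(assigned)
    else:
        # RBAC off (default behavior): every requested permission is granted
        claims["scope"] = " ".join(sorted(requested))
    return claims


def has_permission(claims, required):
    """Resource-server check on a decoded (and already signature-verified) token.

    Prefer the permissions claim when the API was configured to add it;
    otherwise fall back to the space-separated scope claim.
    """
    if "permissions" in claims:
        return required in claims["permissions"]
    return required in claims.get("scope", "").split()


if __name__ == "__main__":
    # Constructed sample: the app asks for three scopes, the user holds two of them.
    rbac_on = ApiRbacSettings(rbac_enabled=True, add_permissions_claim=True)
    token = issue_claims(rbac_on, ["read:reports", "write:reports", "delete:reports"],
                         ["read:reports", "write:reports", "read:users"])
    print(token)  # scope holds the intersection; permissions holds all assigned
    print(has_permission(token, "delete:reports"))  # denied: not assigned
```

Note that `has_permission` assumes the token's signature, issuer, audience and expiry were already verified by your JWT library; the claims are only trustworthy after that step.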

Remember that any configured rules run after the RBAC-based authorization decisions are made, so rules may override the behavior described above.