OIDC-Conformant Adoption: Access Tokens
Because applications and APIs (resources) are defined as separate Auth0 entities with the OIDC-conformant pipeline, you can get access tokens for your APIs. Consequently, all APIs should be secured with access tokens instead of ID tokens. To learn more, read Access Tokens and ID Tokens.
The OIDC-conformant pipeline standardizes claims that you can add to ID and access tokens.
With the OIDC-conformant pipeline, custom claims may still be added to ID tokens or access tokens, but they must conform to a namespaced format to avoid possible collisions with standard OIDC claims.
To learn how to add a custom claim in the OIDC-conformant pipeline, read Create Namespaced Custom Claims.
In the OIDC-conformant pipeline, you can configure your applications in Auth0 to use scopes to request that:
Standard OIDC claims, such as
Permissions supported by the API they want to access be included in the access token. For example, you can define your custom API's audience and required scopes, which will allow you to segregate access to different operations within your API.
To learn more, read OpenID Connect Scopes.
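The checks an API makes when it is secured with access tokens and uses audience and scopes to segregate operations, as described above, can be sketched as follows. This is an added example, not Auth0's own code: it assumes a JWT library has already verified the token's signature, issuer and expiry, and the API identifier, routes, scope names and sample payloads are constructed for illustration.

```javascript
// Added example: authorization checks applied to an already-verified token payload.
// API_IDENTIFIER, the routes and the scope names are assumptions made for this sketch.
const API_IDENTIFIER = "https://api.example.com/";

// Each operation requires its own scope, so access is segregated per operation.
const REQUIRED_SCOPES = {
  "GET /reports": "read:reports",
  "POST /reports": "create:reports",
};

function authorize(claims, operation) {
  const required = REQUIRED_SCOPES[operation];
  if (!required) return { allowed: false, reason: "unknown_operation" };

  // `aud` may be a single string or an array of audiences.
  const audiences = [].concat(claims.aud || []);
  if (!audiences.includes(API_IDENTIFIER)) {
    // An ID token fails here: its audience is the application's client ID.
    return { allowed: false, reason: "wrong_audience" };
  }

  // `scope` is a space-delimited string of granted scopes.
  const granted =
    typeof claims.scope === "string" ? claims.scope.split(" ").filter(Boolean) : [];
  if (!granted.includes(required)) {
    return { allowed: false, reason: "insufficient_scope" };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample payloads (not real tokens).
const accessToken = {
  iss: "https://tenant.example.com/",
  sub: "auth0|123",
  aud: [API_IDENTIFIER, "https://tenant.example.com/userinfo"],
  scope: "openid profile read:reports",
};
const idToken = {
  iss: "https://tenant.example.com/",
  sub: "auth0|123",
  aud: "constructedClientId",
  name: "Jane Doe",
};

console.log(authorize(accessToken, "GET /reports"));
console.log(authorize(accessToken, "POST /reports"));
console.log(authorize(idToken, "GET /reports"));
```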