Deny User Access to an API with Rules

For use with Auth0’s Authorization Extension only. If you are using the Authorization Core feature set, you should use the built-in token dialects instead. To learn more, read Authorization Core vs. Authorization Extension.

Go to Dashboard > Auth0 Pipeline > Rules. You can set up Rules for a number of different purposes, from user management to enriching user profiles. If you need to deny a user access to your API, you can create Roles with assigned scopes, then create a rule to remove scopes from the Access Token. The rule below drops every requested scope that names a permission (any scope containing a colon, such as `read:messages`) and then adds back only the permissions the Authorization Extension has assigned to the user through their roles:

function (user, context, callback) {
  // Permissions published on the user object by the Authorization Extension
  var permissions = user.permissions || [];

  // Scopes the client asked for; fall back to '' so .split() never throws
  var requestedScopes = context.request.body.scope || context.request.query.scope || '';

  // Keep only scopes without ':' (openid, profile, ...); permission-style
  // scopes are removed here and re-added below only if the user holds them
  var filteredScopes = requestedScopes.split(' ').filter(function (x) {
    return x.length > 0 && x.indexOf(':') < 0;
  });

  var allScopes = filteredScopes.concat(permissions);
  context.accessToken.scope = allScopes.join(' ');

  callback(null, user, context);
}
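To see what the rule actually puts in the token, here is the same filtering logic pulled into plain functions that can be run offline against a constructed `user` and `context`. This is an added example, not code from the Auth0 documentation; the shape of `context.request` and `context.accessToken` follows the rule above, and the sample user, permissions and requested scopes are constructed for the demonstration.

```javascript
// Added example: the rule's scope filtering as a standalone function so the
// result can be checked without a running Auth0 tenant. The request/accessToken
// shapes mirror the rule on this page; all sample data below is constructed.

// Drop every requested scope that names a permission (contains ':'), then
// append the permissions the Authorization Extension placed on the user.
function computeScopes(user, context) {
  var permissions = user.permissions || [];
  var requestedScopes =
    (context.request.body && context.request.body.scope) ||
    (context.request.query && context.request.query.scope) ||
    '';
  var filteredScopes = requestedScopes.split(' ').filter(function (x) {
    return x.length > 0 && x.indexOf(':') < 0;
  });
  return filteredScopes.concat(permissions);
}

// Same signature as the rule: writes the final scope string into the
// Access Token and hands control back through the callback.
function denyUnassignedScopes(user, context, callback) {
  context.accessToken.scope = computeScopes(user, context).join(' ');
  callback(null, user, context);
}

// Constructed Auth0-style context carrying a scope parameter in the request body.
function makeContext(scope) {
  return {
    request: { body: { scope: scope }, query: {} },
    accessToken: {}
  };
}

// Constructed scenario: the user's roles grant only read:messages, but the
// client asks for delete:messages as well. delete:messages never reaches
// the token because it is stripped and not present in user.permissions.
function demo() {
  var user = { permissions: ['read:messages'] };
  var ctx = makeContext('openid profile read:messages delete:messages');
  var issued;
  denyUnassignedScopes(user, ctx, function (err, u, c) {
    issued = c.accessToken.scope;
  });
  return issued; // 'openid profile read:messages'
}
```

Note that a user with no `permissions` array at all ends up with only the non-permission scopes (`openid`, `profile`, ...), which is the "deny" behaviour the rule is meant to produce; the API then rejects calls that require a permission scope it never issued.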