When you log into Auth0, you get an access token returned to your application (assuming you passed an audience for the API in the authorizationParams to the /authorize call). Before you are sent back to your application and while Auth0 is in control, you can append custom scopes/claims to your access token. Or on your API in Auth0, you can enable RBAC and add permissions to your access token automatically. Your application now has an access token that is encoded in session storage of your browser as a cookie or keychain/android secure storage for native applications. When you make a request to your backend API, you can pass that access token as a bearer token (in the case of SPAs and Native apps) to your endpoint. In the case of Regular Web Applications the cookie is passed automatically with the request. In your API, you can use Auth0 SDKs to validate the access token is issued by Auth0, not expired, and contains the appropriate permissions to access the endpoint. You determine which permissions are required to allow or deny access here and usually with the help of Auth0 SDKs but you can also decode the token with a package like jwt-decoder and conduct your own logic on what is required to make the call.