You can remove the permissions directly assigned to a user using the Dashboard or the Management API. The assigned permissions are used with the API Authorization Core feature set. To learn more, read Role-Based Access Control.

Prerequisites

For role-based access control (RBAC) to work properly, you must enable it for your API using either the Dashboard or the Management API. The Authorization Core functionality is different from the Authorization Extension. For a comparison, read Authorization Core vs. Authorization Extension.

Use the Dashboard

  1. Go to Dashboard > User Management > Users and click the name of the user.
  2. Click the Permissions view, then click the trash can icon next to the permission you want to remove, and confirm.

Use the Management API

Make a DELETE call to the Delete User Permissions endpoint. Be sure to replace the USER_ID, MGMT_API_ACCESS_TOKEN, API_ID, and PERMISSION_NAME placeholder values with your user ID, Management API Access Token, API ID(s), and permission name(s), respectively.
curl --request DELETE \
  --url 'https://{yourDomain}/api/v2/users/USER_ID/permissions' \
  --header 'authorization: Bearer MGMT_API_ACCESS_TOKEN' \
  --header 'cache-control: no-cache' \
  --header 'content-type: application/json' \
  --data '{ "permissions": [ { "resource_server_identifier": "API_ID", "permission_name": "PERMISSION_NAME" }, { "resource_server_identifier": "API_ID", "permission_name": "PERMISSION_NAME" } ] }'
Value                    Description
USER_ID                  The ID of the user to be updated.
MGMT_API_ACCESS_TOKEN    Access Token for the Management API with the scope update:users.
API_ID                   ID(s) of the API(s) associated with the permission(s) you would like to remove for the specified user.
PERMISSION_NAME          Name(s) of the permission(s) you would like to remove for the specified user.
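The same DELETE call built from Python, as an added example that is not Auth0's own code. The function names and the sample domain, user ID, API ID, and permission names are constructed for illustration; the builder percent-encodes the user ID for the URL path and drops duplicate permission entries before the request is sent.

```python
import json
import urllib.parse
import urllib.request


def build_remove_permissions_request(domain, user_id, token, permissions):
    """Build (without sending) the DELETE request for the Delete User Permissions endpoint.

    permissions: iterable of (api_id, permission_name) pairs.
    """
    pairs = []
    for api_id, name in permissions:
        if not api_id or not name:
            raise ValueError("each permission needs an API ID and a permission name")
        if (api_id, name) not in pairs:  # drop duplicates, keep order
            pairs.append((api_id, name))
    if not pairs:
        raise ValueError("no permissions to remove")

    # A user ID such as "auth0|abc123" contains "|", which must be
    # percent-encoded when it is placed in the URL path.
    url = "https://{}/api/v2/users/{}/permissions".format(
        domain, urllib.parse.quote(user_id, safe=""))
    body = {"permissions": [
        {"resource_server_identifier": api_id, "permission_name": name}
        for api_id, name in pairs]}
    return urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        method="DELETE",
        headers={"Authorization": "Bearer " + token,  # token needs update:users
                 "Content-Type": "application/json"},
    )


def send(request):
    """Send the request and return the HTTP status code."""
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.status


if __name__ == "__main__":
    # Constructed sample values; nothing is sent here.
    req = build_remove_permissions_request(
        "tenant.example.com", "auth0|abc123", "MGMT_API_ACCESS_TOKEN",
        [("https://api.example.com/", "read:reports"),
         ("https://api.example.com/", "read:reports")])
    print(req.get_method(), req.full_url)
    print(req.data.decode("utf-8"))
```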
