> Learn how to use Auth0's Authorization Extension to deny users access to an API using rules.

# Deny User Access to an API with Rules

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  For use with Auth0’s Authorization Extension only. If you are using the Authorization Core feature set, you should use the [built-in token dialects](/docs/get-started/apis/enable-role-based-access-control-for-apis#token-dialect-options) instead. To learn more, read [Authorization Core vs. Authorization Extension](/docs/manage-users/access-control/authorization-core-vs-authorization-extension).
</Callout>

Go to [Dashboard > Auth0 Pipeline > Rules](https://manage.auth0.com/#/rules). You can set up [Rules](/docs/customize/rules) for a number of different purposes, from user management to enriching user profiles. If you need to deny a user access to your API, you can create Roles with assigned scopes, then create a rule to remove scopes from the <Tooltip tip="Access Token: Authorization credential, in the form of an opaque string or JWT, used to access an API." cta="View Glossary" href="/docs/glossary?term=Access+Token">Access Token</Tooltip>:

```javascript lines theme={null}
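function (user, context, callback) {
  // Permissions the user holds through Authorization Extension roles
  var permissions = user.permissions || [];
  // Scopes requested by the client (POST body or query string); may be absent
  var body = context.request.body || {};
  var query = context.request.query || {};
  var requestedScopes = body.scope || query.scope || '';
  // Drop every requested scope that contains ':' and keep the rest
  var filteredScopes = requestedScopes.split(' ').filter(function (x) {
    return x && x.indexOf(':') < 0;
  });

  // Issue the remaining requested scopes plus the user's own permissions
  var allScopes = filteredScopes.concat(permissions);
  context.accessToken.scope = allScopes.join(' ');

  callback(null, user, context);
}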
```
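
A local check of the rule above, as an added example (not Auth0's code). The rule is given the assumed name `denyUnassignedScopes` so Node.js can load it, `issuedScopes` and `leakedScopes` are hypothetical helpers, and the users and requests are constructed sample data.

```javascript
// The page's rule, named (assumption) so it can be called outside Auth0.
function denyUnassignedScopes(user, context, callback) {
  var permissions = user.permissions || [];
  var requestedScopes = (context.request.body || {}).scope ||
                        (context.request.query || {}).scope || '';
  var filteredScopes = requestedScopes.split(' ').filter(function (x) {
    return x && x.indexOf(':') < 0;
  });
  context.accessToken.scope = filteredScopes.concat(permissions).join(' ');
  callback(null, user, context);
}

// Hypothetical helper: run a rule against a constructed user and request and
// return the scopes it would write into the Access Token.
function issuedScopes(rule, permissions, requestedScope, via) {
  var user = { permissions: permissions };
  var context = { request: { body: {}, query: {} }, accessToken: {} };
  if (requestedScope !== undefined) {
    context.request[via || 'query'].scope = requestedScope;
  }
  var result = null;
  rule(user, context, function (err, u, ctx) {
    if (err) throw err;
    result = ctx.accessToken.scope.split(' ').filter(Boolean);
  });
  return result;
}

// Invariant to test: no scope containing ':' is issued unless it is one of
// the permissions assigned to the user.
function leakedScopes(rule, permissions, requestedScope, via) {
  return issuedScopes(rule, permissions, requestedScope, via).filter(function (s) {
    return s.indexOf(':') >= 0 && permissions.indexOf(s) < 0;
  });
}

// Constructed cases: [assigned permissions, requested scope string, where sent]
var cases = [
  [['read:users'], 'openid profile read:users delete:users', 'query'],
  [[], 'openid delete:users', 'body'],
  [['read:users'], 'openid', 'query'],   // permissions are added even if not requested
  [['read:users'], undefined, 'query']   // request carries no scope parameter
];
cases.forEach(function (c) {
  console.log(JSON.stringify(c[1]), '->',
    issuedScopes(denyUnassignedScopes, c[0], c[1], c[2]).join(' '),
    '| leaked:', leakedScopes(denyUnassignedScopes, c[0], c[1], c[2]).length);
});
```

The third case shows that the rule issues every permission the user holds, whether or not the client requested it.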
