> Learn how to use the Authorization Extension to control user authorization behavior during runtime.

# Authorization Extension

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  The [Authorization Core](/docs/manage-users/access-control/rbac) feature set and [Authorization Extension](/docs/customize/extensions/authorization-extension) are completely separate features. To manage groups, roles, or permissions, you need to use the feature they were originally created in.
</Callout>

The Authorization Extension provides support for user authorization via Groups, Roles, and Permissions. You can define the expected behavior during the login process, and your configuration settings will be captured in a rule that's executed during runtime. To learn more, read [Auth0 Rules](/docs/customize/rules).

With the Authorization Extension, you can store authorization data like groups, roles, or permissions in the outgoing token issued by Auth0. Your application can then consume this information by inspecting the token and take appropriate actions based on the user's current authorization context.
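An added example, not code from the Auth0 documentation or the extension: the Node.js code below shows an application verifying a token's signature, algorithm, and expiry before it acts on the authorization data inside, and denying access by default. The top-level `permissions` claim name, the RS256 algorithm, the helper names, and the throwaway key pair are assumptions made so the example runs offline.

```javascript
// Added example: claim names, helper names and sample data are assumptions, not Auth0's own.
const nodeCrypto = require("node:crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");

// Constructed issuer: a throwaway RSA key pair standing in for the tenant's signing key.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });

// Build a constructed RS256 token so the example needs no network access.
function signSample(payload, key = privateKey) {
  const head = b64url(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(payload));
  const sig = nodeCrypto.sign("sha256", Buffer.from(`${head}.${body}`), key);
  return `${head}.${body}.${b64url(sig)}`;
}

// Verify algorithm, signature and expiry before reading any authorization claim.
function verifyToken(token, key, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [head, body, sig] = parts;
  const header = JSON.parse(Buffer.from(head, "base64url").toString());
  // Pin the expected algorithm so "none" or a symmetric algorithm is rejected.
  if (header.alg !== "RS256") throw new Error("unexpected alg");
  const signed = Buffer.from(`${head}.${body}`);
  const ok = nodeCrypto.verify("sha256", signed, key, Buffer.from(sig, "base64url"));
  if (!ok) throw new Error("bad signature");
  const claims = JSON.parse(Buffer.from(body, "base64url").toString());
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) throw new Error("expired");
  return claims;
}

// Default deny: a verification failure or a missing claim means no access.
function isAllowed(token, key, permission) {
  try {
    const claims = verifyToken(token, key);
    return Array.isArray(claims.permissions) && claims.permissions.includes(permission);
  } catch {
    return false;
  }
}
```

Production code would normally use a maintained JWT library and also validate the issuer and audience.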

With the Authorization Extension, roles and permissions are set on a per-application basis. If you need the same roles or permissions on another application, you'll have to create them separately. In contrast, the [Authorization Core](/docs/manage-users/access-control/rbac) feature set provides much more flexibility with roles and permissions.

## Prerequisites

Before you can use the extension, you'll need to:

1. [Install](/docs/customize/extensions/authorization-extension/install-authorization-extension) the extension.
2. [Configure](/docs/customize/extensions/authorization-extension/configure-authorization-extension) how the extension will behave during the login transaction.
3. [Set up](/docs/customize/extensions/authorization-extension/set-up-authorization-extension-users) users, groups, roles, and permissions.

## Manage data

You can easily move data into or out of the extension using a JSON file. To learn more, read [Import and Export Authorization Extension Data](/docs/customize/extensions/authorization-extension/import-and-export-authorization-extension-data).

## Add functionality

Once the extension is up and running, you can extend it with additional functionality.

* [Enable API access to the extension](/docs/customize/extensions/authorization-extension/enable-api-access-to-authorization-extension): Learn how you can automate provisioning and query the authorization context of your users in real time, using the extension's API.
* [Explore Authorization Extension API endpoints](https://auth0.com/docs/api/authorization-extension): Learn about the Authorization Extension's API endpoints and how you can use them.
* [Use Authorization Extension data in rules](/docs/customize/extensions/authorization-extension/use-rules-with-the-authorization-extension): Learn how you can use rules to configure extra logic for your logins.

## Upgrade from previous versions

### Upgrade from version 2.6 or later

Upgrades from version 2.6 or later do not have breaking changes and require no special action.

### Upgrade from versions before 2.6

Authorization Extension 2.6 contains breaking changes that result from changed logic for storing and handling the API Key; these require you to perform additional steps upon upgrade, as detailed below. Failing to complete these steps will result in either an `InvalidApiKey` or `You are not allowed to access this application` error on rule execution. For more information, see the [GitHub changelog](https://github.com/auth0/auth0-authorization-extension/blob/master/CHANGELOG.md).

1. Go to [Auth0 Dashboard > Extensions](https://manage.auth0.com/#/extensions), and select the **Installed Extensions** view.
2. Locate **Auth0 Authorization**, select **Upgrade**, and confirm. Wait for the upgrade to complete.

#### Rotate the extension's API key

1. Select **Auth0 Authorization** to open the extension.
2. From the dropdown menu in the top-right of the extension dashboard, select **Configuration**.
3. Locate the **API Key** section, and select **Rotate**.

#### Republish the extension's rule

Select **Publish Rule**.

#### Delete the old extension rule if it exists

1. Go to [Auth0 Dashboard > Auth Pipeline > Rules](https://manage.auth0.com/#/rules).
2. Locate the `auth0-authz` rule. If it does not exist, you are done; otherwise, continue with the following steps.
3. Locate the `auth0-authorization-extension` rule and drag it into the position below the `auth0-authz` rule.
4. Check that the `auth0-authz` rule:

   * Was authored by the Authorization Extension and has not been modified manually
   * Will not change the authorization flow in a way that will grant access or privileges to undesired users if it is removed
5. If the above conditions are true, use the toggle to disable the `auth0-authz` rule. After verifying that everything works appropriately, you can decide whether to leave the rule disabled or remove it entirely.

## Learn more

* [Install Authorization Extension](/docs/customize/extensions/authorization-extension/install-authorization-extension)
* [Configure Authorization Extension](/docs/customize/extensions/authorization-extension/configure-authorization-extension)
* [Enable API Access to Authorization Extension](/docs/customize/extensions/authorization-extension/enable-api-access-to-authorization-extension)
* [Import and Export Authorization Extension Data](/docs/customize/extensions/authorization-extension/import-and-export-authorization-extension-data)
* [Use Rules with the Authorization Extension](/docs/customize/extensions/authorization-extension/use-rules-with-the-authorization-extension)
