Let's say we want to use JWT's with the user's roles and/or permissions stored inside the JWT's to reduce the number of calls to Ory. (we're aware there are pros and cons to this) For machine-to-machine auth, it looks like using a client credentials grant with an OAuth webhook to add the custom claims will get us what we want. For human users, there's this: https://www.ory.sh/docs/identities/session-to-jwt-cors But that's less flexible than a webhook... it maps the user's session into the JWT, and the permission info isn't available in the session. Would the approach be to somehow add the permission info to the session? Or is there some other way to get them a JWT with custom claims? Such as generating the JWT ourselves?

I've been considering a similar approach. The way that I've been looking at to do this is 1. When I import users into Ory I create them with a metadata_public entry of

my_roles

2. I set up a JWT tokenizer where I create a few custom claims in my claims mapper

claims: {
        iss: claims.iss,
        schema_id: session.identity.schema_id,
        email: session.identity.traits.email,
        roles: session.identity.metadata_public.my_roles,
}

So we'd have to update

my_roles

every time we update a user's Ory Permissions... that feels likely to get out of sync or become stale? I'm thinking now that it might be better to cache user permissions at another layer. Maybe nginx in front of the Ory Permission API