Interesting one. Done with the OAuth 2.0 M2M lab with Auth0. I executed the Client Credentials flow and decoded the access token. Here is an extra step, in case you experience the same problem: please you need to turn on RBAC on the API and give the app the permission before read:invoices show in the token. If you do not, the permissions list comes back empty. Please check the screenshot for more clarity.