Firebase currently only allows you to add custom claims to ID tokens, and it suggests adding role based access control (RBAC) permissions in those ID token claims.

RBAC custom claims should be added to the access token which is already included in the Authorization header in all API requests, so the API already has access to the token that it needs. Additionally including an ID token in API requests so that the API can read permissions from it is overly complicated and superfluous.

Furthermore, you should be able to add these claims to access tokens for specific users via the Firebase web interface. Currently, you can only add custom claims to ID tokens by creating and running an app locally with the Firebase Admin SDK, which is a major pain in the neck.

Auth0 does all of this already and, as a direct result of that, it is much easier to use than Firebase Auth.