Comment by jcmartinezdev

22 days ago

There are multiple ways: you can use known authorization methods like RBAC, or, if you want something more fancy, ReBAC (tools like OpenFGA, https://openfga.dev).

But there's only so much that you can do with that. If you need to call third-party APIs on the user's behalf, I'd recommend going with a solution revolving around custom token exchange (https://datatracker.ietf.org/doc/html/rfc8693).

You can check something like what Auth0 offers: https://auth0.com/ai

That would cover things like token exchange for third-party APIs, human in the loop, and also authorization methods.
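Added example (not from the commenter, and not Auth0's or OpenFGA's code) of the RFC 8693 token-exchange round trip the comment refers to: a backend builds the request that swaps the user's token for one scoped to a third-party API, then checks the response before handing the new token to anything. Endpoint URL, audience, scope strings and the sample response are constructed for illustration.

```python
"""RFC 8693 token exchange, offline: build the request, then vet the response."""
from urllib.parse import urlencode

# URNs defined in RFC 8693 (Section 2.1 grant type, Section 3 token types).
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
JWT_TYPE = "urn:ietf:params:oauth:token-type:jwt"
REQUIRED_RESPONSE_FIELDS = ("access_token", "issued_token_type", "token_type")


def build_exchange_request(subject_token, audience, scope=None, actor_token=None):
    """Return the form body POSTed to the token endpoint.

    subject_token is the user's token; actor_token (optional) identifies the
    agent or service acting on the user's behalf, i.e. the delegation case.
    """
    params = {
        "grant_type": GRANT_TYPE,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "audience": audience,  # pin the new token to the third-party API
    }
    if scope:
        params["scope"] = scope
    if actor_token:
        params["actor_token"] = actor_token
        params["actor_token_type"] = JWT_TYPE
    return urlencode(params)


def validate_exchange_response(resp, requested_scope):
    """Check a token-endpoint JSON response (RFC 8693 Section 2.2.1).

    Returns the set of granted scopes, or raises ValueError. The scope check
    is a conservative local policy (assumption): a token carrying scope we
    never asked for is refused rather than forwarded downstream.
    """
    for field in REQUIRED_RESPONSE_FIELDS:
        if field not in resp:
            raise ValueError(f"missing required field {field!r}")
    if resp["token_type"].lower() != "bearer":
        raise ValueError(f"unexpected token_type {resp['token_type']!r}")
    if resp["issued_token_type"] not in (ACCESS_TOKEN_TYPE, JWT_TYPE):
        raise ValueError(f"unexpected issued_token_type {resp['issued_token_type']!r}")
    # scope is only REQUIRED in the response when it differs from the request
    granted = set(resp.get("scope", requested_scope).split())
    if not granted <= set(requested_scope.split()):
        raise ValueError(f"over-broad scope granted: {sorted(granted)}")
    return granted


def exchange_rejected(resp, requested_scope):
    """True if validate_exchange_response refuses the response."""
    try:
        validate_exchange_response(resp, requested_scope)
    except ValueError:
        return True
    return False
```

Send the body with Content-Type application/x-www-form-urlencoded to the authorization server's token endpoint; the response dict here stands in for the parsed JSON reply.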