As @rashid779939 said, with the Authentication API you can only set the user_metadata.
If you need to set app_metadata, that would need to be done via Management API (which is never called on behalf of an end user but of an administrator). Note though that you could also consider setting the app_metadata in a post-user-registration hook.
It depends on the use case and business logic which field makes most sense to you.
See the difference here:
User metadata : stores user attributes such as preferences that do not impact a user’s core functionality. Logged in users can edit their data stored in
user_metadataif you build a form for them using the Management APIPATCHendpoint with the scopeupdate:current_user_metadata.App metadata : stores information (such as, support plan subscriptions, security roles, or access control groups) that can impact a user’s core functionality, such as how an application functions or what the user can access. Data stored in
app_metadatacannot be edited by users. See App metadata restrictions for what cannot be stored in this field.