Add custom claim to access token not working

I have a react SPA and a flask backend that I’m trying to use with auth0 together. I can authenticate just fine, but I’m having big troubles with authorization… Because of a concurrently-running legacy application using the same databases, I can’t change anything in the db to encompass authorization (like I suspect I’m supposed to to, to use RBAC or something). If I were to just send the access token and use that to get the userinfo, I’d have to do that on every single request from every single user, which doesn’t seem right.

So, what I think should work is either: append a custom claim to my access_token with the user’s email, or send the id_token as well to my backend on every request, and be able to extract the user’s email from there.

I have tried both rules and hooks (and am still not super clear about the difference between them, and what would or wouldn’t run when my application requests tokens?) but neither have seemed to actually affect the access token I’m getting back, though both work in the “try it out” feature of the panel where you set them up… And the client exchange hook doesn’t have an obvious way to access the user object anyway, that I can tell.

The contents of my rule are:
function (user, context, callback) {
const namespace = ‘’;
context.accessToken[namespace + ‘email’] =;
callback(null, user, context);

I also thought about just sending the id_token as well, but even if I add my client-id to the audience, I can’t decode it with jose.jwt, because
No access_token provided to compare against at_hash claim

Is my best option here REALLY to just send the email address in a separate header field and give up on it being part of any kind of token the backend can consume?

Hi Katie,

Welcome to the Auth0 community!

Namespaces need to start with either http:// or https:// as described in our documentation here:

The contents of your Rule look good to me.

Could you try modifying your namespace and seeing if it solves the issue?

1 Like

it worked!!! Thanks so much. While I have you here though, could you clarify the difference between rules and hooks, and when I should be using each? I looked into some other forum questions and it sounded like rules SHOULDN’T run when the client authenticates, but it seems to in this case. Also, why does the client-exchange hook not have access to the user object? Am I just not understanding the point at which that happens?
thanks again!

As naming convention shows per-registration and post registration, hooks only execute once when new user gets register with Auth0 system
Rules execute every time user login to the system.

So which is best to use depends upon the specific requirement.