Add custom claims to a self-generated JWT

Context: I’m using hasura which allows me to authenticate basically in 2 ways (well, 4, but only 2 apply): JWT or admin key. Since I don’t want to expose the admin key in any other service, I want to use JWT. My first idea was to use the generated JWT inside the rule, but since there’s no JWT generated yet (since we can add claims), that’s not an option.
This means that I need to generate a JWT with custom claims. I know I can generate JWTs with the APIs, but they do not contain the necessary (custom) claims, like:

  "": {
    "x-hasura-default-role": "user",
    "x-hasura-allowed-roles": [
    "x-hasura-user-id": "something-whatever"
  "iss": "...",
  "sub": "something-whatver",
  "aud": [
  "iat": 1594579306,
  "exp": 1924991999,
  "azp": "...",
  "scope": "openid profile email"

Or: how can I generate a JWT with custom claims? (Auth0 doesn’t expose the private signing key, so I can’t generate it using that key. I hope there is a way to generate JWTs with custom claims.)

Thanks, Kurt

fyio: this is not about adding custom claims to JWTs that are send back to a user who logs in. There are rules to do that, that’s not the problem. I want to enrich the profile of the user logging in by doing a call to another service, which needs an JWT for auth. It is about generating a JWT that can be used as ‘api key’ for another service.

Hey @kurt.sys, do you want to generate a JWT within a rule and call an API from there itself? In that case, you may have to generate that with your own client ID/secret pair or your own public/private key pair.

There’s an example here: (only the JWT creation part of that example is applicable here)

If the API is called after the user logs in, then you can use the Auth0-generated access token.

If I understand well, in the case of the JWT generated within a rule, I can’t sign it with the auth0 private key? That would mean that my external service needs to accept JWTs signed by 2 different keys, which is not possible. On me external service, I set the public key of auth0 to verify any call. On that service, or a authenticated user makes requests (which works fine), or an auth0 rule makes a request. Both requests need to send a JWT signed by the same key.
Is it possible to generate a JWT within a rule, using the private key of auth0?

That’s right. The tenant’s private key is accessible to the tenant only, and it’s not possible to sign other tokens with it. One workaround might be to call the API after authentication (though it might not work for your use case).

Yeah, but that won’t work: I want to enrich the JWT payload. After login is obviously too late :). Too bad, not sure how to solve this properly right now.