Add extra fields in universal login page and embed that infromation in token generated for APIs

I want to perform the following tasks on login.

  1. customize login page with extra fields.
  2. After login “extra field” values should be embedded in token generated for APIs.


Hey @a.faraz543,

Can we get more details?

This doesn’t sound safe: the extra fields are coming from the user (and so should not be trusted) and are put straight into the access token? I think there are security problems with that.

Can you give some more details? There’s probably a better way to do it.


Hi @john.gateley

Thanks, for replaying. I am actually using Auth0 for a hospital HR management software (under development). It will be working on multiple hospitals at a time. so the extra field I have mentioned in my post will be “GMC” (doctors unique identifier through the country) and other will be the list of hospitals in which the doctor is working, form that drop down user will select which hospital to login.

that’s why we need to embed that information in token so when verify the token we can actually make sure that user requesting the data is actually from that same hospital for which he/she have requested the data.


Hi Faraz,

This is somewhat complex - it is not just a field in the token, it is a more complex login flow.

The easiest answer is Auth0 professional services. I deal with questions like this often - it takes time to get to the unique factors in each case, and come up with the solution that works. It is not cookie-cutter.

Having said that, I would start by having the info in the user’s app_metadata, and getting tokens that pull the fields from the metadata instead of having them passed in (which I am even more sure is a security vulnerability, after reading your description). I’m not sure how to securely identify which hospital should be in the token. That’s one of the areas that could be unique.