Adding my app-specific info to the JWT

If I needed to update a JWT with my service/application-specific information, is there a standard/best-practices way to do this?

The JWT never leaves the server, it’s in a cache on the server.

Example: User is authenticated but a user might have access to multiple companies that belong to the organization they are a part of. I want to store the companies as part of the JWT and make sure the user can’t just pass in any companyId to query the db.

The check would basically be that the client sends a companyId and I compare the companyId to what I have added to the cache on the server.

1 Like

Hi @mgaye,

Welcome to the Auth0 Community!

Yes, this is possible by adding custom claims to an Access Token using an Auth0 Post-Login Action script.

Please see our Adding custom claims to tokens FAQ for more instructions, and let me know if you have any questions with implementation.

Thanks,
Rueben

1 Like
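
As an added example (not code from this thread or from Auth0's documentation): a Post-Login Action that puts the user's company IDs into the Access Token with `api.accessToken.setCustomClaim`, next to the server-side check of a client-supplied companyId against that claim. The claim name, the `app_metadata.company_ids` source and the `isCompanyAllowed` helper are assumptions made for illustration.

```javascript
// Hypothetical namespaced claim name (assumption, not from the thread).
const CLAIM = "https://example.com/company_ids";

// Post-Login Action handler. In the Auth0 Actions editor this function is
// what gets assigned to exports.onExecutePostLogin.
async function onExecutePostLogin(event, api) {
  // Assumption: the application has synced the user's company IDs into
  // app_metadata.company_ids. Anything that is not a non-empty string is dropped.
  const raw = (event.user.app_metadata || {}).company_ids;
  const ids = Array.isArray(raw)
    ? raw.filter((id) => typeof id === "string" && id.length > 0)
    : [];
  // De-duplicate so the claim stays small and predictable.
  api.accessToken.setCustomClaim(CLAIM, [...new Set(ids)]);
}
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
}

// Server-side authorization check. `payload` must be the payload of an
// access token whose signature, issuer, audience and expiry were already
// verified; this function only decides whether the requested company is allowed.
function isCompanyAllowed(payload, requestedCompanyId) {
  const allowed = payload && payload[CLAIM];
  // Fail closed: a missing or malformed claim grants nothing.
  if (!Array.isArray(allowed)) return false;
  // Reject non-string input (arrays, objects, numbers from a JSON body).
  if (typeof requestedCompanyId !== "string" || requestedCompanyId === "") {
    return false;
  }
  return allowed.includes(requestedCompanyId);
}
```

The database query should run only after `isCompanyAllowed` returns true, and the companyId used in the query should be the value that passed the check.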

Hi @rueben.tiow,

Thank you for sharing that. It doesn’t quite address my use case. I need to look up the companies the user has access to from my db. Then update the JWT with the ids of those companies, and then update the cache with the new JWT.

With this suggestion it seems like I would need to look up the companies in my db, make a call to the actions endpoint(?) and provide the company data, have Auth0 put that in the claim and return a response to me, then I need to take that new JWT and put it in my cache. Does that sound right?

Also, is it possible to set claims in my application code using this api.accessToken.setCustomClaim('custom_claim', claim_value) or does this only work in the actions section of Auth0?