Adding user to default role, passwordless flow

Im looking for ways to add a user to a default role during the passwordless flow, so that we can use RBAC to restrict what can be called on an API. (also if it is possible to directly edit the scope inside an action - I can see examples for a rule, but not actions)

Similar to this question How to add roles, permissions to a user during signup? - #3 by dan.woda the issue is the same, we cannot add them to a role using the post-login action/hook, because the first time they request an access token, they wont be in the correct role so the token will not have the correct scopes.

In so far as I can tell from testing, despite what the documentation says re: action triggers Actions Triggers the pre-register/post-register do not trigger at all for a passwordless flow

Creating an action like the below, results in no user data at all being set on a user who goes through the passworldless flow

exports.onExecutePreUserRegistration = async (event, api) => {
  api.user.setAppMetadata('foobar', 'foobar')


Is there a way around this without having to make the user authenticate twice? Is there a recommended method for assigning passwordless users to a default role when their account is created?

This seems like it would be a common use case, but possibl I am thinking about the problem incorrectly.

Hi @mitchell.anderson,

I’m not sure why the app metadata is not added in the pre-user registration action when logging in with passwordless. Would you mind private messaging me the tenant name so that I can take a look at the settings? Thank you!

You can assign roles to users with a Post Login Action similar to the rule. You will first need to register a M2M application and authorize it to use the Managment API’s update:roles and create:role_members scopes:

You can then create an Action similar to this:

exports.onExecutePostLogin = async (event, api) => {
  if (event.stats.logins_count !== 1) {

  const ManagementClient = require('auth0').ManagementClient;

  var management = new ManagementClient({
      domain: event.secrets.domain,
      clientId: event.secrets.clientId,
      clientSecret: event.secrets.clientSecret,

  const params =  { id : event.user.user_id};
  const data = { "roles" : ["rol_abc123"]};

  management.users.assignRoles(params, data, function (err, user) {
    if (err) {
      // Handle error.

You can also include the roles in tokens with:

  const namespace = 'https://your-app-url/'
  api.accessToken.setCustomClaim(`${namespace}roles`, 'role-name');
  api.idToken.setCustomClaim(`${namespace}roles`, 'role-name');
1 Like

Hi Stephanie,

I will send you a DM. I’m aware you can set roles with an action as per the linked forum posts, unfortunately this is not a solution for first time users, as the role is set post login and that means the first time they request a token, they will not have the appropriate permissions.

Thank you, @mitchell.anderson! I understand what you mean. Even though the user has the role when they log in, their permissions are not included in the Access Token until they log in a second time. Adding the role as a custom claim is preferred here. I’ll research this and let you know what I find.

Hi @mitchell.anderson,

Wanted to send a quick update about using api.user.setAppMetadata. There is a known limitation that the Passwordless OTP flow will not trigger the api.user.setAppMetadata function in pre-user registration actions. There is an item to resolve this, however, I don’t have a specific date on when the fix will be released. The documentation will be updated to clarify this limitation soon.

1 Like