
app_metadata being removed after update



I have created a ‘Pre User Registration’ hook that adds a property to app_metadata when a user signs up. I then add that value to the user’s access token through a rule when they sign in. The property exists in the dashboard when I’m viewing the user and I can read the value in the access token. After the user signs in, they enter some more information and I update the app_metadata with some more properties. The problem is that the previous property is removed.

It works if I enter the property manually in the dashboard right after the user has signed up.


I’ve just had a very similar problem - setting the initial app_metadata in a database connection login script and then subsequent updates would remove it. Except, it turns out, they just mask it - setting app_metadata to {} later returned the original data!

This was fixed by setting the values we wanted in user_metadata, then copying them across in a rule (with a check to avoid doing it more than once) and updating it using the auth0 object into the Management API. Subsequent updates merged into the app_metadata rather than overwriting it.


My apologies for bumping an old post, but this may be useful to someone else running across this problem:

The app_metadata doesn’t always persist in a DB Action script due to some implementation details. Instead, use the metadata property inside the custom db scripts as app_metadata (for db action scripts, metadata will be written to the app_metadata right before rules are executed). Inside rules, continue to use app_metadata as you normally would. I understand why the outcome was to use user_metadata, but I caution against this because it is accessible by the user and they are free to change these properties at any time. Relying on user_metadata, especially for storing data used to make authorization decisions, can lead to an insecure solution.

  1. DB Action Script: user.metadata = { /* all of your properties */ };
  2. In a rule, check to see if app_metadata exists; if not, you can re-populate it.

Step 2 is important because app_metadata doesn’t exist until a redirect happens after authenticating. Some users can abort the transaction before redirection occurs.
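
Step 2 of the reply above, as an added example that is not code from the thread or from Auth0: a rule that re-populates app_metadata when it is missing, merges instead of overwriting, and never reads user_metadata. `NAMESPACE`, `SERVER_DEFAULTS`, the `repopulate` helper, the `demo` function and the stubbed `auth0` object are assumptions so the block runs offline; the `(user, context, callback)` signature and `auth0.users.updateAppMetadata` are the Rules API.

```javascript
'use strict';
// Constructed values for illustration (assumptions, not from the thread).
const NAMESPACE = 'https://example.com/';
const SERVER_DEFAULTS = { plan: 'free' };

// Stand-in for the `auth0` object the rule runtime injects; it records
// writes so the example runs offline.
const writes = [];
const auth0 = { users: { updateAppMetadata(userId, metadata) {
  writes.push({ userId, metadata });
  return Promise.resolve();
} } };

// Fill in missing keys from server-side defaults. Existing app_metadata keys
// always win, and user_metadata is never consulted because the user can edit it.
function repopulate(appMetadata, defaults) {
  const current = appMetadata || {};
  const merged = Object.assign({}, defaults, current);
  const changed = Object.keys(defaults).some(
    (k) => !Object.prototype.hasOwnProperty.call(current, k));
  return { merged, changed };
}

// Rule body: same (user, context, callback) shape as an Auth0 rule.
function ensureAppMetadata(user, context, callback) {
  const { merged, changed } = repopulate(user.app_metadata, SERVER_DEFAULTS);
  user.app_metadata = merged;
  context.accessToken = context.accessToken || {};
  // The claim is sourced from app_metadata only.
  context.accessToken[NAMESPACE + 'plan'] = merged.plan;
  if (!changed) return callback(null, user, context); // guard: write only once
  auth0.users.updateAppMetadata(user.user_id, merged)
    .then(() => callback(null, user, context))
    .catch((err) => callback(err));
}

// Constructed sample: app_metadata missing, user_metadata tampered with.
function demo() {
  const user = { user_id: 'auth0|sample', user_metadata: { plan: 'enterprise' } };
  const context = { accessToken: {} };
  ensureAppMetadata(user, context, () => {});
  return { user, context };
}

console.log(JSON.stringify(demo().context.accessToken));
```
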