App_metadata not merged but replaced

The ‘Update a User’ ( /api/v2/users/{id} - Auth0 Management API) PATCH call has a different way of dealing with the metadata fields. These properties (user_metadata and app_metadata) “are merged instead of being replaced but be careful, the merge only occurs on the first level”.

So once the app_metadata.userId is inserted it can only be changed but not removed, one may think.

But when testing the API with { “app_metadata”: {} } the value is not merged but it is deleted resulting in no app_metadata field.

Hi @mihai.iordache,

Welcome to the Auth0 Community!

To clarify, if a user had the following app_metadata:

  "app_metadata": {
    "foo": "bar"

And you sent a request with a body of:

  "app_metadata": {}

You would expect this as the result:

  "app_metadata": {
    "foo": "bar"

Can you confirm this is what you are expecting? Also, in what scenario would you send an empty object like that? Why not omit it entirely?

Yes @dan.woda !
The scenario that you describe it is exactly my understanding of the auth0 documentation in this case.
But the code is doing something else. It is replacing not merging.

I’m asking about the empty object because we have a scenario that we are unable to understand. Some users are missing app_metadata. We checked every where in our app and we are always sending app_metadata with data in it. We also checked if we edit it somewhere without realising with an empty object. We do not.

So the bigger issue now is that we send the app_metadata every time but in some cases it is not saved. Could this been and auth0 issue ?

It seems like an empty object is used to clear the user’s app metadata. I can understand how that could be confusing if you are expecting a merge.

I’m not seeing any recent support cases, topics, or outages reporting anything related to this. It is unlikely that your tenant would be the only one affected by a bug in the management API.

Thank you very much for your help @dan.woda!
This is very important for this project.

I have some further questions if you can help me with, please.

Is there a log where I can see in greater details if the user had app_metadata on create, and if maybe there is another call that I am not aware of that is ‘deleting’ that part ?

I would like to know at what point the app_metadata went missing.
Is it at create ? Is it an update later ?

And I would like to know who is making those changes ?

There is a log of the request. If you go to your logs you should see the request and who/what app made it. For example:

  "date": "2021-08-11T19:05:55.349Z",
  "type": "sapi",
  "description": "Update a User",
  "client_id": "xxxxx",
  "client_name": "xxxxx",
  "details": {
    "request": {
      "method": "patch",
      "path": "/api/v2/users/xxxxx",
      "query": {},
      "body": {
        "app_metadata": {
          "foo": "bar"
      "channel": "",
      "auth": {
        "user": {
          "user_id": "xxxxx",
          "name": "xxxxx",
          "email": "xxxxx"

You can also search the logs, which should help you narrow down the requests that are clearing the app metadata.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.