That is definitely an option; however, it feels a bit rough to pollute the tokens with a claim that we only plan to use once.
Our current approach actually does nothing on the Auth0 end. During the callback endpoint execution, we invoke the management API to get the user details. Included within these details is their logins_count. If that value is 1, we know that this user just signed up.
I wouldn’t suggest doing this. This solution is much more expensive than adding a custom claim to the token.
Custom claims, Actions, and tokens are built to handle changes on every auth cycle. The management API, however, is not. You will quickly run into management API rate limits if you are making requests against it every time a user authenticates, and you will not be able to scale this type of flow.
Adding a custom claim to the token indicating it is a first login is not unusual.
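
The custom-claim approach from the reply above, as an added example that is not part of the original thread or Auth0's own code: a post-login Action sets a claim only when `logins_count` is 1, and the callback reads it from the ID token instead of calling the management API. The claim name `https://example.com/first_login` and the helpers `isFirstLogin` and `simulateLogin` are assumptions made for illustration.

```javascript
// Added example. CLAIM is a hypothetical namespaced claim name.
const CLAIM = "https://example.com/first_login";

// Auth0 post-login Action handler: event.stats.logins_count is supplied to
// the Action on every login, so no Management API call is needed.
async function onExecutePostLogin(event, api) {
  // Set the claim only on the very first login; later tokens stay unchanged.
  if (event.stats && event.stats.logins_count === 1) {
    api.idToken.setCustomClaim(CLAIM, true);
  }
}
// Inside an Action the handler is exported under this name.
if (typeof exports !== "undefined") exports.onExecutePostLogin = onExecutePostLogin;

// Callback side: the payload must come from an ID token whose signature,
// issuer and audience were already verified. Strict comparison rejects
// look-alike values such as the string "true".
function isFirstLogin(verifiedIdTokenPayload) {
  return verifiedIdTokenPayload[CLAIM] === true;
}

// Constructed harness: minimal stand-ins for the Action's event and api objects.
function simulateLogin(loginsCount) {
  const claims = { sub: "auth0|constructed-user" };
  const api = { idToken: { setCustomClaim: (k, v) => { claims[k] = v; } } };
  // The handler contains no awaits, so the claim is set synchronously.
  onExecutePostLogin({ stats: { logins_count: loginsCount } }, api);
  return claims;
}

console.log(isFirstLogin(simulateLogin(1)), isFirstLogin(simulateLogin(7)));
```

Because the claim is omitted on every login after the first, it appears in exactly one token per user.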