Call our API from a rule

Our SPA uses Auth0 to authenticate users and retrieve a token to access our backend nodejs API server. We use auth0 rules to perform some pre-login checks and populate permissions.

We would like to call our API from the auth0 rules as part of the login process. This enables the rules to populate some permissions and hold them in app_metadata, so the API doesn’t have to check the database every time the user logs in.

Is there a recommended access pattern to create an access token to call APIs from auth0 rules (assuming these API’s already accept user tokens from auth0)? Ideally auth0 would be able to generate a signed token that we can attach to requests to the API.

In another community question, they were using jwt.sign to create tokens within a rule. However, they were messing about with specific library versions and had some reliability issues, so I wasn’t sure how supported their approach was. Does this look like the correct thing to do?:

var jwt = require(‘jsonwebtoken@7.1.9’);
var request = require(‘request@2.56.0’);

var userInfoToken = jwt.sign(
iat: Math.floor( / 1000) - 2
expiresIn: 4,
audience: context.request.query.audience,
issuer: ‘https://’ + context.request.hostname + ‘/’

1 Like

@mike25 were you able to establish a pattern you like to call your api from auth0 for app_metadata info?

Hey there!

Sorry for such huge delay in response! We’re doing our best in providing you with best developer support experience out there, but sometimes our bandwidth is not enough comparing to the number of incoming questions.

Wanted to reach out to know if you still require further assistance?

Here is an FAQ that answers this.