Thanks for sharing, I tried this and it works well with my passwordless flow too. But I found the security hole to be too big and we cannot use it. The meta data we are going to update is our own internal id which will be add in the JWT Token and will be used to identify user on our backend. Now can you please suggest me the best approach which is secure as well.