Can I store some data from my backend into Auth0 access and idToken?

I have a really complex permission system in my project, so I decided to handle this part of the logic on my side (without using Auth0 scopes), but the crucial point for me is getting confidence that I will be able to store the User Permissions object from my server side in the Auth0 user-metadata and be able to put it into Auth0 tokens for subsequent permissions’ validations without redundant database queries.
Am I on the right track?

Hi @zhygliy

You can do this; there are two ways:

  1. When you change a permission in your database, at the same time, update the user object in Auth0 with the same permission (in the app_metadata for the user).
  2. Don’t store the permissions in the Auth0 user object, instead, use a rule that contacts an API you write that returns the permissions for a user, then put them in the access token.

The first has the drawback that it is a sync, and subject to the standard sync problem.
The second has the drawback that it is an API call in the auth flow, and another point of failure and potential delay.
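
Both options from the answer above written as one Auth0 Rule, as an added example that is not part of the original thread or Auth0's own code: it validates the permission data and fails the login instead of issuing a token when the lookup fails or the data is malformed. The claim namespace, the `action:resource` permission format, the size cap and the `lookup` callback standing in for your API are assumptions.

```javascript
// Added example, not from the original thread. Auth0 Rules have the shape
// function (user, context, callback); the other names here are hypothetical.
const NAMESPACE = 'https://example.com/';          // placeholder claim namespace
const MAX_PERMISSIONS = 50;                        // assumed cap to keep tokens small
const PERMISSION_RE = /^[a-z0-9_-]+:[a-z0-9_-]+$/; // assumed "action:resource" format

// Accept only a bounded array of well-formed strings; return null otherwise.
function sanitizePermissions(raw) {
  if (!Array.isArray(raw) || raw.length > MAX_PERMISSIONS) return null;
  if (!raw.every((p) => typeof p === 'string' && PERMISSION_RE.test(p))) return null;
  return Array.from(new Set(raw)).sort(); // de-duplicated, stable order
}

// lookup(userId, cb) is a hypothetical stand-in for the call to your own API
// (option 2). Pass null to read the synced copy in app_metadata (option 1).
function makePermissionsRule(lookup) {
  return function permissionsRule(user, context, callback) {
    const finish = (err, raw) => {
      // Fail closed: no token is issued with missing or unverified permissions.
      if (err) return callback(new Error('permission lookup failed'));
      const perms = sanitizePermissions(raw);
      if (perms === null) return callback(new Error('invalid permission data'));
      context.accessToken = context.accessToken || {};
      context.accessToken[NAMESPACE + 'permissions'] = perms;
      return callback(null, user, context);
    };
    if (lookup) return lookup(user.user_id, finish);
    return finish(null, (user.app_metadata || {}).permissions || []);
  };
}
```

In either variant the token carries the permissions as they were at issue time, so a change in your database only takes effect once a new token is issued.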