Can I store some data from my backend into Auth0 access and idToken?

I have really complex permission system in my project, so I decided to handle this part of logic on my side (without Auth0 scopes usage), but the crucial point for me is getting confidence that I will be able to store the User Permissions object from my server-side in the Auth0 user-metadata and be able to put it into Auth0 tokens for subsequent permissions’ validations without redundant Database queries.
Am I on the right way?

Hi @zhygliy

You can do this, there are two ways:

  1. When you change a permission in your database, at the same time, update the user object in Auth0 with the same permission (in the app_metadata for the user)
  2. Don’t store the permissions in the Auth0 user object, instead, use a rule that contacts an API you write that returns the permissions for a user, then put them in the access token.

The first has the drawback that it is a sync, and subject to the standard sync problem.
The second has the drawback that it is an API call in the auth flow, and another point of failure and potential delay.

John