What plans support custom claims for the access token (JWT)? The post-login Action looks good, but the JWT does not contain the custom claims (Free and Essentials plan). Is there a restriction on custom claims based on the plan?
Hi @dublindatta,
Welcome to the Auth0 Community!
The ability to add custom claims to tokens is not restricted by your Auth0 plan. This feature is available on all plans, including the Free tier. The reason your claims are not appearing in the access token is almost certainly due to the requirement that all custom claims must be namespaced.
Auth0 follows the OpenID Connect (OIDC) specification, which defines a set of standard claims (e.g., sub, aud, iss). To prevent potential collisions between your custom data and these reserved claims, Auth0 requires that any custom claim you add must be a URI. This is what we refer to as a “namespaced claim.”
If you try to add a claim without this special formatting in a Post Login Action, Auth0’s pipeline will silently ignore it, and it will not be added to the final token.
To fix this, you need to prefix your custom claim name with a unique URI that you control. This doesn’t have to be a real, publicly accessible URL; it just serves as a unique identifier for your application’s claims.
Here is an example of a corrected Post Login Action:
/**
 * Handler that will be called during the execution of a PostLogin flow.
 *
 * @param {Event} event - Details about the user and the context in which they are logging in.
 * @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login flow.
 */
exports.onExecutePostLogin = async (event, api) => {
  // Define a namespace for your custom claims.
  // This should be a URI you control; it does not have to resolve.
  const namespace = 'https://dublindatta.example.com/';

  // Set the custom claim on the access token using the namespace.
  // For example, let's add the user's roles from their app_metadata.
  // Optional chaining guards against app_metadata being absent, so the
  // Action does not throw (and fail the login) for users without it.
  const userRoles = event.user.app_metadata?.roles ?? [];
  api.accessToken.setCustomClaim(`${namespace}roles`, userRoles);
};
After updating your Action with a namespaced claim like the one above, please Deploy the change and try logging in again. When you decode your new access token (for example, using a site like jwt.io), you should see your claim present.
Decoded JWT Payload Example:
{
  "https://dublindatta.example.com/roles": [
    "editor",
    "contributor"
  ],
  "iss": "https://your-tenant.auth0.com/",
  "sub": "auth0|xxxxxxxxxxxxxxxxxxxxxxxx",
  "aud": [
    "https://your-api-identifier.com/",
    "https://your-tenant.auth0.com/userinfo"
  ],
  // ... other standard claims
}
You can read more about this by following this link to our documentation:
If you have any other questions, feel free to reach out!
Have a good one,
Vlad
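Two checks that follow from the answer above, as an added example (this is not code from the post or from Auth0; it is a stand-alone Node.js script). First, a small helper that builds the claim name and throws if the namespace is not an http(s) URI or the bare name shadows a registered JWT/OIDC claim, so a mistake fails loudly in testing instead of the claim being silently dropped from the token. Second, a base64url decoder that does what pasting the token into jwt.io does, plus an audit that lists which non-standard claims in a payload are namespaced and which are not. The namespace, the helper names and the sample token are assumptions; the token is constructed inline and carries a placeholder instead of a signature.

```javascript
// Added example, not from the Auth0 Community post above and not Auth0's code.
// Node.js >= 15.7 (for the 'base64url' Buffer encoding).

// Registered JWT / OIDC claim names (RFC 7519 s4.1, OIDC Core s2 and s5.1)
// that a custom claim must never shadow.
const RESERVED_CLAIMS = new Set([
  'iss', 'sub', 'aud', 'exp', 'nbf', 'iat', 'jti',
  'azp', 'nonce', 'auth_time', 'at_hash', 'c_hash', 'acr', 'amr', 'scope',
]);

/**
 * Build a namespaced claim name such as "https://dublindatta.example.com/roles".
 * `namespace` is assumed to be an http(s) URI you control; it need not resolve.
 * Throws instead of returning a name Auth0 would drop or that collides with a
 * reserved claim.
 */
function namespacedClaim(namespace, name) {
  if (typeof name !== 'string' || name === '' || name.includes('/')) {
    throw new Error(`invalid claim name: ${JSON.stringify(name)}`);
  }
  if (RESERVED_CLAIMS.has(name)) {
    throw new Error(`"${name}" is a reserved OIDC/JWT claim name`);
  }
  let url;
  try {
    url = new URL(namespace);
  } catch {
    throw new Error(`namespace is not an absolute URI: ${namespace}`);
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    throw new Error(`namespace must be an http(s) URI, got ${url.protocol}`);
  }
  const base = namespace.endsWith('/') ? namespace : `${namespace}/`;
  return `${base}${name}`;
}

/** True if a claim name is itself an http(s) URI with a name part, i.e. namespaced. */
function isNamespaced(claimName) {
  try {
    const u = new URL(claimName);
    return (u.protocol === 'https:' || u.protocol === 'http:') && u.pathname.length > 1;
  } catch {
    return false;
  }
}

/**
 * Decode the payload of a compact JWT WITHOUT verifying the signature.
 * This is only for inspecting what the token contains (like jwt.io does);
 * never make an authorization decision on the result. Verify first.
 */
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

/** List the non-reserved claims in a payload, split by whether they are namespaced. */
function auditCustomClaims(payload) {
  const report = { namespaced: [], unnamespaced: [] };
  for (const name of Object.keys(payload)) {
    if (RESERVED_CLAIMS.has(name)) continue;
    (isNamespaced(name) ? report.namespaced : report.unnamespaced).push(name);
  }
  return report;
}

// Constructed sample token (assumption, not a real Auth0 token): the third
// segment is a placeholder, not a signature. The payload mirrors the decoded
// example in the post above.
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}
const NAMESPACE = 'https://dublindatta.example.com/';
const SAMPLE_TOKEN = [
  b64url({ alg: 'RS256', typ: 'JWT' }),
  b64url({
    [namespacedClaim(NAMESPACE, 'roles')]: ['editor', 'contributor'],
    iss: 'https://your-tenant.auth0.com/',
    sub: 'auth0|xxxxxxxxxxxxxxxxxxxxxxxx',
    aud: ['https://your-api-identifier.com/', 'https://your-tenant.auth0.com/userinfo'],
    iat: 1700000000,
    exp: 1700086400,
  }),
  'signature-placeholder',
].join('.');

const payload = decodeJwtPayload(SAMPLE_TOKEN);
console.log(auditCustomClaims(payload));
// { namespaced: [ 'https://dublindatta.example.com/roles' ], unnamespaced: [] }
```

In an Action you would write `api.accessToken.setCustomClaim(namespacedClaim(namespace, 'roles'), roles)`; because an uncaught exception in a Post Login Action fails the login, exercise the helper in the Action's Test tab before deploying so a bad namespace is caught there rather than in production. The decoder is deliberately unverified: use it to confirm the claim landed, not to trust its value.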