Overview
This article explains why custom claims added via an Auth0 Action do not appear in access tokens issued for the Auth0 Management API. This issue occurs when an Action is configured to add custom claims, but upon inspection, the resulting access token requested for the Management API audience is missing these claims.
Steps to Reproduce
- Configure an Auth0 Action to add custom claims to an access token.
- Request an access token for the Auth0 Management API using the appropriate audience.
- Inspect the token — the custom claims added in the Action will be missing.
Applies To
- Auth0 Actions
- Custom Claims
- Auth0 Management API
Cause
This is expected behavior. To maintain platform integrity and security, Auth0 prohibits the addition of custom claims to access tokens intended for the Auth0 Management API. The Management API is a system-level interface that accesses sensitive platform resources, such as users, roles, and client configurations. Enforcing strict controls over its access tokens, including disallowing custom claims, protects these resources and ensures consistent behavior across all tenants.
Solution
While custom claims cannot be added to access tokens for the Auth0 Management API, they can be added to access tokens intended for custom APIs. When issuing tokens for a custom API defined within the tenant, Auth0 Actions can be used to add custom claims as required.
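The following post-login Action is an added example, not code from Auth0 or the original article: it sets custom claims only when the requested audience is an allowlisted custom API, so a Management API request is skipped explicitly. The audience `https://orders.example.com/api`, the claim namespace `https://example.com/claims`, and the `addCustomClaims`, `recordingApi` and `sampleEvent` helpers are assumptions made for illustration.

```javascript
// Added example, not Auth0's own code. The audience values and the claim
// namespace below are assumptions; replace them with your tenant's values.
const CUSTOM_API_AUDIENCES = new Set(['https://orders.example.com/api']);
const NAMESPACE = 'https://example.com/claims';

// Decision logic, kept synchronous so it can be unit-tested.
// Returns the names of the claims it set (empty array when it skipped).
function addCustomClaims(event, api) {
  const audience = event.resource_server && event.resource_server.identifier;
  // Allowlist rather than denylist: only known custom APIs get claims, so the
  // Management API audience (https://<tenant-domain>/api/v2/) never matches.
  if (!audience || !CUSTOM_API_AUDIENCES.has(audience)) return [];
  const claims = {
    [`${NAMESPACE}/roles`]: (event.authorization && event.authorization.roles) || [],
    [`${NAMESPACE}/org`]: ((event.user && event.user.app_metadata) || {}).org || null,
  };
  for (const [name, value] of Object.entries(claims)) {
    api.accessToken.setCustomClaim(name, value);
  }
  return Object.keys(claims);
}

// Post-login Action entry point.
const onExecutePostLogin = async (event, api) => {
  addCustomClaims(event, api);
};
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// Constructed stand-in for the Actions `api` object, for local dry runs only.
function recordingApi() {
  const set = {};
  return { set, accessToken: { setCustomClaim: (k, v) => { set[k] = v; } } };
}

// Constructed event: the same user requesting a token for a given audience.
function sampleEvent(audience) {
  return {
    resource_server: { identifier: audience },
    authorization: { roles: ['billing-admin'] },
    user: { app_metadata: { org: 'acme' } },
  };
}
```

Running `addCustomClaims` against `sampleEvent(...)` with a `recordingApi()` stub for each audience shows which requests would carry the claims before the Action is deployed.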