decoding the id token

Is it possible/safe to access/edit claims from the id_token in your client, and if so, how?

Suppose I’m making a game and I want to keep track of the user’s score. I’d want to be able to increase/decrease the score on certain events, like a button click or collision detection. If I store this in app_metadata, can I access this in my client application, and can I update this such that it updates in Auth0’s database? Or should I make a separate resource server that has a copy of all my users’ non-auth related data and store/update it there?

In short, it claims in the id_token are meant (and encouraged) to be read in your client - this is one of the benefits of using JWT based authentication. As for editing, you wouldn’t edit the claim as such, but would instead need to update the user profile user_metadata or app_metadata]1, depending where you are storing the required attribute.

Updating the metadata will need to be done via the Management API Update User endpoint. This can either be done directly from your client, by requesting an access_token with the update:current_user_metadata scope. This would show a consent screen to the user, to allow your game to update their user profile. This may not be a desirable UX, which would lead to option 2:

Proxy the request through your own API: Your client will make a call to your own API endpoint, which will obtain a Management API token and make the update call to the Management API - your client will not interact with the Management API directly. This might be a better UX for your users.

To request the attribute in the id_token, you can pass that custom claim through a Rule.