I have a similar question to this (which was not answered AFAIK):
I have a SPA that connects to my API. After the user signs in using Auth0 on the SPA I now have an access token that I send along as an Authentication: Bearer header to my API. On the API end I define users by a unique ID, the unique ID is their email address. With every request to my API the SPA sends the access token and the email address of the user. I can trust that the profile information (including email) is okay on the SPA side of things (because the access token and profile information come from Auth0), but on the API end, I can’t assume that the email address sent is the one associated with the access token.
I can get the user profile information (including email) using the access token and the Auth0 API endpoint /userinfo. BUT, that is rate limited, so I can’t do that with every request to my API.
I see that we can get user information from refresh_tokens:
But getting a refresh token requires sending the code returned during the login process. I’ll need to store that in the database for each user and make a request to /userinfo again to get that information (running into the rate limiting problem again).
TLDR: how can I get the user info from an access token without using /userinfo? Perhaps by adding the email attribute to the access token with a rule?
“For this profile, Auth0 would normally return the following ID Token claims to your application:”
But I don’t get the ‘email’ or ‘email_verified’ fields.
Sending the email with the request is a solution too. It is going to depend on how you want to handle it. Glad you are thinking about different solutions and thank you for sharing them with the community.