Getting a user's email from an access token

I’m taking my first steps learning Auth0 and have got a sample website ( Core Razor pages) set up to call an API by following Securing Razor Pages Applications with Auth0 and Authorization for ASP.NET Core Web APIs (

I can log in, get an access token, pass it to the secured API and the API runs. Great.

But how do I know who has called the API? The access token doesn’t tell me, i.e. I cannot see the user’s email address.

I’ve tried adding a custom action to add the user email to the access token with this code:

exports.onExecutePostLogin = async (event, api) => {
// This adds the authenticated user’s email address to the access token.
if (event.authorization) {
const namespace = ‘’;

But it hasn’t worked.

Also thought I could use “Get user info” to get the user details given the access token, before realising I don’t know how to get to the token in the Web Api.

Many forum posts advise about “rules” which are no longer available.

Please advise!



Hello @stuartp welcome to the community!

You can also rely on the sub claim included in the access and/or ID token. This is just the user’s ID in Auth0.

You have the right idea adding an email claim via an Action - You should be able to simplify it even further as email is not a restricted claim and can therefore be used directly:

exports.onExecutePostLogin = async (event, api) => {
  if (event.authorization) {

I’m not able to tell by what you’ve shared, but you do also need to include the email scope if you aren’t already - Please see the following:

Thanks :slight_smile:

I don’t have a “sub” claim in the returned token.

I’ve simplified the action but am not getting the email address.

I’ve updated my Program.cs to read:

     options.Domain = builder.Configuration["Auth0:Domain"];
     options.ClientId = builder.Configuration["Auth0:ClientId"];
     options.ClientSecret = builder.Configuration["Auth0:ClientSecret"];
     options.Scope = "openid profile email";
 }).WithAccessToken(options =>
     options.Audience = "https://localhost:7251";
type or paste code here

So this should request the email scope…?

What I have noticed on the test page is that if the user is not logged in, an access token is still returned. I don’t understand how that can be. Is it possible I am not requesting an access token for the logged in user? This is how I am requesting it:

Auth0Token authToken = new();
    authToken = await "".WithHeader("content-type", "application/x-www-form-urlencoded").PostUrlEncodedAsync(new
        grant_type = "client_credentials",
        client_id = "<clientID>",
        client_secret = "<clientSecret>",
        audience = "https://localhost:7251"
catch (FlurlHttpException flEx)
    string error = await flEx.GetResponseStringAsync();
1 Like

Thanks for the additional info!

You’re thinking is exactly correct - This code is using a client credentials flow and therefore the access token returned is considered M2M (i.e. no user involved, just the authorized client). Are you using an Auth0 SDK at all on the web application side of things? I am unfortunately not a .NET expert, but the gist of it is outlined here in ASP .NET Core SDK example.

I was so close :smiley:
Like two lines of code close.
It is working now - I have the email address of the caller in the API.
Thanks for all your help :slight_smile:

1 Like

Awesome! Good to know and thanks for following up here :slight_smile:

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.