How large can custom claims be for IdToken?


A quick question,

What is the maximum size limit for adding a custom claim to an idToken? I’m debating whether I should use roles and permissions via the custom claims and IdToken, or just use the Management API via an Express app. I know I’ll be limited via the rate limit for the Management API, and I don’t expect to hit that rate limit consistently.

Just curious about the possibilities that I have, any suggestions are welcome.


Hey there!

Not sure, but let me check that for you!

In our official docs there is no information about the limit:

but I also found this one:

which might be helpful.

Hi @konrad.sopala,

Thanks for the answer. As noted in one of the Stack Overflow answers, people have mentioned 8k for the HTTP header size limit, which makes sense. OK, I’ll start off with putting the roles and permissions in the idToken via a rule. If it goes wild then I’ll consider using a backend server to make calls to get roles and permissions for a user.

Sure! Makes sense! Let us know if you have any other questions down the road!
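
An added example (not from the thread or from Auth0) that estimates how much room roles and permissions claims leave under the 8k header figure mentioned above. The claim namespace, sample values, the RS256 signature size and the assumption that the token travels in an `Authorization` header are all constructed for illustration.

```javascript
// Added example. All values below are constructed, not taken from the thread.
const HEADER_BUDGET = 8192;          // the "8k" figure from the thread; real limits vary per server/proxy
const SIG_BYTES = 256;               // assumption: RS256 with a 2048-bit key
const NS = 'https://example.com/';   // assumption: namespaced custom claims

const b64url = (s) => Buffer.from(s, 'utf8').toString('base64')
  .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');

// Claims as a rule might set them on the ID token.
function buildPayload(roles, permissions) {
  return {
    iss: 'https://tenant.example/', sub: 'auth0|constructed-user',
    aud: 'constructed-client-id', iat: 1700000000, exp: 1700036000,
    [NS + 'roles']: roles,
    [NS + 'permissions']: permissions,
  };
}

// Length of header.payload.signature without needing a signing key.
function estimateIdTokenSize(payload) {
  const header = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT', kid: 'constructed-kid' }));
  const body = b64url(JSON.stringify(payload));
  const sig = Math.ceil((SIG_BYTES * 4) / 3); // unpadded base64url length
  return header.length + 1 + body.length + 1 + sig;
}

// Size of the full header line if the token is sent as a bearer token.
function authHeaderSize(payload) {
  return 'Authorization: Bearer '.length + estimateIdTokenSize(payload);
}

const samplePermissions = (n) =>
  Array.from({ length: n }, (_, i) => `resource${i}:read`);

// Largest permission count that still fits the budget for the given roles.
function maxPermissions(roles, budget = HEADER_BUDGET) {
  let n = 0;
  while (authHeaderSize(buildPayload(roles, samplePermissions(n + 1))) <= budget) n++;
  return n;
}

const roles = ['admin', 'editor'];
console.log('bytes with 20 permissions:', authHeaderSize(buildPayload(roles, samplePermissions(20))));
console.log('permissions that fit under 8k:', maxPermissions(roles));
```

Some servers apply their limit to all request headers combined, so cookies and other headers reduce the room left for the token.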