How to add user meta data and app meta data in access token?

  1. I am trying to get app metadata and user metadata using the access token with UserNameAndPassword authentication.
  2. But I am getting role information alone when decoding my access token.
  3. Added the rule script below:

function (user, context, callback) {
  const namespace = '';
  const assignedRoles = (context.authorization || {}).roles;

  let idTokenClaims = context.idToken || {};
  let accessTokenClaims = context.accessToken || {};

  // Roles are written to both the ID token and the access token
  idTokenClaims[`${namespace}/role`] = assignedRoles;
  accessTokenClaims[`${namespace}/role`] = assignedRoles;

  context.idToken = idTokenClaims;
  context.accessToken = accessTokenClaims;

  // Metadata is written to the ID token only
  if (context.idToken && user.user_metadata) {
    context.idToken[namespace + 'user_metadata'] = user.user_metadata;
  }
  if (context.idToken && user.app_metadata) {
    context.idToken[namespace + 'app_metadata'] = user.app_metadata;
  }

  return callback(null, user, context);
}

  1. Curl command

    curl --request POST \
      --url 'https://domain/oauth/token' \
      --header 'content-type: application/x-www-form-urlencoded' \
      --data grant_type=password \
      --data password=pwd \
      --data audience=https://domain/api/v2/ \
      --data 'client_id=bdskjafdf' \
      --data 'scope=openid profile email phone' \
      --data client_secret=nfnkdfndndfn

  2. Decoded sample response

{": [
"iss": "",
"sub": "auth0|00000000070688462",
"aud": [
"iat": 164650,
"exp": 1646050,
"azp": "sbdkjbskjkn",
"scope": "openid profile email address phone read:current_user update:current_user_metadata delete:current_user_metadata create:current_user_metadata create:current_user_device_credentials delete:current_user_device_credentials update:current_user_identities",
"gty": "password"

  1. Need clarification: what URL needs to be passed in the rule's const namespace = '';

Hello @selvi, welcome to the community!

You can read more about namespaced claims here, but the namespace is more or less simply to ensure that claims don’t collide with reserved claims nor claims from other resources.

It looks like you’re adding these claims to the ID Token here whereas you shared what seems to be an access token. Can you confirm whether or not they exist in the ID Token?

Let us know!
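
The ID token versus access token distinction raised in the reply above, shown as an added example that is not part of either post: a rule of the same shape that writes the namespaced claims to both tokens. The namespace `https://example.com/`, the function name `addMetadataClaims` and the sample user and context are assumptions made up for illustration.

```javascript
// Added example. NAMESPACE is a placeholder: substitute a URL you control.
const NAMESPACE = 'https://example.com/';

// Same (user, context, callback) shape as the rule in the question;
// the name addMetadataClaims is hypothetical.
function addMetadataClaims(user, context, callback) {
  const claims = {
    role: (context.authorization || {}).roles,
    user_metadata: user.user_metadata,
    app_metadata: user.app_metadata,
  };

  context.idToken = context.idToken || {};
  context.accessToken = context.accessToken || {};

  for (const [name, value] of Object.entries(claims)) {
    if (value === undefined || value === null) continue; // nothing to add
    // idToken and accessToken are separate objects: a claim written to one
    // never shows up in the other, so each token is set explicitly.
    context.idToken[NAMESPACE + name] = value;
    context.accessToken[NAMESPACE + name] = value;
  }
  return callback(null, user, context);
}

// Constructed sample input so the rule can be exercised outside Auth0.
function runSample() {
  const user = { user_metadata: { locale: 'en' }, app_metadata: { plan: 'basic' } };
  const context = { authorization: { roles: ['admin'] } };
  let result;
  addMetadataClaims(user, context, (err, u, ctx) => { result = ctx; });
  return result;
}

console.log(JSON.stringify(runSample().accessToken, null, 2));
```

A JWT access token can be read by any party that holds it, so in practice copy only the `app_metadata` fields the API needs rather than the whole object.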

