Hey everyone!
I’m using Auth0 Post Login Actions to set a custom claim (mfaVerified = true/false) in the access token based on whether a user was challenged with MFA during login. I want this status/custom claim to persist in new access tokens issued during refresh token exchanges (since it’s the same session). However, during refresh flows, event.authentication.methods is empty, so I can’t re-evaluate MFA status directly.
Is there a recommended way to persist session-specific data like MFA status across refresh token exchanges in Auth0 Actions, or a better approach to handle this use case without incorrectly carrying over the status to new sessions after logout?
Any insights or best practices would be appreciated!