Hey everyone! I’m using Auth0 Post Login Actions to set a custom claim (mfaVerified = true/false) in the access token based on whether a user was challenged with MFA during login. I want this status/custom claim to persist in new access tokens issued during refresh token exchanges (since it’s the s…

Hi @daniel.bozinovski I am sorry about the delayed response to your inquiry! You should be able to bypass MFA on token refresh by adding this line of code inside a PostLogin Trigger: if (event.transaction.protocol === "oauth2-refresh-token") { //code to persist custom claim comes here ret…

How to Persist MFA Verification Status in Access Token During Refresh Token Exchange in Auth0 Actions?

Get Help

daniel.bozinovski July 17, 2025, 2:33am 4

Hey @nik.baleca , thanks for the reply again!

That make sense. How do you advise persisting the custom claim? Should it be saved to app/user metadata and then extracted during exchanges?

Thanks!

Topic		Replies	Views
Will Access Tokens Received Via Refresh Token Contain the Custom Claims Knowledge Articles refresh-token , custom-claims	1	365	April 2, 2024
Persistent custom claims in Access Token when using Refresh Tokens Get Help extensibility , actions-extensibility	3	1402	December 22, 2023
What is the correct way to require MFA for ONLY auth0 connections? Get Help mfa , mfa-api	3	2686	January 11, 2023
"mfa_required" error instead of using refresh token with Actions Knowledge Articles mfa , extensibility , actions	1	4177	June 14, 2022
If amr claim is only available in the ID Token how can I validate the Access Token to check for MFA? Get Help mfa , mfa-api	2	49	May 23, 2025

How to Persist MFA Verification Status in Access Token During Refresh Token Exchange in Auth0 Actions?

Related topics