How to read app_metadata from SPA SDK?

I wrote a rule which works.

The rule adds an app_metadata node to the user object. When I log in to the Auth0 management UI, navigate to Users and click Raw JSON, I see the data.

I am using the SPA SDK, latest version. My code logs in correctly. Calls getUser. I can see the other object in the debugger. I don’t see the app_metadata object.

I read this post

Is it not possible to simply read the entire user object from the SPA SDK?

Is the only way to see user_metadata or app_metadata to copy it in a rule by storing it through context.idToken["somestring"]?

If so, what is the point of the app_metadata and user_metadata properties?

Are they only for the Management API and not the SPA SDK?



Hi @mindmodel,

I’m not sure whether you can map the entire user object or not, but as you have seen you can copy the entire app_metadata and user_metadata objects in. I believe it is considered best practice to copy just the attributes you need into your ID and / or access tokens, keeping the size of the token down, and limiting the amount of data in the token.

You can also query user profile data from the /userinfo endpoint.

Typically what I do is copy commonly used attributes into the ID token, and leave it up to individual apps to query /userinfo for anything else they need.


Thank you for your reply.

You mention the /userinfo endpoint.

I’m writing an HTML/JS app. No server-side, so no place to hide secrets.

I’m using the SPA SDK.

Unless I misunderstand, the /userinfo endpoint is in the Authentication API. I’m trying to wrap up my work and get it done with the SPA SDK. I’m already logged in, trying to get the app_metadata. Would using the Authentication API mean a whole separate login process and a separate REST call via a new XHR object?

Going a bit on memory here, but I believe you just need the access token from the authentication to query the userinfo endpoint. This should work whether you are using the implicit grant flow (not recommended) or auth code + PKCE (recommended). I think the easiest thing to do is to include the data in your ID token and / or access token on login.

OK, got it working. Thanks!

For anyone watching at home, once you’ve got the object allocated, the code in the Rule to store it looks like this

context.idToken[''] = user.app_metadata.userAccount;

When my SDK API code reads the user object, as usual, no extra work required, the user object contains a property whose name is the same as the key used to access the idToken object in the line above.

var foo = user['']

reads the object in the client code.

The Rule editor complains that I should use dot notation rather than a string key, but I wasn’t able to get that to work.

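The pattern from this thread as an added example (not code from any poster or from Auth0): a Rule that copies only allowlisted `app_metadata` fields into the ID token under a URL-style key, and client code that reads the claim back. The key in the thread's snippet is empty, so `https://example.com/` is a placeholder; `ALLOWED_FIELDS`, the helper names and the sample user are constructed for illustration.

```javascript
// Added example. NAMESPACE, ALLOWED_FIELDS and all sample data are assumed/constructed.
const NAMESPACE = 'https://example.com/';   // placeholder: a URL you control
const ALLOWED_FIELDS = ['userAccount'];     // app_metadata keys allowed into the token

// Rule body, using the (user, context, callback) signature Auth0 Rules use.
function addAppMetadataClaims(user, context, callback) {
  const meta = user.app_metadata || {};
  context.idToken = context.idToken || {};
  for (const field of ALLOWED_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(meta, field)) {
      // The key contains ':' and '/', so only bracket notation can address it.
      context.idToken[NAMESPACE + field] = meta[field];
    }
  }
  callback(null, user, context);
}

// Client side: the claim sits on the profile object under the same key.
function readClaim(profile, field) {
  const key = NAMESPACE + field;
  return Object.prototype.hasOwnProperty.call(profile, key) ? profile[key] : undefined;
}

// An ID token payload is base64url-encoded JSON, readable without any key.
function decodePayload(jwt) {
  const part = jwt.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(part, 'base64').toString('utf8'));
}

// Constructed stand-in for the login pipeline: run the rule, then build a
// token-shaped string (placeholder signature) from the resulting claims.
function simulateLogin() {
  const user = {
    user_id: 'auth0|constructed-user',
    app_metadata: { userAccount: { id: 42, plan: 'pro' }, internalNote: 'staff only' },
  };
  const context = { idToken: {} };
  let claims;
  addAppMetadataClaims(user, context, (err, u, c) => { claims = c.idToken; });
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return [b64({ typ: 'JWT' }), b64({ sub: user.user_id, ...claims }), 'sig-placeholder'].join('.');
}

const profile = decodePayload(simulateLogin());
console.log(readClaim(profile, 'userAccount'));   // the allowlisted claim
console.log(readClaim(profile, 'internalNote'));  // never copied into the token
```

Because the payload decodes without any key, everything the rule copies is visible to whoever holds the token, which is why the allowlist leaves `internalNote` out.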