It says in docs that an authenticated user can edit user_metadata but not app_metadata. OK.
But where/how does a user edit his/her user_metadata?
Using our universal login with the lock widget…?
By accessing Auth0 API (for a tech savvy user)?
Some general Auth0 web interface somewhere?
Or is it unavailable until we, ourselves, explicitly provide a user interface for this purpose?
We have some attributes that we probably want the user to be able to update, e.g. phone number, but we would at least want to have some audit support and perhaps even a notification when the user makes such changes. This is no problem if we have full control over the user interface ourselves, but if there are other “ways in” for an authenticated user, we may have a problem. Hence the question.
A user can perform certain actions on their metadata if you provide a means for them to do so. For example, if you have a form which accepts a street address and saves it to user_metadata, then the user is performing an action to save this data via a POST request to Authentication API Explorer.
Because this is only a POST request, however, there is no way for a user to further modify this data unless you build something which allows it. This would mean a regular web application which uses the backend to update the user’s data in the Management API, based on something like them having the required scopes.
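As an added illustration (not code from the question, the answer or Auth0), here is one way a backend could gate a self-service change before forwarding it to the Management API `PATCH /api/v2/users/{id}` endpoint while producing the audit entry the question asks for. The field allowlist, function name, tenant domain and record layout are assumptions; the request is only built, not sent.

```python
import json
from datetime import datetime, timezone
from urllib.parse import quote

# Assumption: the only user_metadata keys this application lets users change.
EDITABLE_FIELDS = {"phone_number", "street_address"}


class RejectedUpdate(ValueError):
    """The submitted form contained something the backend will not forward."""


def build_metadata_update(domain, session_user_id, current, requested):
    """Validate a self-service change; return (patch_request, audit_record).

    session_user_id must come from the server-side session (the `sub` of the
    logged-in user), never from the form, so users can only edit themselves.
    """
    unknown = set(requested) - EDITABLE_FIELDS
    if unknown:
        raise RejectedUpdate(f"fields not editable: {sorted(unknown)}")
    for field, value in requested.items():
        if not isinstance(value, str) or not 0 < len(value) <= 200:
            raise RejectedUpdate(f"invalid value for {field}")

    changes = {f: v for f, v in requested.items() if current.get(f) != v}
    if not changes:
        return None, None  # nothing to send, nothing to audit

    patch_request = {
        "method": "PATCH",
        # Auth0 user ids contain "|", which must be percent-encoded in the path.
        "url": f"https://{domain}/api/v2/users/{quote(session_user_id, safe='')}",
        # The backend adds its own Management API token here; the browser never sees it.
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps({"user_metadata": changes}),
    }
    audit_record = {
        "time": datetime.now(timezone.utc).isoformat(),
        "user_id": session_user_id,
        "changes": [{"field": f, "old": current.get(f), "new": v}
                    for f, v in sorted(changes.items())],
    }
    return patch_request, audit_record
```

Persist the audit record and trigger any notification only after the PATCH call has succeeded, so the log reflects changes that actually took effect.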