Manage User Metadata and App Metadata


I have a issue with Auth0 user management.
Following is the user case.
I have three application is Auth0

  1. Management API
  2. Machine to Machine application
  3. Single page application.

I also have two database connection

  1. Database A
  2. Database B
    Note: Both the database connection in Auth0 are connected to a common database is AWS.

I am also making use of App_metadata and User_Metadata to build tokens.

I am observing the following behaviour.
When i login using Single page application [], I am adding some information in App_metadata and User_metadata. Single page application is connected to Database A

When i login using Machine to Machine application [I have my own login logic in the backend and i am using Auth0 to authenticate], some information is added to User and App metadata.

The problem i face is in User management.
Application 1: When i login using SPA a user is added in User Management → Users [with, Connection: Database A].
Application 2: When i login using M to M a user is added in User Management → Users [with, Connection: Database B].
But when i login using Application 2, Application 1 App and User metadata is also getting updated which in-turn causes issue when new access token is issued.
Application 1 is creating a new access token using App and User metadata which was recently updated.
Will it be possible to make sure Application 1 and Application 2 [App and User metadata] remains distinct and only updated respective one.

Hi @walter.adbe,

Thanks for reaching out to the Auth0 Community!

It appears that the way you have written your Post-Login Action script to append user_metadata and app_metadata properties to the access token, does not consider the condition where the user is authenticating against the SPA or M2M.

Consider using a conditional statement to check which app the user is authenticating against when appending custom claims. For example:

exports.onExecutePostLogin = async (event, api) => {
  const namespace = "http://yourNamespace/";
    if( === 'SPA'){
      api.accessToken.setCustomClaim(`${namespace}user_metadata`, event.user.user_metadata)
      api.accessToken.setCustomClaim(`${namespace}app_metadata`, event.user.app_metadata)
    } else if ( === 'M2M'){
      api.accessToken.setCustomClaim(`${namespace}user_metadata`, event.user.user_metadata)
      api.accessToken.setCustomClaim(`${namespace}app_metadata`, event.user.app_metadata)

Doing it this way will only append custom claims based on the application the user logs into.

Please let me know if you have any questions.


This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.