Metadata and ID Token query


I would like to know what would be the best place to store user data - member#. In a security context of our application, we consider member# one of PII fields. Now, depending on the member#, application controls the access of different modules. So, should it be stored in user_metadata or app_metadata? FYI, member# should only be added at the time of registration or can be updated by support team only. It cannot be updated by a member.

Another question is how if we store member# in ID token as a claim, can that considered to be a security risk? I am not sure if man-in-the-middle can retrieve ID token or not. But if they can then I will have to use management API to retrieve the user metadata.

Any suggestions are highly appreciated.

Hi @parthp,

Thanks for reaching out to the Auth0 Community!

There is no functional difference between storing the user data in the app_metadata or user_metadata properties, only a semantic difference.

The difference between app_metadata and user_metadata is that the first should be used for information about the user that is controlled by the application (e.g. the user identifier for a legacy system, or the roles a user has), whereas user_metadata is information that the user can view and control (e.g. user settings, preferences). [Reference: Differences between client_metadata and app_metadata]

This should be fine and is not a security risk as long as the member# is considered non-confidential information. If it is considered condifidential information, then it is not recommended to store this information in the token as a custom claim.

I hope that helps!

Please reach out again if you have any further questions.


This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.