Metadata and ID Token query

Hi @parthp,

Thanks for reaching out to the Auth0 Community!

There is no functional difference between storing the user data in the app_metadata or user_metadata properties, only a semantic difference.

The difference between app_metadata and user_metadata is that the first should be used for information about the user that is controlled by the application (e.g. the user identifier for a legacy system, or the roles a user has), whereas user_metadata is information that the user can view and control (e.g. user settings, preferences). [Reference: Differences between client_metadata and app_metadata]

This should be fine and is not a security risk as long as the member# is considered non-confidential information. If it is considered confidential information, then it is not recommended to store this information in the token as a custom claim.

I hope that helps!

Please reach out again if you have any further questions.

Thanks,
Rueben
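
An added example, not part of the reply above and not Auth0's code: a Node.js check that reads an ID token's claims the way any holder of the token can, without a key, and reports which custom claims are on a list you have classified as confidential. The claim namespace, claim name, member number and token below are constructed for illustration.

```javascript
// Claims defined for ID tokens by OpenID Connect / JWT; anything else is custom.
const STANDARD_CLAIMS = new Set([
  'iss', 'sub', 'aud', 'exp', 'iat', 'nbf', 'jti', 'auth_time', 'nonce',
  'acr', 'amr', 'azp', 'at_hash', 'c_hash', 'sid', 'name', 'nickname',
  'picture', 'email', 'email_verified', 'updated_at',
]);

// Helper used only to build the constructed sample token below.
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
  .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');

// Decode the payload segment. No key or secret is involved: the signature
// protects integrity only, so every holder of the token can do this.
function readClaims(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// List the custom claims in the token and those the caller treats as confidential.
function auditIdToken(idToken, confidentialClaims) {
  const claims = readClaims(idToken);
  const custom = Object.keys(claims).filter((k) => !STANDARD_CLAIMS.has(k));
  const exposed = custom.filter((k) => confidentialClaims.includes(k));
  return { custom, exposed };
}

// Constructed sample: header, payload with one namespaced custom claim,
// and a placeholder signature (never verified here, which is the point).
const SAMPLE_TOKEN = [
  b64url({ alg: 'RS256', typ: 'JWT' }),
  b64url({
    iss: 'https://tenant.example/',
    sub: 'auth0|constructed-user',
    aud: 'constructed-client-id',
    iat: 1700000000,
    exp: 1700036000,
    'https://app.example/member_number': 'M-000123',
  }),
  'constructed-signature',
].join('.');

console.log(auditIdToken(SAMPLE_TOKEN, ['https://app.example/member_number']));
```

A non-empty `exposed` list means a value you consider confidential is readable by the browser, the application and anything that logs or caches the token.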