Non-namespaced custom claims in app_metadata or user_metadata


I received the email from Auth0 regarding the upcoming change with the private custom claims for Actions/Rules/Hooks.

  1. I checked on all my tenants with the provided log query and had no results on each.
  2. I checked all rules/hooks/actions on each tenant and they are all already using namespaced custom claims on tokens.
  3. Custom claims don’t appear to be larger than 100KB.

The only place where we’re not using namespaced claims is in user.app_metadata and user.user_metadata. Should we namespace the claims there as well or is it not needed?

Is there anything I’m missing?

Thank you for your help.

Hello @jonas.pauthier,

Thanks for reaching out to the Auth0 Community!

It depends on whether you want the user.app_metadata and user.user_metadata appended to your access token/ID token. If you do not intend to use the information after decoding the access token/ID token, then it will not be necessary to include them.

On the contrary, if you intend to use the user_metadata or app_metadata for some logic, I recommend appending the user_metadata and app_metadata as custom claims to your tokens.

In short, you will only need namespaced custom claims if you intend to append them to an access token or ID token.

I hope that helps clarifies your questions.

Please let me know if you have any additional questions. I’d be happy to help.


Thank you @rueben.tiow for your answer.

I guess we only need the top level claim property to be namespaced. Something like this is fine, isn’t it?

// event.user.app_metadata is in the form
// { property1: "value1", property2: { property3: "value2" } }

api.accessToken.setCustomClaim("", event.user.app_metadata)
1 Like

Hi @jonas.pauthier,

Thank you for your reply!

Yes, that should be fine :clap:! That should append the entire app_metadata object as a custom claim.

Please reach out again if you have any questions. I’d be happy to help!


1 Like

Alright, thank you @rueben.tiow.

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.