Hello,
I received the email from Auth0 regarding the upcoming change with the private custom claims for Actions/Rules/Hooks.
- I checked on all my tenants with the provided log query and had no results on each.
- I checked all rules/hooks/actions on each tenant and they are all already using namespaced custom claims on tokens.
- Custom claims don’t appear to be larger than 100KB.
The only place where we’re not using namespaced claims is in user.app_metadata and user.user_metadata. Should we namespace the claims there as well or is it not needed?
Is there anything I’m missing?
Thank you for your help.
Hello @jonas.pauthier,
Thanks for reaching out to the Auth0 Community!
It depends on whether you want the user.app_metadata and user.user_metadata appended to your access token/ID token. If you do not intend to use the information after decoding the access token/ID token, then it will not be necessary to include them.
On the contrary, if you intend to use the user_metadata or app_metadata for some logic, I recommend appending the user_metadata and app_metadata as custom claims to your tokens.
In short, you will only need namespaced custom claims if you intend to append them to an access token or ID token.
I hope that helps clarifies your questions.
Please let me know if you have any additional questions. I’d be happy to help.
Thanks,
Rueben
Thank you @rueben.tiow for your answer.
I guess we only need the top level claim property to be namespaced. Something like this is fine, isn’t it?
// event.user.app_metadata is in the form
// { property1: "value1", property2: { property3: "value2" } }
api.accessToken.setCustomClaim("https://myDomain.com/metadata", event.user.app_metadata)
Hi @jonas.pauthier,
Thank you for your reply!
Yes, that should be fine 
! That should append the entire app_metadata object as a custom claim.
Please reach out again if you have any questions. I’d be happy to help!
Thanks,
Rueben
Alright, thank you @rueben.tiow.