Roles custom claim is empty after roles are set on user creation (via auto-import)

Problem statement

We have Auth0 Actions set up on the Login flow to do the following:

  1. Update a user’s roles from our CRM

  2. Add a custom claim to the user’s ID and access tokens.

When a user who already exists in Auth0 logs in, both actions perform correctly. If the user’s roles differ from their roles in our CRM, they are correctly added/removed, and the custom claims reflect the new set of roles. However, the first time a user logs in, the roles are added from the CRM, but when we set the custom claim from the user’s Auth0 roles, the custom claim was empty. As a workaround, we set the custom claim directly from an API call to our CRM, but it would be a cleaner solution if the custom claim could be set correctly on the first login.

Steps to reproduce

  1. Make a change to the user’s profile with a Management API client within an Action.
  2. Attempt to use the event object later in the Action flow and fetch the new values.
  3. The event object is not updated by Management Client changes, so it will require another login attempt to get the updated profile in the event object.

Cause

It appears any changes made to the current user via calling the Management API from an Action do not update the event object for future actions in the flow.

Solution

Changes made to the user’s profile by using a Management Client, such as in this example:

It updates the user’s profile but not the event object. Unfortunately, there isn’t a way to update the event object yet. Changes to the profile won’t be picked up until the next login.

The exception is using the built-in Action API object to set metadata, which will update the event object for that metadata:
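The following sketch is an added example, not code from the original article. It shows one way to use that exception so the roles claim is populated on a first login: the Action that syncs roles publishes them with `api.user.setAppMetadata`, and the Action that sets the claim reads them from `event.user.app_metadata` before falling back to `event.authorization.roles`. The namespace, the `crm_roles` key, the function names and the flow harness are assumptions constructed for illustration.

```javascript
// Added example. NAMESPACE, crm_roles and the constructed harness are assumptions.
const NAMESPACE = "https://example.com"; // assumed claim namespace

// Action 1, after the CRM lookup and the Management API role update (not shown):
// publish the roles through the built-in api object so later Actions can see them.
// app_metadata rather than user_metadata, because the value feeds authorization.
function publishSyncedRoles(api, crmRoles) {
  api.user.setAppMetadata("crm_roles", [...crmRoles].sort());
}

// Action 2: prefer the roles Action 1 published. event.authorization.roles is a
// snapshot from the start of the login and misses Management API changes.
function setRoleClaims(event, api) {
  const published = (event.user.app_metadata || {}).crm_roles;
  const snapshot = (event.authorization && event.authorization.roles) || [];
  const roles = Array.isArray(published) ? published : snapshot;
  api.idToken.setCustomClaim(`${NAMESPACE}/roles`, roles);
  api.accessToken.setCustomClaim(`${NAMESPACE}/roles`, roles);
  return roles;
}

// Constructed harness modelling the behaviour described on this page:
// setAppMetadata is reflected in event, Management API writes are not.
function simulateFirstLogin(crmRoles) {
  const event = {
    user: { user_id: "auth0|constructed", app_metadata: {} },
    authorization: { roles: [] }, // snapshot: the new user has no roles yet
  };
  const claims = { id: {}, access: {} };
  const api = {
    user: { setAppMetadata: (k, v) => { event.user.app_metadata[k] = v; } },
    idToken: { setCustomClaim: (k, v) => { claims.id[k] = v; } },
    accessToken: { setCustomClaim: (k, v) => { claims.access[k] = v; } },
  };
  const naive = event.authorization.roles.slice(); // what the original Action read
  publishSyncedRoles(api, crmRoles);
  const fixed = setRoleClaims(event, api);
  return { naive, fixed, claims };
}

console.log(simulateFirstLogin(["viewer", "editor"]));
```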