
Rule API changed without notice



Today we encountered an issue in our dev environment. After some digging it turned out that all the custom claims on our access_token were gone. So I started debugging the rule that provided these claims. Turns out that user.app_metadata was now undefined, though a new field user.metadata had the same content as user.app_metadata did previously.

Was this an intentional breaking change or is this a bug? Our production environment still works with the exact same rule contents.

Any insight into this issue would be very welcome.

We are using auth0-js - v8.7.0 (

  • The auth requests affected use the following endpoint, with parameters something like this:
  • response_type="id_token token"
  • response_mode=fragment
  • prompt=none
  • + scope, client_id, redirect_uri, state, nonce, audience
  • Database connection only
  • As far as I know, only I encountered it because no one else worked on this area before I made a fix to the rule. I can remove the fix and try with a few different users if necessary.
  • This happened every time from when I started to notice it. Since I adjusted the rule, I do not know if this still is an issue.

Update 2:
This just occurred now on our production environment:
Same behavior as dev environment. Seems to affect all users the same.


Hey man, I saw the same issue started to happen:


@csv Can you both please provide the following for me to investigate:

  • What API calls were made to authenticate?
  • What connection were the users part of (database connection, Facebook, Google, etc.)?
  • Does this happen for all users or only a select few?
  • Does this happen all the time or only occasionally?


@prashant I updated the question with the details I have. Let me know if you need further information for now.


Thanks for notifying us of this issue - the engineering team is already working on a fix. In the meantime, please use the following at the beginning of your Rule to accommodate both user.app_metadata and user.metadata:

var app_metadata = user.app_metadata || user.metadata;

//use `app_metadata` in Rule
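
Added example, not part of the original post and not Auth0's code: a full Rule built around the fallback above that copies a value from the metadata into a namespaced access_token claim and fails the login when neither field is present, so missing claims surface as an error rather than a token without them. The namespace URL, the `roles` field, the sample profiles and the `runRule` harness are assumptions made for illustration.

```javascript
// Added example, not from the thread. NAMESPACE and `roles` are assumptions.
const NAMESPACE = 'https://example.com/'; // hypothetical claim namespace

// Rule body as a named function so it can be run outside the Auth0 sandbox.
function addCustomClaims(user, context, callback) {
  // Workaround from the thread: accept either field name.
  const appMetadata = user.app_metadata || user.metadata;

  // Design choice of this example: fail the login instead of issuing an
  // access token that silently lacks the claims downstream APIs rely on.
  if (!appMetadata || typeof appMetadata !== 'object') {
    return callback(new Error('app_metadata missing from user profile'));
  }

  const roles = Array.isArray(appMetadata.roles) ? appMetadata.roles : [];
  context.accessToken = context.accessToken || {};
  context.accessToken[NAMESPACE + 'roles'] = roles;
  return callback(null, user, context);
}

// Hypothetical offline harness: invokes the rule the way the pipeline would
// and returns either the resulting claims or the error message.
function runRule(user) {
  let result;
  addCustomClaims(user, { accessToken: {} }, (err, u, ctx) => {
    result = err ? { error: err.message } : { claims: ctx.accessToken };
  });
  return result;
}

// Constructed sample profiles covering the three cases in the thread.
const normalProfile = { user_id: 'auth0|constructed-1', app_metadata: { roles: ['admin'] } };
const renamedProfile = { user_id: 'auth0|constructed-2', metadata: { roles: ['editor'] } };
const emptyProfile = { user_id: 'auth0|constructed-3' };

for (const profile of [normalProfile, renamedProfile, emptyProfile]) {
  console.log(profile.user_id, JSON.stringify(runRule(profile)));
}
```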


Hi @prashant, for my case the details are as follows:

  • API Call: renewAuth (a.k.a. silent authentication, made through auth0.js - 8.4.0)
  • Connections: the issue happened for at least both ‘google-oauth2’ and ‘facebook’
  • Happened for all users. Could still be reproduced after removing the user and signing up again with the same user’s social identity.
  • Usually after the 2nd or 3rd silent-auth call.


Thanks @csv and - we have reproduced this on our end, with our engineering team working on a fix. Please see my answer for the workaround in the meantime.


Yeah, that’s similar to what I changed the rule to use.
Glad to know that this was a bug and not an undocumented breaking change :slight_smile:


Hi @prashant, is there an estimated date when the fix will be rolled out?