I’m adding the organization name to my access token in a rule: context.accessToken[namespace + 'org_name'] = context.organization.name.
This works, but I’m curious about the security aspect. Can this custom field be tampered with on the user side? Or is it encrypted in the same way as the default fields that are normally on the access token?
The access token is signed, and the signature includes all claims including custom claims. Tampering with a custom claim will invalidate the signature.
As long as you properly verify the access token, you are good.
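The behaviour described in the answer, as an added Node.js example that is not part of the original posts and is not Auth0's own code: an RS256-signed token carrying the custom claim is verified, then the claim is changed without re-signing and verification fails. The namespace, audience, organization names and the locally generated key pair are assumptions standing in for a real tenant's values.

```javascript
// Added example: constructed token and keys, not a real tenant's values.
const crypto = require('crypto');

const b64url = (buf) => Buffer.from(buf).toString('base64url');
const namespace = 'https://example.com/'; // assumed namespace
const audience = 'https://api.example.com'; // assumed API identifier

// Locally generated key pair standing in for the tenant's signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Issuer side: sign "header.payload" with RS256 (RSA PKCS#1 v1.5 + SHA-256).
function issue(claims) {
  const input = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' })) + '.' + b64url(JSON.stringify(claims));
  return input + '.' + b64url(crypto.sign('sha256', Buffer.from(input), privateKey));
}

// API side: pin the algorithm, check the signature, then check the claims.
function verify(token, key, aud, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const ok = crypto.verify('sha256', Buffer.from(h + '.' + p), key, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('invalid signature');
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  if (claims.aud !== aud) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('token expired');
  return claims;
}

// Client side: rewrite one claim in the payload and keep the original signature.
function tamper(token, claim, value) {
  const [h, p, s] = token.split('.');
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  claims[claim] = value;
  return [h, b64url(JSON.stringify(claims)), s].join('.');
}

function demo() {
  const exp = Math.floor(Date.now() / 1000) + 300;
  const token = issue({ aud: audience, exp, [namespace + 'org_name']: 'acme' });
  const accepted = verify(token, publicKey, audience)[namespace + 'org_name'];
  let rejected = null;
  try { verify(tamper(token, namespace + 'org_name', 'other-org'), publicKey, audience); }
  catch (e) { rejected = e.message; }
  return { accepted, rejected };
}

console.log(demo());
```

The payload of a signed token is base64url-encoded JSON, so the holder can read the claim; the signature only prevents it from being changed undetected.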