Storing secret in user_metadata


I am wondering if it is OK / Not OK to store secret (e.g. 3rd party access token) in user_metadata.

Question 2: if yes, should I encrypt it in advance or is it encrypted at rest anyway. (I am not worried about an admin seeing it in the management dashboard.)

Use-case: we are asking our users after login to authorise access to other 3rd party resources (APIs) for which the corresponding Auth provider grants us access tokens. One of the key benefits for using Auth0 is that I don’t need to worry about storing passwords safely. But now I need to go back and do that for these access tokens, so I was hoping I can use Auth0 as my safe storage for user secrets.

Thanks for any advice

Welcome to community,

Yes, you can pass any information in user_metadata as the whole user info object will be encrypted already so no need to worry about encryption. You data will be safe and secure.

Hi @finplanner.adm

Info like this should be stored in the user’s app_metadata, not the user’s user_metadata.

But I’m not clear on the architecture. Any time you are storing an access token, you should devote a lot of thought to the security of the whole process. Why is Auth0 storing your access token instead of the application that is using it?


Hi John, thank you for the help.

Architecture is simple. Using Auth0 for my generic authentication / authorisation service and using a 3rd party API to get some of the users data. The access token is to access this 3rd party API.

I totally agree, whenever storing access tokens (or other critical secrets) I want to be very diligent. And that is why I would prefer if i can rely on a service like Auth0 that already stores such secrets for me. The alternative is that I build the storage for this and take care of storing it safely. Doable but probably a day or two of work and a bunch of headache for maintenance. Trying to save that time unless it means compromising security of the access token.

Thanks a lot for the help again.