Too many requests in OAuth2 flow

Hi @levyshachar2,

Thanks for joining us in the Auth0 Community!

First of all, take a look at our rate limit policy, just to get an idea of what the limits are. Our users typically don’t run into issues with the limits unless something is not working as intended.

Next, I have some questions/suggestions about your flow:

  • Are you receiving the ID token from Auth0? If so, the sub claim contains the user_id and you should not need to use ListUsersByEmail.
  • You can replace the GetUserRoles call by adding the user’s roles to the token in a rule as a custom claim. Keep in mind this may not reflect the current state of roles if they are updated after the token has been issued, and you should refresh the token after you update roles to solve this issue (refresh tokens and short expirations can alleviate this).
  • You could also store a copy of user and roles in a local DB, as many Auth0 customers do, as user data not specific to the authentication process is often too big or irrelevant and should be stored elsewhere anyway. This will require you to keep two data stores up to date concurrently; food for thought.

Let me know if you have further questions, or if I missed something.

Thanks,
Dan
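The two suggestions above (read the user id from the `sub` claim instead of calling ListUsersByEmail, and carry roles as a custom claim added by a rule) as an added example; this is not code from the original thread or from Auth0. It assumes the rule runs with `context.authorization.roles` populated by Auth0's Authorization Core, that the claim namespace is a placeholder you pick, and that the application only hands claims to the helper after its OIDC library has verified the token's signature and issuer.

```javascript
// Placeholder namespace (assumption): custom claims in Auth0 tokens must be
// namespaced with a URL you control so they cannot collide with standard claims.
const NAMESPACE = 'https://example.com/';

// Rule body as it would be deployed in the Auth0 dashboard. Rules run
// server-side at token issuance, so the roles reflect the state at that moment.
function addRolesToTokens(user, context, callback) {
  // Assumption: Authorization Core exposes assigned roles here; default to [].
  const roles = (context.authorization && context.authorization.roles) || [];
  context.idToken[NAMESPACE + 'roles'] = roles;
  context.accessToken[NAMESPACE + 'roles'] = roles;
  return callback(null, user, context);
}

// Application side. `claims` is the already-verified payload of the ID token.
// Returns the user id from `sub` (no ListUsersByEmail call) and the roles
// claim; a token issued before the rule existed has no roles claim, which is
// reported as stale so the caller can refresh instead of calling GetUserRoles.
function identityFromClaims(claims) {
  if (!claims || typeof claims.sub !== 'string' || claims.sub.length === 0) {
    throw new Error('ID token is missing the sub claim');
  }
  const roles = claims[NAMESPACE + 'roles'];
  const hasRoles = Array.isArray(roles);
  return {
    userId: claims.sub,             // e.g. "auth0|..." from Auth0
    roles: hasRoles ? roles : [],
    stale: !hasRoles,               // true -> refresh the token to pick up roles
  };
}
```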