This same exact code works in my hook. The only difference is I need to require('auth0@2.23.0') in the hook (but I specify version 2.23.0 in my action modules, so it should be the same thing).
I just tested out your code in my own tenant, and it seems to make the update on the user, although the user ID is referenced with event.user.user_id instead of event.user.id. You can find the post-user registration event object here: Actions Triggers: post-user-registration - Event Object. It might be helpful to log the secrets to make sure they contain the correct credentials and don’t contain quotes, etc.
As a side note, since you are updating app metadata, you may want to consider using a pre-user registration or post login action instead of a post-registration action.
Post-user registration actions are best suited for tasks such as notifying another system about a signup. Due to the async nature of this trigger, you may encounter unexpected behavior or side effects if you use it to make persistent changes on a user (for example, assigning a role or updating app metadata).
For updating app metadata, it’d be much safer to use a pre-user registration or post login action.
Here is how you can update app metadata in a pre-user registration action:
Did you use client credentials (as my example shows)?
What version of the auth0 package did you use (latest or 2.23.0)?
What permissions did you set (read:user, update:user, etc)?
My main reason for using post registration is that I wanted to be sure the user was actually stored in Auth0. I’m trying to set up a sync process where, when a user is registered in Auth0, they also get stored in our local database. If pre-register fails, I don’t want to have orphaned users in our database. So with that being said, do you still recommend using pre-register?
You should only need update:users_app_metadata for this, but my M2M app also has create:users_app_metadata, read:users_app_metadata, update:users, read:users, and read:roles.
If you want to be certain that the user has been created in Auth0 before syncing with your local database, I’d recommend using a post-login action. The action could check if it is the first login with event.stats.logins_count === 1.
The intent of post-user registration actions is more geared toward alerting other systems of the signup than altering data within Auth0. There is an uncommon, yet possible chance of a race condition where the user won’t be found in the post-user registration action when attempting to update the user’s metadata. More commonly, any alterations in the user’s data are not guaranteed to be present in other types of actions and this could lead to unexpected behavior later on.
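The post-login approach recommended above, as an added example that is not part of the thread and not Auth0's own code. It goes one step beyond the logins_count check by writing an app_metadata marker, so a sync that failed on the first login is retried on the next one. The names planLocalSync, handlePostLogin, syncUserToLocalDb, the key local_db_synced and the secrets SYNC_URL and SYNC_TOKEN are assumptions.

```javascript
// Added example. Hypothetical names: planLocalSync, handlePostLogin,
// syncUserToLocalDb, app_metadata key "local_db_synced", secrets SYNC_URL / SYNC_TOKEN.

// Pure decision step: the user already exists in Auth0 when post-login runs.
function planLocalSync(event) {
  const meta = event.user.app_metadata || {};
  const firstLogin = event.stats.logins_count === 1;
  const alreadySynced = meta.local_db_synced === true;
  // retry: a previous login's sync failed, so the marker was never written.
  return { firstLogin, sync: !alreadySynced, retry: !alreadySynced && !firstLogin };
}

// Assumed local API: accepts a JSON user record with a bearer token.
async function syncUserToLocalDb(event, user) {
  const res = await fetch(event.secrets.SYNC_URL, {
    method: "POST",
    headers: {
      "content-type": "application/json",
      authorization: `Bearer ${event.secrets.SYNC_TOKEN}`,
    },
    body: JSON.stringify(user),
  });
  if (!res.ok) throw new Error(`local API returned ${res.status}`);
}

async function handlePostLogin(event, api, sync = syncUserToLocalDb) {
  const plan = planLocalSync(event);
  if (!plan.sync) return plan;
  try {
    await sync(event, { user_id: event.user.user_id, email: event.user.email });
    // Written only after the local write succeeded; no Management API client needed.
    api.user.setAppMetadata("local_db_synced", true);
  } catch (err) {
    // Log the user id and error only; the next login retries the sync.
    console.log(`local sync failed for ${event.user.user_id}: ${err.message}`);
  }
  return plan;
}

// Entry point the Actions runtime calls for the post-login trigger.
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = (event, api) => handlePostLogin(event, api);
}
```

Because the marker is set through api.user.setAppMetadata inside the login flow, this action needs no M2M client credentials or Management API scopes.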