Update App Meta Data from Post User Registration

I’d like to update App Meta Data after a user registers. I tried to do so using the npm package Auth0. When I try this:

const ManagementClient = require('auth0').ManagementClient;

var management = new ManagementClient({
    domain: event.secrets.domain,
    clientId: event.secrets.managementClientId,
    clientSecret: event.secrets.managementClientSecret,
});

await management.updateAppMetadata({id: event.user.id }, { alternateId: id});

I get the error:

"message": "{"error":"access_denied","error_description":"Unauthorized"}",
"name": "access_denied"

This same exact code works in my hook. The only difference is I need to require('auth0@2.23.0') in the hook (but I specify version 2.23.0 in my action modules, so it should be the same thing).

Any ideas?

Hi @techdynamism,

I just tested out your code in my own tenant, and it seems to make the update on the user, although the user ID is referenced with event.user.user_id instead of event.user.id. You can find the post-user registration event object here: Actions Triggers: post-user-registration - Event Object. It might be helpful to log the secrets to make sure they contain the correct credentials and don’t contain quotes, etc.

As a side note, since you are updating app metadata, you may want to consider using a pre-user registration or post login action instead of a post-registration action.

Post-user registration actions are best suited for tasks such as notifying another system about a signup. Due to the async nature of this trigger, you may encounter unexpected behavior or side effects if you use it to make persistent changes on a user (for example, assigning a role or updating app metadata).

For updating app metadata, it’d be much safer to use a pre-user registration or post login action.

Here is how you can update app metadata in a pre-user registration action:

exports.onExecutePreUserRegistration = async (event, api) => {
  // setAppMetadata (not setUserMetadata) is the call that writes app metadata
  api.user.setAppMetadata('alternateId', 123);
};

And here is how you would update app metadata in a post-login action:

exports.onExecutePostLogin = async (event, api) => {
  // Only run on the user's first login
  if (event.stats.logins_count === 1) {
    api.user.setAppMetadata('alternateId', 123);
  }
};
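
Added example, not part of the original posts: a helper for the secrets check suggested above that reports formatting problems (quotes, stray whitespace) without writing the secret values to the Action logs. The function names and sample values are constructed for illustration; the secret names are the ones from the question.

```javascript
// Quote characters that often end up in a secret when it is pasted in.
const QUOTE_CHARS = ['"', "'", '\u201C', '\u201D', '\u2018', '\u2019'];

// Returns a list of problem descriptions for one secret value.
function secretProblems(value) {
  if (value === undefined || value === null) return ['missing'];
  if (typeof value !== 'string') return ['not a string'];
  if (value.length === 0) return ['empty'];
  const problems = [];
  const trimmed = value.trim();
  if (trimmed !== value) problems.push('leading or trailing whitespace');
  if (QUOTE_CHARS.includes(trimmed[0]) ||
      QUOTE_CHARS.includes(trimmed[trimmed.length - 1])) {
    problems.push('starts or ends with a quote character');
  }
  if (/[^\x21-\x7E]/.test(trimmed)) {
    problems.push('inner whitespace or non-ASCII character');
  }
  return problems;
}

// Builds a loggable report: name, length and problems only, never the value.
function checkSecrets(secrets, names) {
  return names.map((name) => {
    const value = secrets ? secrets[name] : undefined;
    return {
      name,
      length: typeof value === 'string' ? value.length : 0,
      problems: secretProblems(value),
    };
  });
}

// Constructed sample standing in for event.secrets (all values are made up).
const sampleSecrets = {
  domain: 'example-tenant.auth0.com',
  managementClientId: '"abc123"',            // pasted with surrounding quotes
  managementClientSecret: 's3cr3t-value\n',  // pasted with a trailing newline
};

// Inside an Action, pass event.secrets instead of sampleSecrets.
console.log(JSON.stringify(
  checkSecrets(sampleSecrets,
    ['domain', 'managementClientId', 'managementClientSecret']),
  null, 2));
```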

Thanks for the insight. When you ran your test…

  • Did you use client credentials (as my example shows)?
  • What version of the auth0 package did you use (latest or 2.23.0)?
  • What permissions did you set (read:user, update:user, etc)?

My main reason for using post registration is that I wanted to be sure the user was actually stored in Auth0. I’m trying to set up a sync process where when a user is registered in Auth0 they also get stored in our local database. If pre-register fails I don’t want to have orphaned users in our database. So with that being said, do you still recommend using pre-register?

Yes, here is my hook:

exports.onExecutePostUserRegistration = async (event) => {
  const ManagementClient = require('auth0').ManagementClient;

  var management = new ManagementClient({
      domain: event.secrets.domain,
      clientId: event.secrets.clientId,
      clientSecret: event.secrets.clientSecret,
  });

  await management.updateAppMetadata({id: event.user.user_id }, { alternateId: 123});
};

You should only need update:users_app_metadata for this, but my M2M app also has create:users_app_metadata, read:users_app_metadata, update:users, read:users, and read:roles.

If you want to be certain that the user has been created in Auth0 before syncing with your local database, I’d recommend using a post-login action. The action could check if it is the first login with event.stats.logins_count === 1.

The intent of post-user registration actions is more geared toward alerting other systems of the signup than altering data within Auth0. There is an uncommon, yet possible chance of a race condition where the user won’t be found in the post-user registration action when attempting to update the user’s metadata. More commonly, any alterations in the user’s data are not guaranteed to be present in other types of actions and this could lead to unexpected behavior later on.
