User Profile App Metadata and User Metadata


Do you need to be logged in as the user to access the user_profile app metadata and user metadata? I’m needing to store a field that needs to be protected. I know that the app_metadata field is “read_only” so that is definitely a plus. I’m more concerned with is there any security risk for storing data in the app_metadata section? Is there any way someone else can access the data without permissions to? OR is the only way to see this information is by logging it as that specific user?

Thank you

App_metadata can only be read by the user it belongs to, or through calls made to the Management API GET User endpoint. You can also encrypt data in app_metadata through a Rule as an extra layer of protection.

Note, app_metadata can be passed back to your applications as a claim in the id_token - this makes it possible that the id_token could be stored in localStorage, hence the possibility of the token (and the app_metadata) being read. I suggest reading the following document on our User Data Storage Guidelines.