Using App Metadata to customize access token per client for M2M applications

I have an API that needs to authorize access based on company_id. One way to do it is to maintain a mapping between the company ID and all the client IDs (M2M apps) it generates. I am wondering whether it'd be better/more secure to just embed the company ID in the access token instead. Here is the workflow I plan to implement:

  1. when a company creates the M2M app (via our portal), we put the company_id in the app metadata;
  2. we then use an Action to put the App Metadata in the access token as a custom claim;
  3. our API, upon receiving the access token, decodes the JWT, extracts company_id and uses it for authorization.

Will this work? Is there any security issue with this approach?


Hi @gavin3466,

Thanks for reaching out to the Auth0 Community!

Yes! Your proposed approach will work and will be a secure way to handle authorization.

Here is a helpful FAQ resource I recommend reading: Adding custom claims to tokens

Please let me know if you have any additional questions.


