I’m considering replacing all of the personally identifiable information in our database with metadata on the Auth0 user object. This would provide a natural separation between our application’s protected data and the sensitive user information. However, in the documentation, I noticed that Auth0 does “recommend against using these properties like a database”.
What’s the reason for this? Is the use case of storing all PII still acceptable?
Calls to the API are throttled (and throttling rules can change at any time, as per the docs: Rate Limit Policy), so it is possible to hit a frustrating bottleneck at some point during scale-up.
I find the response times of the Auth0 servers are not particularly impressive.
Those two points seem to show that Auth0 indeed does not provide a “database-like service” in the metadata.
The use case I saw for that was to include that metadata in the ID Token, but then the ID Token itself can become quite big.
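To make the two points in that reply concrete, here is an added example (my own code, not from the original posts or from Auth0): it measures how much the ID Token payload grows when a user_metadata blob of PII is copied into it versus a single reference claim, and shows a Management API GET wrapper that backs off on HTTP 429 until the time in the X-RateLimit-Reset header. The header names, the namespaced claim names, and the sample PII are assumptions; the HTTP transport is a constructed stand-in so the code runs offline.

```python
import base64
import json
import time

# Added example, not code from the forum thread or from Auth0. The
# X-RateLimit-Remaining / X-RateLimit-Reset (Unix seconds) headers are assumed
# from Auth0's Management API rate-limit docs; all responses below are constructed.


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def payload_segment_size(claims: dict) -> int:
    """Bytes used by the JWT payload segment for these claims (header and signature add on top)."""
    compact = json.dumps(claims, separators=(",", ":")).encode("utf-8")
    return len(_b64url(compact))


BASE_CLAIMS = {
    "iss": "https://example.auth0.com/",
    "sub": "auth0|5f1c2b3d4e5f60718293a4b5",
    "aud": "abcDEF123",
    "iat": 1700000000,
    "exp": 1700036000,
}

# Constructed PII of the kind a team might be tempted to keep in user_metadata.
SAMPLE_PII = {
    "legal_name": "Avery Example",
    "date_of_birth": "1988-04-12",
    "postal_address": {"street": "1 Example Way", "city": "Springfield", "postcode": "00000"},
    "phone": "+1-555-0100",
    "national_id_last4": "1234",
}


def token_size_comparison() -> dict:
    """Payload size with the PII embedded versus a reference to the app's own record (assumed claim names)."""
    with_pii = {**BASE_CLAIMS, "https://example.com/user_metadata": SAMPLE_PII}
    with_ref = {**BASE_CLAIMS, "https://example.com/profile_id": "p_8f3a"}
    return {"with_pii": payload_segment_size(with_pii), "with_reference": payload_segment_size(with_ref)}


class RateLimitExceeded(Exception):
    pass


def management_get(send, url, max_retries=3, now=time.time, sleep=time.sleep):
    """GET through `send(url) -> (status, headers, body)`, sleeping until X-RateLimit-Reset on 429.

    `send`, `now` and `sleep` are injected so the behaviour can be exercised offline.
    """
    for _ in range(max_retries + 1):
        status, headers, body = send(url)
        if status != 429:
            return status, body
        hdrs = {k.lower(): v for k, v in headers.items()}
        reset = float(hdrs.get("x-ratelimit-reset", now() + 1))
        sleep(max(0.0, reset - now()))
    raise RateLimitExceeded(f"still throttled after {max_retries} retries: {url}")


def make_fake_transport(throttle_first_n: int):
    """Constructed stand-in for the Management API: 429 for the first N calls, then 200."""
    calls = []

    def send(url):
        calls.append(url)
        if len(calls) <= throttle_first_n:
            return 429, {"X-RateLimit-Remaining": "0", "X-RateLimit-Reset": "1700000005"}, b""
        return 200, {"X-RateLimit-Remaining": "49"}, json.dumps({"user_metadata": SAMPLE_PII}).encode()

    return send, calls


def demo_throttled_fetch():
    """One throttled call followed by success; returns (status, calls made, seconds slept)."""
    send, calls = make_fake_transport(throttle_first_n=1)
    waits = []
    status, _body = management_get(
        send, "https://example.auth0.com/api/v2/users/auth0%7Cabc",
        now=lambda: 1700000002.0, sleep=waits.append,
    )
    return status, len(calls), waits


if __name__ == "__main__":
    print(token_size_comparison())
    print(demo_throttled_fetch())
```

The size comparison is the argument against copying metadata into the ID Token: every byte of PII travels on every request that carries the token, and the same data still has to be fetched through the throttled Management API whenever the token is not available. Keeping only a reference claim in the token and serving PII from the application's own store avoids both costs.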