Working with metadata to replace database personally identifiable information

I’m considering replacing all of the personally identifiable information on our database to use metadata on the Auth0 object. This would provide a natural separation between our application's protected data and the sensitive user information. However, in the documentation, I noticed that Auth0 does “recommend against using these properties like a database”.

What’s the reason for this? Is the use case of storing all PII still acceptable?

Hey there @dbsullivan231!

Thanks a lot for reporting that. Let me reach out to our docs team regarding that to find out why that is. Thank you!

My 2 cents. I did not choose this path because:

  1. Calls to the API are throttled (and throttling rules can change anytime as per the docs: https://auth0.com/docs/policies/rate-limits) - so it is possible to hit a frustrating bottleneck at some point in the scale up.

  2. I find response times of the Auth0 servers are not particularly impressive.

Those 2 points seem to show that Auth0 indeed does not provide a “database-like service” in the metadata.

  3. The use case I saw for that was to include those metadata in the ID Token, but then the ID Token itself can become quite big.

Thanks a lot for sharing that knowledge @Mic!
