Skip to main content
To configure refresh token metadata, you can use an Auth0 Post-Login Action and the Management API.

Auth0 Post-Login Actions

You can manage refresh token metadata CRUD operations using the api.refreshToken objects with a post-login Action. This allows you to manage refresh token metadata based on user or context-specific logic.

Retrieve existing refresh token metadata

Use the event.refresh_token.metadata object to read the refresh token metadata:
The event.refresh_token.metadata object includes metadata set in:
  • Previous Actions within the same flow
  • Prior transactions if the refresh token was reused during a refresh token exchange

Add or update existing metadata

Use the api.refreshToken.setMetadata() method to set or update the refresh token metadata:
Changes are immediately available in the event.refresh_token object in subsequent Actions.

Delete refresh token metadata

Use the following api.refreshToken methods to delete refresh token metadata:
  • api.refreshToken.deleteMetadata("key") deletes the specified refresh token metadata
  • api.refreshToken.evictMetadata() deletes all refresh token metadata
To learn more about these objects, review:
  • Event object: Learn about the refresh token Event object and properties.
  • API object: Learn about the refresh token API object and methods.

Auth0 Management API

You can manage refresh token metadata CRUD (create, replace, update, delete) requests using the Management API:
Calls to the /api/v2/refresh-tokens/{id} endpoint require a Management API access token with the update:refresh_tokens scope.

Retrieve existing refresh token metadata

Make a GET request to the /api/v2/refresh-tokens/{id} endpoint:

Add or update existing refresh token metadata

Make a PATCH request to the /api/v2/refresh-tokens/{id} endpoint:

Delete refresh token metadata

Make a PATCH request to the /api/v2/refresh-tokens/{id} endpoint with an empty metadata object:

Use case: Store and consume organization context

You can use refresh token metadata to store organization context during the initial authentication and consume it later during refresh token exchanges. This is useful for downstream systems such as audit, analytics, and revocation pipelines.

Set metadata at initial authentication

During the initial login, set the organization context in the refresh token metadata:

Consume metadata during refresh token exchange

During a refresh token exchange, the event.refresh_token object exists and you can read the previously stored metadata:

Retrieve via Management API

You can also query the refresh token metadata via the /api/v2/refresh-tokens/ endpoint:
Sample response:

Use case: Track and validate device information

You can use refresh token metadata to capture device information at the initial authentication and validate it during subsequent refresh token exchanges for security purposes.

Set device information at initial authentication

Validate device information during refresh token exchange

Error handling

You can review refresh token metadata log events by navigating to Dashboard > Monitoring > Logs or retrieve logs using the Management API logs endpoint.
  • If an error occurs while adding or updating refresh token metadata with Actions, the authentication transaction fails and an error is returned to the callback URL.
A failure f event code is logged with its corresponding error:
  • If a failure occurs when managing refresh token metadata using the Auth0 Management API, the API responds with an HTTP status: 400 error and its corresponding message:

Learn more