Skip to main content
Refresh token metadata and session metadata together allow you to create and store data that persists throughout a user’s Auth0 session lifecycle. This article includes examples for the following use cases: To learn more, read A guide to Auth0 Session and Refresh Token Metadata.
Auth0 session metadata is not a secure data store and should not be used to store sensitive information. This includes secrets and high-risk PII like social security numbers or credit card numbers, etc. Auth0 customers are strongly encouraged to evaluate the data stored in metadata and only store that which is necessary for identity and access management purposes. To learn more, read Auth0 General Data Protection Regulation Compliance.

Create persistent custom claims

Refresh token metadata and session metadata together lets you create persistent custom claims to extend information contained within ID and access tokens. Using persistent custom claims, you can access application specific data, such as:
  • User roles
  • Permissions
  • Tenant IDs
  • And other attributes necessary for authorization and personalization across refresh token exchanges.
Configure a post-login Action trigger to create persistent custom claims and assign them to refresh token metadata using the api.refreshToken.setMetadata() object.
custom claim Action example
During a refresh token exchange, a subsequent post-login Action trigger can access these custom claims, using the event.refresh_token.metadata object and apply them to newly issued refresh tokens using the api.idToken.setCustomClaim() and api.accessToken.setCustomClaim() objects.
A single post-login Action can handle different grant_type scenarios using the event.request.body.grant_type object to manage claim persistence. The event.refresh_token object is read-only available during refresh token exchanges.

Create a unique session ID

Refresh token metadata and Session metadata together let you create a unique session ID to implement a persistent session identifier that is carried across the entire lifespan of a user’s session, including during refresh token rotations. Using unique session IDs, you can:
  • Accurately log a user’s session for debugging and auditing purposes.
  • Provide a mechanism for applications to track internal session state.
  • Enable APIs to provide granular logging, rate limiting, and contextual authorization decisions.
  • Apply consistent UX experiences that span multiple token lifecycles.
Configure a post-login Action trigger to create a unique session ID and assign it to the user’s session using the api.session.setMetadata() and api.refreshToken.setMetadata() objects. Add the unique session ID, as a custom claim to the ID and access tokens, using the api.idToken.setCustomClaim() and api.accessToken.setCustomClaim() objects.
unique session ID Action example
During a refresh token exchange, a subsequent post-login Action trigger can access these custom claims using the event.refresh_token.metadata object, and apply them to newly issued refresh tokens using the api.idToken.setCustomClaim() and api.accessToken.setCustomClaim() objects.

Create a tenant identifier

Refresh token metadata and session metadata together let you create a persistent tenant identifier to manage multi-tenant applications, where a single instance of an application serves multiple customer organizations, that is carried across the entire lifespan of a user’s session. Using a persistent tenant identifier, you can:
  • Add dynamic access control to easily enforce tenant-specific permissions in your applications and APIs
  • Create a tailored user experience to deliver content and features relevant to the user’s current tenant context
  • Simplify multi-tenancy logic by centralizing tenant identification and propagation within Auth0
  • Enhance security by preventing accidental cross-tenant data exposure by ensuring consistent tenant context in all tokens
  • Improve scalability by reducing the need for repeated database queries or complex logic to determine tenant context on every API call or token refresh
Configure a post-login Action trigger to identify the user’s active tenant either by querying the application for an ext-tenantId value provided during the authentication request, infer the tenant using geo-location, or by prompting the user to select their desired tenant. Once the tenant is identified, assign the tenant identifier value to the user’s session using the api.session.setMetadata() and api.refreshToken.setMetadata() objects, and add it as a custom claim to the ID and access tokens using the api.idToken.setCustomClaim() and api.accessToken.setCustomClaim() objects.
tenant identifier Action example
During a refresh token exchange, a subsequent post-login Action can access these custom claims, using the event.refresh_token.metadata object, and apply them to newly issued refresh tokens using the api.idToken.setCustomClaim() and api.accessToken.setCustomClaim() objects.

Manage transient data from upstream identity providers (IDPs)

Refresh token metadata and session metadata together let you manage transient and contextual data from upstream IDPs throughout a user’s session without storing it permanently in the user’s Auth0 profile. Using transient data, you can:
  • Maintain clean user profiles by preventing the storage of transient or session specific data
  • Enhance flexibility by supporting diverse data requirements from various IDPs without forcing schema changes or data bloat in persistent user profiles
  • Improve compliance by facilitating adherence to data privacy and retention policies by storing transient data only for its required lifetime
  • Reduce development overhead by simplifying the process of handling transient IDP data, as Auth0 Actions and metadata manage the data lifecycle
Configure a post-login Action trigger to identify user profile data contained in the event.request, event.user, and event.context objects. Determine which data is transient or contextual data and assign it to the user’s session, using the api.session.setMetadata() and api.refreshToken.setMetadata() objects, add the transient data as a custom claim to the ID and access tokens using the api.idToken.setCustomClaim() and api.accessToken.setCustomClaim() objects.
transient data Action example
During a refresh token exchange, a subsequent post-login Action trigger can access these custom claims, using the event.refresh_token.metadata object, and apply them to newly issued refresh tokens using the api.accessToken.setCustomClaim() object.

Enhance security and fraud detection

Refresh token metadata and session metadata together let you implement adaptive security by enabling the tracking and comparison of contextual information throughout a user’s session including refresh token rotations and silent authentication requests. By implementing adaptive security you can:
  • Create proactive threat detection by automatically identifying and responding to suspicious changes in user context data, reducing the risk of session hijacking and unauthorized access.
  • Reduce friction for legitimate users by only prompts for MFA or additional verification when a genuine anomaly is detected, improving the user experience compared to blanket MFA requirements.
Configure a post-login Action trigger to identify contextual user data that can include device fingerprint, geographic location, network attributes, and behavioral attributes. Store the contextual data for comparison in the user’s session, using the api.session.setMetadata() object.
security detection Action example
During a refresh token exchange or silent authentication, a subsequent post-login Action trigger can apply risk assessment and adaptive responses.

Access Metadata with the Management API

You can use the Auth0 Management API GET /api/v2/refresh-tokens/{id} and /api/v2/sessions/{id} endpoints to retrieve the stored data in either a refresh token or session’s metadata. The response includes the metadata field containing the stored data:

Learn more