Manage User Metadata with the post-login Action Trigger
Auth0 provides a rich system for storing metadata on the Auth0 user profile. You can configure a post-login
trigger to modify user_metadata
and app_metadata
as part of a user’s login flow. Post-login triggers are useful for tasks such as storing application-specific data on the user profile, capturing user operation logs, mapping SAML attributes to the metadata field, or caching expensive operation values on the User profile for re-used in future logins.
The post-login
api
object provides common operations that can be performed in this trigger. To manage user metadata, we want to use the api.user.setAppMetadata
and api.user.setUserMetadata
methods. For example, to guard against some behavior running more than once for a specific user, consider an Action that looks like this:
exports.onExecutePostLogin = async (event, api) => {
if (event.user.app_metadata.didAnExpensiveTask) {
console.log(`Skipping the expensive task because it already occurred for ${event.user.email}.`);
return;
}
// do and expensive task
api.user.setAppMetadata("didAnExpensiveTask", true);
};
Was this helpful?
Here, we added a check at the start of the Action to see if we have already performed the expensive task for this user. If the metadata field exists, then we return from the function.
At the end of the Action, we call api.user.setAppMetadata
to signal that we would like to store some metadata on the user object. At the end of each trigger’s execution, Actions will update the user profile as a single operation. If several calls are made to setUserMetadata
actions, even if they are made in different actions as part of the same flow, Actions will only update the user profile a single time--at the end of the trigger’s execution.
Best practices
Beware of storing too much data in the Auth0 profile. This data is intended to be used for authentication and authorization purposes, and users can edit their own user_metadata
field, so don't store sensitive data in it. The metadata and search capabilities of Auth0 are not designed for marketing research or anything else that requires heavy search or update frequency. Your system is likely to run into scalability and performance issues if you use Auth0 for this purpose. A better approach is to store data in an external system and store a pointer (the user ID) in Auth0 so that backend systems can fetch the data if needed.
Rate limits
Even though a single call is made to update the user profile, that operation is still subject to your tenant’s "Write User" rate limits. If the Rate Limit is hit when attempting to update metadata, Actions will retry the request as long as a 429
HTTP status code is returned. The delay between retries is governed by the value of the X-RateLimit-Reset
header returned as part of the 429
response.
Redirects
In the event of a Redirect invoked with api.redirect.sendUserTo()
, any pending user or app metadata updates will be applied to the user profile before the user is redirected to the external site. To learn more, see Redirecting With Actions.