Unexpected Characters in JWT Tokens
This article describes a scenario in which adding certain custom claims to the Access Token produces a malformed token containing unexpected characters.
- Actions
- setCustomClaim
- Access Token
Standard OIDC claims such as phone_number, email, name, and picture are expected in an ID Token, but they are not expected as custom claims in an Access Token. Manually forcing a standard claim name such as email into the root of the Access Token with setCustomClaim is likely to collide with Auth0's internal JWT serialization engine: the engine processes the standard claims (including calculating the Audience array) and then encounters the manual override.
Review every post-login Action for a line like the one below, which adds a custom claim to the Access Token.
exports.onExecutePostLogin = async (event, api) => {
  // Adds a root-level (non-namespaced) custom claim to the Access Token
  api.accessToken.setCustomClaim('myClaim', 'this is a private, non namespaced claim');
};
Ensure that the claim name passed in place of "myClaim" is not one of the standard OIDC claim names (email, name, picture, and so on).
Custom namespaced claim names, for example https://....com/email, are treated by Auth0 as "opaque strings". They are inserted safely into the JSON payload without triggering the internal OIDC validation logic that handles the standard fields.