Management of Refresh Token Metadata in Early Access

Overview

Auth0 supports attaching custom key-value data to a refresh token to personalize authentication or enforce security policies during the token lifecycle. Add and manage metadata for refresh tokens using Post-Login Actions or the Auth0 Management API.

Applies To
  • Auth0
  • Refresh Token Metadata
  • Actions
  • Auth0 Management API
  • Early Access (EA)

Solution

Auth0 allows up to 25 custom key-value pairs per token for Refresh Token Metadata, with a maximum of 255 characters per key or value.

How is metadata set using Post-Login Actions?

To set metadata within a Post-Login Action, use the api.refreshToken.setMetadata method to define the key and value.

api.refreshToken.setMetadata("deviceName", "Kevin's iPhone");
api.refreshToken.setMetadata("loginRegion", event.request.geoip?.countryCode);
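
The snippet above passes event.request.geoip?.countryCode straight through, which is undefined when no geoip data is present, and nothing checks the 25-pair and 255-character limits. The following is an added example, not Auth0's own code: applyRefreshTokenMetadata and makeMockApi are hypothetical names, and the mock api and event objects are constructed so the block runs outside Auth0.

```javascript
// Limits stated on this page: 25 pairs per token, 255 characters per key or value.
const MAX_PAIRS = 25;
const MAX_LEN = 255;

// Hypothetical helper: validates entries, then calls api.refreshToken.setMetadata
// for each accepted pair. It counts only the pairs passed in this call.
function applyRefreshTokenMetadata(api, entries) {
  const applied = [];
  const skipped = [];
  for (const [key, raw] of Object.entries(entries)) {
    // geoip data can be absent, so the optional chain may yield undefined.
    if (raw === undefined || raw === null) {
      skipped.push({ key, reason: "missing value" });
      continue;
    }
    const value = String(raw);
    if (key.length === 0 || key.length > MAX_LEN || value.length > MAX_LEN) {
      skipped.push({ key, reason: "length limit" });
      continue;
    }
    if (applied.length >= MAX_PAIRS) {
      skipped.push({ key, reason: "pair limit" });
      continue;
    }
    api.refreshToken.setMetadata(key, value);
    applied.push(key);
  }
  return { applied, skipped };
}

// In an Auth0 Action this function would be assigned to exports.onExecutePostLogin.
function onExecutePostLogin(event, api) {
  return applyRefreshTokenMetadata(api, {
    deviceName: "Kevin's iPhone",
    loginRegion: event.request.geoip?.countryCode,
  });
}

// Constructed stand-ins for the Action's api and event objects (offline run only).
function makeMockApi() {
  const store = new Map();
  return { store, refreshToken: { setMetadata: (k, v) => store.set(k, v) } };
}
const mockApi = makeMockApi();
const result = onExecutePostLogin({ request: {} }, mockApi);
console.log(result.applied, result.skipped);
```

The skipped list can be logged from the Action so that dropped keys are visible when reviewing why a token lacks an expected attribute.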

How is metadata managed using the Auth0 Management API?

Metadata persists while the token remains valid. Retrieve or update the metadata using the following Auth0 Management API endpoints.

  • GET /api/v2/refresh-tokens/{id}
  • PATCH /api/v2/refresh-tokens/{id}
