Rules Anatomy Best Practices

A rule is essentially an anonymous JavaScript function that is passed three parameters: a user object, a context object, and a callback function.

    function (user, context, callback) {
     // TODO: implement your rule
     return callback(null, user, context);

Do not add a trailing semicolon at the end of the function declaration as this will break rule execution. Anonymous functions make it hard to interpret the call-stack generated as a result of any exceptional error condition. For convenience, use compact and unique naming conventions to assist with diagnostic analysis (e.g., function MyRule1 (user, context, callback) {...}). To learn more, read Error Handling Best Practices.

Rules execute in the pipeline associated with the generation of artifacts for authenticity that forms part of the overall Auth0 engine. When a pipeline is executed, all enabled rules are packaged together in the order in which they are listed and sent as one code blob to be executed as an Auth0 serverless Webtask. To see the entire Auth0 engine, download Inside the Auth0 Engine.

Rule Anatomy Best Practices Rules Pipeline Diagram


We recommend that the total size of implementation for all enabled rules should not exceed 100 kB. The larger the size, the more latency is introduced due to the packaging and transport process employed by the Auth0 serverless Webtask platform, and this will have an impact on the performance of your system. Note that the 100 kB limit does not include any npm modules that may be referenced as part of any require statements.


The order in which rules are displayed in the Auth0 Dashboard dictates the order in which the rules will be executed. This is important because one rule may make one or more definitions within the environment associated with execution that another rule may depend upon. In this case, the rule making the definition(s) should execute before the rule that makes use of it. To learn more, read Rules Environment Best Practices.

Run expensive rules that call APIs (including the Auth0 Management API) as late as possible. If you have other, less expensive rules that could cause an unauthorized access determination, then you should run these first.

Learn more