Custom Signup

You can customize the user signup form with more fields in addition to email and password when using Lock or the Auth0 API.

There are many factors to consider before you choose Lock vs. Custom UI. For example, using Lock, you can redirect to another page to capture data or use progressive profiling. When using the Auth0 API, you can capture custom fields and store them in a database. There are certain limitations to the customization that should be considered when choosing the method that best suits your purpose. Some typical customizations include adding a username and verifying password strength.

Universal Login

Auth0 offers a Universal Login option that you can use instead of designing your own custom signup page. If you want to offer signup and login options, and you only need to customize the application name, logo and background color, then Universal Login via an Auth0 login page might be an easier option to implement.

Using Lock

Lock supports custom fields signup.

custom signup fields

Lock's additionalSignUpFields option will only work with database signups. For signups using social identity providers, collecting these fields in the same manner is not possible with Lock, but there are two other options to allow social IDP signups with Lock while still collecting additional custom fields.

Redirect to another page

One way to use social provider signups with Lock and collect custom fields is to use redirect rules to redirect the user to another page where you ask for extra information, and then redirect back to finish the authentication transaction.

Progressive profiling

Another way to collect custom field data when signing users up with social providers is via progressive profiling whereby you can slowly build up user profile data over time. You collect the bare minimum details upon signup, but when a user later interacts with your app, you collect a small amount of data (perhaps one question) each time until their profile is complete. This allows you to collect the desired information but with less friction, since the goal of using a social IDP for signup is making it more effortless and streamlined for the user.

For additional information, see this Auth0 blog post about progressive profiling.

Using the API

Create a signup form to capture custom fields

<form id="signup">
    <legend>Sign up</legend>
      <input type="email" id="signup-email" placeholder="Email" required/>
      <input type="password" id="signup-password" placeholder="Password"
      <input type="text" id="name" placeholder="Full name" required/>
      <input type="text" id="color" placeholder="Favorite color"/>
    <input type="submit" value="Sign up"/>

The name is a user profile attribute and color is a custom field.

There is currently no way to validate user-supplied custom fields when signing up. Validation must be done from an Auth0 Rule at login, or with custom, server-side logic in your application.

Send the form data

Send a POST request to the /dbconnections/signup endpoint in Auth0.

You will need to send:

  • Your application's client_id
  • The email and password of the user being signed up
  • The name of the database connection to store your user's data
  • Any user profile attribute you want to update for the user, which can include given_name, family_name, name, nickname, and picture.
  • Any custom fields as part of user_metadata

curl --request POST \
  --url 'https://YOUR_DOMAIN/dbconnections/signup' \
  --header 'content-type: application/json' \
  --data '{"client_id": "YOUR_CLIENT_ID","email": "$('\''#signup-email'\'').val()","password": "$('\''#signup-password'\'').val()","connection": "YOUR_CONNECTION_NAME","name": "$('\''#name'\'').val()","user_metadata": {"color": "red"}}'
var client = new RestClient("https://YOUR_DOMAIN/dbconnections/signup");
var request = new RestRequest(Method.POST);
request.AddHeader("content-type", "application/json");
request.AddParameter("application/json", "{\"client_id\": \"YOUR_CLIENT_ID\",\"email\": \"$('#signup-email').val()\",\"password\": \"$('#signup-password').val()\",\"connection\": \"YOUR_CONNECTION_NAME\",\"name\": \"$('#name').val()\",\"user_metadata\": {\"color\": \"red\"}}", ParameterType.RequestBody);
IRestResponse response = client.Execute(request);
package main

import (

func main() {

	url := "https://YOUR_DOMAIN/dbconnections/signup"

	payload := strings.NewReader("{\"client_id\": \"YOUR_CLIENT_ID\",\"email\": \"$('#signup-email').val()\",\"password\": \"$('#signup-password').val()\",\"connection\": \"YOUR_CONNECTION_NAME\",\"name\": \"$('#name').val()\",\"user_metadata\": {\"color\": \"red\"}}")

	req, _ := http.NewRequest("POST", url, payload)

	req.Header.Add("content-type", "application/json")

	res, _ := http.DefaultClient.Do(req)

	defer res.Body.Close()
	body, _ := ioutil.ReadAll(res.Body)


HttpResponse<String> response ="https://YOUR_DOMAIN/dbconnections/signup")
  .header("content-type", "application/json")
  .body("{\"client_id\": \"YOUR_CLIENT_ID\",\"email\": \"$('#signup-email').val()\",\"password\": \"$('#signup-password').val()\",\"connection\": \"YOUR_CONNECTION_NAME\",\"name\": \"$('#name').val()\",\"user_metadata\": {\"color\": \"red\"}}")
var request = require("request");

var options = {
  method: 'POST',
  url: 'https://YOUR_DOMAIN/dbconnections/signup',
  headers: {'content-type': 'application/json'},
  body: {
    client_id: 'YOUR_CLIENT_ID',
    email: '$(\'#signup-email\').val()',
    password: '$(\'#signup-password\').val()',
    connection: 'YOUR_CONNECTION_NAME',
    name: '$(\'#name\').val()',
    user_metadata: {color: 'red'}
  json: true

request(options, function (error, response, body) {
  if (error) throw new Error(error);

#import <Foundation/Foundation.h>

NSDictionary *headers = @{ @"content-type": @"application/json" };
NSDictionary *parameters = @{ @"client_id": @"YOUR_CLIENT_ID",
                              @"email": @"$('#signup-email').val()",
                              @"password": @"$('#signup-password').val()",
                              @"connection": @"YOUR_CONNECTION_NAME",
                              @"name": @"$('#name').val()",
                              @"user_metadata": @{ @"color": @"red" } };

NSData *postData = [NSJSONSerialization dataWithJSONObject:parameters options:0 error:nil];

NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://YOUR_DOMAIN/dbconnections/signup"]
[request setHTTPMethod:@"POST"];
[request setAllHTTPHeaderFields:headers];
[request setHTTPBody:postData];

NSURLSession *session = [NSURLSession sharedSession];
NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request
                                            completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
                                                if (error) {
                                                    NSLog(@"%@", error);
                                                } else {
                                                    NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response;
                                                    NSLog(@"%@", httpResponse);
[dataTask resume];
$curl = curl_init();

curl_setopt_array($curl, array(
  CURLOPT_URL => "https://YOUR_DOMAIN/dbconnections/signup",
  CURLOPT_POSTFIELDS => "{\"client_id\": \"YOUR_CLIENT_ID\",\"email\": \"$('#signup-email').val()\",\"password\": \"$('#signup-password').val()\",\"connection\": \"YOUR_CONNECTION_NAME\",\"name\": \"$('#name').val()\",\"user_metadata\": {\"color\": \"red\"}}",
    "content-type: application/json"

$response = curl_exec($curl);
$err = curl_error($curl);


if ($err) {
  echo "cURL Error #:" . $err;
} else {
  echo $response;
import http.client

conn = http.client.HTTPSConnection("")

payload = "{\"client_id\": \"YOUR_CLIENT_ID\",\"email\": \"$('#signup-email').val()\",\"password\": \"$('#signup-password').val()\",\"connection\": \"YOUR_CONNECTION_NAME\",\"name\": \"$('#name').val()\",\"user_metadata\": {\"color\": \"red\"}}"

headers = { 'content-type': "application/json" }

conn.request("POST", "/YOUR_DOMAIN/dbconnections/signup", payload, headers)

res = conn.getresponse()
data =

require 'uri'
require 'net/http'
require 'openssl'

url = URI("https://YOUR_DOMAIN/dbconnections/signup")

http =, url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE

request =
request["content-type"] = 'application/json'
request.body = "{\"client_id\": \"YOUR_CLIENT_ID\",\"email\": \"$('#signup-email').val()\",\"password\": \"$('#signup-password').val()\",\"connection\": \"YOUR_CONNECTION_NAME\",\"name\": \"$('#name').val()\",\"user_metadata\": {\"color\": \"red\"}}"

response = http.request(request)
puts response.read_body
import Foundation

let headers = ["content-type": "application/json"]
let parameters = [
  "client_id": "YOUR_CLIENT_ID",
  "email": "$('#signup-email').val()",
  "password": "$('#signup-password').val()",
  "connection": "YOUR_CONNECTION_NAME",
  "name": "$('#name').val()",
  "user_metadata": ["color": "red"]
] as [String : Any]

let postData = parameters, options: [])

let request = NSMutableURLRequest(url: NSURL(string: "https://YOUR_DOMAIN/dbconnections/signup")! as URL,
                                        cachePolicy: .useProtocolCachePolicy,
                                    timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData as Data

let session = URLSession.shared
let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in
  if (error != nil) {
  } else {
    let httpResponse = response as? HTTPURLResponse


Custom fields limitations

When your users sign up, the custom fields are sent as part of user_metadata. The limitations of this field are:

  • user_metadata must contain no more than 10 fields
  • user_metadata.field must be a string
  • user_metadata.field.value.length must be fewer than 500 characters
  • user_metadata.field.length must be fewer than 100 characters
  • The current size limit for user_metadata is 16 MB

Redirect mode

After a successful login, Auth0 will redirect the user to your configured callback URL with a JWT (id_token) in the query string.

To learn more about the differences between popup and redirect modes, please refer to this document.

window.auth0 = new Auth0({
  domain: 'YOUR_DOMAIN',
  clientID: 'YOUR_CLIENT_ID',
  // Callback made to your server's callback endpoint
  callbackURL: 'https://YOUR_APP/callback',

Your server will then need to call APIv2 to add the necessary custom fields to the user's profile.

Add username to the signup form

One common signup customization is to add a username to the signup.

To enable this feature, turn on the Requires Username setting on the Connections > Database section of the dashboard under the Settings tab for the connection you wish to edit.

Capture the username field in your custom form, and add the username to your request body.

<form id="signup">
    <legend>Sign up</legend>
      <input type="email" id="signup-email" placeholder="Email" required/>
      <input type="password" id="signup-password" placeholder="Password"
      <input type="text" id="username" placeholder="username" required/>
    <input type="submit" value="Sign up"/>
var settings = {
  "async": true,
  "crossDomain": true,
  "url": "https://YOUR_DOMAIN/dbconnections/signup",
  "method": "POST",
  "headers": {
    "content-type": "application/x-www-form-urlencoded"
  "data": {
    "client_id": "YOUR_CLIENT_ID",
    "email": $('#signup-email').val(),
    "password": $('#signup-password').val(),
    "connection": "YOUR_CONNECTION_NAME",
    "username": $('#username').val()

$.ajax(settings).done(function (response) {

Optional: Verify password strength

Password policies for database connections can be configured in the dashboard. For more information, see: Password Strength in Auth0 Database Connections.

If required for implementation of custom signup forms, the configured password policies, along with other connection information, can be retrieved from the Management v2 API. The result can be parsed client-side, and will contain information about the current password policy (or policies) configured in the dashboard for that connection.