Manage User Metadata with the post-login Action Trigger

Auth0 provides a rich system for storing metadata on the Auth0 user profile. You can configure a post-login trigger to modify user_metadata and app_metadata as part of a user’s login flow. Post-login triggers are useful for tasks such as storing application-specific data on the user profile, capturing user operation logs, mapping SAML attributes to the metadata field, or caching expensive operation values on the User profile for re-used in future logins.

The post-login api object provides common operations that can be performed in this trigger. To manage user metadata, we want to use the api.user.setAppMetadata and api.user.setUserMetadata methods. For example, to guard against some behavior running more than once for a specific user, consider an Action that looks like this:

exports.onExecutePostLogin = async (event, api) => {
  if (event.user.app_metadata.didAnExpensiveTask) {
    console.log(`Skipping the expensive task because it already occurred for ${}.`);
  // do and expensive task
  api.user.setAppMetadata("didAnExpensiveTask", true);

Was this helpful?


Here, we added a check at the start of the Action to see if we have already performed the expensive task for this user. If the metadata field exists, then we return from the function.

At the end of the Action, we call api.user.setAppMetadata to signal that we would like to store some metadata on the user object. At the end of each trigger’s execution, Actions will update the user profile as a single operation. If several calls are made to setUserMetadata actions, even if they are made in different actions as part of the same flow, Actions will only update the user profile a single time--at the end of the trigger’s execution.

Best practices

Beware of storing too much data in the Auth0 profile. This data is intended to be used for authentication and authorization purposes, and users can edit their own user_metadata field, so don't store sensitive data in it. The metadata and search capabilities of Auth0 are not designed for marketing research or anything else that requires heavy search or update frequency. Your system is likely to run into scalability and performance issues if you use Auth0 for this purpose. A better approach is to store data in an external system and store a pointer (the user ID) in Auth0 so that backend systems can fetch the data if needed.

Rate limits

Even though a single call is made to update the user profile, that operation is still subject to your tenant’s "Write User" rate limits. If the Rate Limit is hit when attempting to update metadata, Actions will retry the request as long as a 429 HTTP status code is returned. The delay between retries is governed by the value of the X-RateLimit-Reset header returned as part of the 429 response.


In the event of a Redirect invoked with api.redirect.sendUserTo(), any pending user or app metadata updates will be applied to the user profile before the user is redirected to the external site. To learn more, see Redirecting With Actions.

Learn more