Please note that rules also run during the token refresh flow.
Authentication transaction flow
An app initiates an authentication request to Auth0.
Auth0 routes the request to an Identity Provider through a configured connection.
The user authenticates successfully.
The ID Token and/or Access Token is passed through the Rules pipeline, then sent to the app.
What can I use Rules for?
Among many possibilities, rules can be used to:
Enrich user profiles: query for information on the user from a database/API, and add it to the user profile object.
Normalize attributes from different providers beyond what is provided by Auth0.
Reuse information from existing databases or APIs for migration scenarios.
Keep a white-list of users and deny access based on email.
Notify other systems through an API when a login happens in real-time.
Enable counters or persist other information. For information on storing user data, see: Metadata in Rules.
Modify tokens: Change the returned scopes of the Access Token and/or add claims to it, and to the ID Token.
In the Dashboard, you can find example templates to help you get started with Rules under Rules > Create Rule. The examples help you with things like MFA, external webhooks, enriching profile information, altering the authentication process, and more. You can use these templates as a starting point, then customizing them to suit your specific needs.
How to Handle Rate Limits when calling Auth0 APIs
For rules that call Auth0 APIs, you should always handle rate limiting by checking the X-RateLimit-Remaining header and acting appropriately when the number returned nears 0. You should also add logic to handle cases in which you exceed the provided rate limits and receive the HTTP Status Code 429 (Too Many Requests); in this case, if a re-try is needed, it is best to allow for a back-off to avoid going into an infinite re-try loop. For more information about rate limits, see Rate Limit Policy For Auth0 APIs.