Rules Anatomy Best Practices
The End of Life (EOL) date of Rules and Hooks will be November 18, 2024, and they are no longer available to new tenants created as of October 16, 2023. Existing tenants with active Hooks will retain Hooks product access through end of life.
We highly recommend that you use Actions to extend Auth0. With Actions, you have access to rich type information, inline documentation, and public npm packages, and can connect external integrations that enhance your overall extensibility experience. To learn more about what Actions offer, read Understand How Auth0 Actions Work.
To help with your migration, we offer guides that will help you migrate from Rules to Actions and migrate from Hooks to Actions. We also have a dedicated Move to Actions page that highlights feature comparisons, an Actions demo, and other resources to help you on your migration journey.
To read more about the Rules and Hooks deprecation, read our blog post: Preparing for Rules and Hooks End of Life.
A rule is essentially an anonymous JavaScript function that is passed three parameters: a user object, a context object, and a callback function.
function (user, context, callback) {
// TODO: implement your rule
return callback(null, user, context);
}Was this helpful?
Do not add a trailing semicolon at the end of the function declaration as this will break rule execution.
Anonymous functions make it hard to interpret the call-stack generated as a result of any exceptional error condition. For convenience, use compact and unique naming conventions to assist with diagnostic analysis (e.g., function MyRule1 (user, context, callback) {...}). To learn more, read Error Handling Best Practices.
Rules execute in the pipeline associated with the generation of artifacts for authenticity that forms part of the overall Auth0 engine. When a pipeline is executed, all enabled rules are packaged together in the order in which they are listed and sent as one code blob to be executed as an Auth0 serverless Webtask. To see the entire Auth0 engine, download Inside the Auth0 Engine.
Size
We recommend that the total size of implementation for all enabled rules should not exceed 100 kB. The larger the size, the more latency is introduced due to the packaging and transport process employed by the Auth0 serverless Webtask platform, and this will have an impact on the performance of your system. Note that the 100 kB limit does not include any npm modules that may be referenced as part of any require statements.
Order
The order in which rules are displayed in the Auth0 Dashboard dictates the order in which the rules will be executed. This is important because one rule may make one or more definitions within the environment associated with execution that another rule may depend upon. In this case, the rule making the definition(s) should execute before the rule that makes use of it. To learn more, read Rules Environment Best Practices.
Run expensive rules that call APIs (including the Auth0 Management API) as late as possible. If you have other, less expensive rules that could cause an unauthorized access determination, then you should run these first.