User Object in Rules

The user object represents the logged in user, returned by the identity provider.

Properties of the user object

The following properties are available for the user object.

Property Data Type Description
user.app_metadata object Custom fields that store info about a user that influences the user's access, such as support plan, security roles, or access control groups. For more info, see Metadata.
user.created_at date time Timestamp indicating when the user profile was first created. text (unique) The user's email address.
user.email_verified boolean Indicates whether the user has verified their email address.
user.family_name text The user's family name.
user.given_name text The user's given name.
user.identities array (object)

Contains info retrieved from the identity provider with which the user originally authenticates. Users may also link their profile to multiple identity providers; those identities will then also appear in this array. The contents of an individual identity provider object varies by provider, but it will typically include the following:

  • connection (text): Name of the Auth0 connection used to authenticate the user.
  • isSocial (boolean): Indicates whether the connection is a social one.
  • provider (text): Name of the entity that is authenticating the user, such as Facebook, Google, SAML, or your own provider.
  • .user_id (text): User's unique identifier for this connection/provider.
  • .profileData (object): User info associated with the connection. When profiles are linked, it is populated with the associated user info for secondary accounts.

In some cases, it will also include an API Access Token to be used with the provider.

user.last_password_reset date time Timestamp indicating the last time the user's password was reset/changed. At user creation, this field does not exist.
user.multifactor array (text) List of multi-factor authentication (MFA) providers with which the user is enrolled. This array is updated when the user logs in with MFA successfully for the first time, and is not updated when enrollment is completed or when an administrator resets a user's MFA. text The user's full name.
user.nickname text The user's nickname.
user.permissions text The permissions assigned to the user's ID token
user.phone_number text The user's phone number. Only valid for users with SMS connections.
user.phone_verified boolean Indicates whether the user has been verified their phone number. Only valid for users with SMS connections.
user.picture text URL pointing to the user's profile picture.
user.updated_at date time Timestamp indicating when the user's profile was last updated/modified. Changes to last_login are considered updates, so most of the time, updated_at will match last_login.
user.user_id text (unique) The user's unique identifier.
user.user_metadata object Custom fields that store info about a user that does not impact what they can or cannot access, such as work address, home address, or user preferences. For more info, see Metadata.
user.username text (unique) The user's username.

The user object with Delegation flows

However, if you execute the rule in the context of a call made to the delegation endpoint, the user object will also include the original JSON Web Token (JWT) claims:

  "name": "FirstName LastName",
  "email": "",
  "iss": "",
  "sub": "auth0|user_id",
  "aud": "<audience id for my auth0 app>",
  "iat": 1566405149,
  "exp": 1566441149,
  "persistent": {}