Blacklisting User Attributes

In the event that there are user fields that should not be stored by Auth0 due to privacy reasons, you can blacklist the attributes you do not want persisting in Auth0 databases.

Blacklisting Attributes via the Management API

You may blacklist selected attributes by making a PATCH /api/v2/connections/{id} call to the Management API.

To assist you in creating the appropriate request, you may use the Update a Connection section of the APIv2 Explorer Page.

Prior to beginning, please ensure that you are logged in to an account that is permitted to make changes to your Auth0 configuration. This will allow the API Explorer to dynamically generate the required API token with the necessary API Key and Secret.

Making a Test Call or Generating the cURL Command via the API Explorer Page

  1. Under Scopes, click on "update:connections" to add the scope required for this particular endpoint to the API token.
  2. Populate the id field with ID of the connection you would like to update.
  3. Populate the body field with the JSON snippet that contains the information that will be used to update your configuration.
  4. Click on "TRY" to get a test response to your input.
  5. If you are satisfied with the results of your test call to the API, click "get curl command" to get the constructed call.

Sample cURL command:

curl -H "Authorization: Bearer YOUR_TOKEN" -X PATCH  -H "Content-Type: application/json" -d '{REQUEST BODY}' https://YOUR_AUTH0_DOMAIN/api/v2/tenants/settings

When updating the JSON that will be included in the body, please note that the fields you would like to blacklist are included in options:

  "options": {
    "non_persistent_attrs": ["", ""]
  "enabled_clients": [

HTTP Request:

curl --request PATCH \
  --url 'https://YOUR_AUTH0_DOMAIN/api/v2/tenants/settings' \
  --header 'authorization: Bearer YOUR_TOKEN' \
  --data '{"options": {"non_persistent_attrs": ["", ""]}", "enabled_clients": [""]}'
var client = new RestClient("https://YOUR_AUTH0_DOMAIN/api/v2/tenants/settings");
var request = new RestRequest(Method.PATCH);
request.AddHeader("authorization", "Bearer YOUR_TOKEN");
request.AddParameter("undefined", "{\"options\": {\"non_persistent_attrs\": [\"\", \"\"]}\", \"enabled_clients\": [\"\"]}", ParameterType.RequestBody);
IRestResponse response = client.Execute(request);
package main

import (

func main() {

	url := "https://YOUR_AUTH0_DOMAIN/api/v2/tenants/settings"

	payload := strings.NewReader("{\"options\": {\"non_persistent_attrs\": [\"\", \"\"]}\", \"enabled_clients\": [\"\"]}")

	req, _ := http.NewRequest("PATCH", url, payload)

	req.Header.Add("authorization", "Bearer YOUR_TOKEN")

	res, _ := http.DefaultClient.Do(req)

	defer res.Body.Close()
	body, _ := ioutil.ReadAll(res.Body)


HttpResponse<String> response = Unirest.patch("https://YOUR_AUTH0_DOMAIN/api/v2/tenants/settings")
  .header("authorization", "Bearer YOUR_TOKEN")
  .body("{\"options\": {\"non_persistent_attrs\": [\"\", \"\"]}\", \"enabled_clients\": [\"\"]}")
var settings = {
  "async": true,
  "crossDomain": true,
  "url": "https://YOUR_AUTH0_DOMAIN/api/v2/tenants/settings",
  "method": "PATCH",
  "headers": {
    "authorization": "Bearer YOUR_TOKEN"
  "data": "{\"options\": {\"non_persistent_attrs\": [\"\", \"\"]}\", \"enabled_clients\": [\"\"]}"

$.ajax(settings).done(function (response) {
var request = require("request");

var options = { method: 'PATCH',
  url: 'https://YOUR_AUTH0_DOMAIN/api/v2/tenants/settings',
  headers: { authorization: 'Bearer YOUR_TOKEN' },
  body: '{"options": {"non_persistent_attrs": ["", ""]}", "enabled_clients": [""]}' };

request(options, function (error, response, body) {
  if (error) throw new Error(error);

#import <Foundation/Foundation.h>

NSDictionary *headers = @{ @"authorization": @"Bearer YOUR_TOKEN" };

NSData *postData = [[NSData alloc] initWithData:[@"{"options": {"non_persistent_attrs": ["", ""]}", "enabled_clients": [""]}" dataUsingEncoding:NSUTF8StringEncoding]];

NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://YOUR_AUTH0_DOMAIN/api/v2/tenants/settings"]
[request setHTTPMethod:@"PATCH"];
[request setAllHTTPHeaderFields:headers];
[request setHTTPBody:postData];

NSURLSession *session = [NSURLSession sharedSession];
NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request
                                            completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
                                                if (error) {
                                                    NSLog(@"%@", error);
                                                } else {
                                                    NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response;
                                                    NSLog(@"%@", httpResponse);
[dataTask resume];
$curl = curl_init();

curl_setopt_array($curl, array(
  CURLOPT_URL => "https://YOUR_AUTH0_DOMAIN/api/v2/tenants/settings",
  CURLOPT_POSTFIELDS => "{\"options\": {\"non_persistent_attrs\": [\"\", \"\"]}\", \"enabled_clients\": [\"\"]}",
    "authorization: Bearer YOUR_TOKEN"

$response = curl_exec($curl);
$err = curl_error($curl);


if ($err) {
  echo "cURL Error #:" . $err;
} else {
  echo $response;
import http.client

conn = http.client.HTTPSConnection("")

payload = "{\"options\": {\"non_persistent_attrs\": [\"\", \"\"]}\", \"enabled_clients\": [\"\"]}"

headers = { 'authorization': "Bearer YOUR_TOKEN" }

conn.request("PATCH", "/YOUR_AUTH0_DOMAIN/api/v2/tenants/settings", payload, headers)

res = conn.getresponse()
data =

require 'uri'
require 'net/http'

url = URI("https://YOUR_AUTH0_DOMAIN/api/v2/tenants/settings")

http =, url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE

request =
request["authorization"] = 'Bearer YOUR_TOKEN'
request.body = "{\"options\": {\"non_persistent_attrs\": [\"\", \"\"]}\", \"enabled_clients\": [\"\"]}"

response = http.request(request)
puts response.read_body
import Foundation

let headers = ["authorization": "Bearer YOUR_TOKEN"]

let postData = NSData(data: "{"options": {"non_persistent_attrs": ["", ""]}", "enabled_clients": [""]}".dataUsingEncoding(NSUTF8StringEncoding)!)

var request = NSMutableURLRequest(URL: NSURL(string: "https://YOUR_AUTH0_DOMAIN/api/v2/tenants/settings")!,
                                        cachePolicy: .UseProtocolCachePolicy,
                                    timeoutInterval: 10.0)
request.HTTPMethod = "PATCH"
request.allHTTPHeaderFields = headers
request.HTTPBody = postData

let session = NSURLSession.sharedSession()
let dataTask = session.dataTaskWithRequest(request, completionHandler: { (data, response, error) -> Void in
  if (error != nil) {
  } else {
    let httpResponse = response as? NSHTTPURLResponse



Only root fields (e.g. or may be blacklisted.

When you blacklist attributes, they will be still be available via:

  • rules;
  • outgoing tokens.

However, if any of the following apply, the blacklist attributes will not be included in tokens:

  • You have enabled multifactor authentication;
  • You have performed a redirect via rules;
  • Your app is using delegation (and you haven't set scope = passthrough);
  • Your app is using impersonation;
  • You have enabled the Use Auth0 instead of the IdP to do Single Sign On setting.

For SAMLP connections, if you enable 'Debug' mode, your logs will contain information on the blacklisted attributes.

Working with the Limitations

If any of the above limitations regarding blacklisted attributes are unacceptable, you may write a rule to encrypt the data and have the data persist the user.app_metadata object.