Blacklist User Attributes
If there are user fields that should not be stored in Auth0 databases due to privacy reasons, you can blacklist them.
Use the Management API
To blacklist attributes, make a PATCH call to the Update Connection endpoint of the Management API.
Step 1. Get a token
First, you need a valid Access Token to access that endpoint. The token must include the
For detailed steps on how to get one, see Access Tokens for the Management API.
Step 2. Call the API
Once you have the token (and the list of attributes to be blacklisted), you are ready to call the API.
Here is a sample HTTP request that blacklists two attributes:
YOUR_CONNECTION_ID is the ID of the connection for which these attributes will be blacklisted
YOUR_TOKEN is the Access Token you got in the previous step
options.non_persistent_attrs object holds an array of the attributes that will be blacklisted
- Only root fields (such as user.email) can be blacklisted
- When you blacklist attributes, they will still be available via rules and outgoing tokens. However, if any of the following apply, the blacklisted attributes will not be included in tokens:
  - You have enabled multi-factor authentication (MFA)
  - You have performed a redirect via rules
  - Your app is using delegation (and you haven't set scope = passthrough)
  - Your app is using impersonation
  - You have enabled the Use Auth0 instead of the IdP to do Single Sign-On setting
- For SAMLP connections, if you enable Debug mode, your logs will contain information on the blacklisted attributes
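One way to script the Step 2 call, as an added example rather than Auth0's own sample: it reads the connection first and sends back its full options with the blacklist merged in, because the Update Connection endpoint overwrites the whole options object with whatever the PATCH body contains. The function names, the `passwordPolicy` value and the attribute names are constructed for illustration, and treating any dotted name as a non-root field is an assumption.

```python
import json
import urllib.request


def merge_blacklist(current_options, attrs):
    """Build a PATCH body that adds attrs to options.non_persistent_attrs.

    All existing options are carried over, since the endpoint replaces the
    whole options object and anything left out would be dropped.
    """
    options = dict(current_options)
    merged = list(options.get("non_persistent_attrs", []))
    for name in attrs:
        # Only root fields can be blacklisted; a dotted path is assumed nested.
        if not name or "." in name:
            raise ValueError(f"not a root field: {name!r}")
        if name not in merged:
            merged.append(name)
    options["non_persistent_attrs"] = merged
    return {"options": options}


def _call(method, url, token, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def blacklist_attributes(domain, connection_id, token, attrs):
    """GET the connection, merge the blacklist, PATCH it back.

    The token must be allowed to read the connection as well as update it.
    """
    url = f"https://{domain}/api/v2/connections/{connection_id}"
    current = _call("GET", url, token)
    body = merge_blacklist(current.get("options", {}), attrs)
    return _call("PATCH", url, token, body)


if __name__ == "__main__":
    # Constructed sample options; no network call is made here.
    sample = {"passwordPolicy": "good", "non_persistent_attrs": ["gender"]}
    print(json.dumps(merge_blacklist(sample, ["ethnicity", "gender"]), indent=2))
```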
Working around the limitations
If any of these limitations are unacceptable, you can write a rule to encrypt the data and have the data persist to the