Blacklist User Attributes

If there are user fields that should not be stored in Auth0 databases due to privacy reasons, you can blacklist them.

Use the Management API

To blacklist attributes, make a PATCH call to the Update Connection endpoint of the Management API.

Step 1. Get a token

First, you need a valid Access Token to access that endpoint. The token must include the update:connections scope.

For detailed steps on how to get one, see Access Tokens for the Management API.

Step 2. Call the API

Once you have the token (and the list of attributes to be blacklisted), you are ready to call the API.

Here is a sample HTTP request that blacklists two attributes: ethnicity and gender.

Where:

  • YOUR_CONNECTION_ID is the ID of the connection for which these attributes will be blacklisted
  • YOUR_TOKEN is the Access Token you got in the previous step
  • The options.non_persistent_attrs object holds an array of the attributes that will be blacklisted
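The request described above, written out as an added example (this is not Auth0's own sample code). It assumes the Update Connection endpoint path /api/v2/connections/{id}, a Node 18+ runtime with a global fetch, and the placeholders YOUR_DOMAIN, YOUR_CONNECTION_ID and YOUR_TOKEN, which you replace with your tenant domain, the connection ID and the token from Step 1. Because only root fields can be blacklisted, the builder rejects dotted or indexed names before anything is sent, and it accepts an already-fetched options object to merge into so that settings on the connection are re-sent with the new non_persistent_attrs rather than dropped.

```javascript
// Added example (not Auth0's code): build and send the PATCH to the
// Update Connection endpoint that sets options.non_persistent_attrs.
// Assumes endpoint path /api/v2/connections/{id} and Node 18+ (global fetch).

// Only root fields (user.name, user.email, ...) can be blacklisted, so refuse
// anything that looks like a nested path before the request is built.
function assertRootFields(attrs) {
  if (!Array.isArray(attrs) || attrs.length === 0) {
    throw new Error('attrs must be a non-empty array of root field names');
  }
  for (const a of attrs) {
    if (typeof a !== 'string' || a.trim() === '' || a.includes('.') || a.includes('[')) {
      throw new Error(`not a root field name: ${JSON.stringify(a)}`);
    }
  }
}

// Returns the request as plain data so it can be inspected (or logged with the
// token redacted) before it is sent. existingOptions is the connection's
// current options object, if you fetched it, so nothing else gets lost.
function buildBlacklistRequest(domain, connectionId, token, attrs, existingOptions = {}) {
  assertRootFields(attrs);
  return {
    method: 'PATCH',
    url: `https://${domain}/api/v2/connections/${encodeURIComponent(connectionId)}`,
    headers: {
      // The token must carry the update:connections scope (Step 1).
      'Authorization': `Bearer ${token}`,
      'Content-Type': 'application/json',
    },
    body: JSON.stringify({
      options: Object.assign({}, existingOptions, { non_persistent_attrs: attrs }),
    }),
  };
}

// Sends the built request and returns the updated connection object.
async function sendBlacklistRequest(req) {
  const res = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  if (!res.ok) {
    throw new Error(`Update Connection failed: HTTP ${res.status}`);
  }
  return res.json();
}

// Usage with the page's two attributes (placeholders, not executed here):
// const req = buildBlacklistRequest('YOUR_DOMAIN', 'YOUR_CONNECTION_ID', 'YOUR_TOKEN',
//                                   ['ethnicity', 'gender']);
// sendBlacklistRequest(req).then(conn => console.log(conn.options.non_persistent_attrs));
```

After the call, reading the connection back and confirming that options.non_persistent_attrs contains exactly the intended list is the check worth keeping in any script that automates this.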

Limitations

  • Only root fields (such as user.name or user.email) can be blacklisted
  • When you blacklist attributes, they will still be available via rules and outgoing tokens. However, if any of the following apply, the blacklisted attributes will not be included in tokens:
    • You have enabled multi-factor authentication (MFA)
    • You have performed a redirect via rules
    • Your app is using delegation (and you haven't set scope = passthrough)
    • Your app is using impersonation
    • You have enabled the Use Auth0 instead of the IdP to do Single Sign-On setting
  • For SAMLP connections, if you enable Debug mode, your logs will contain information on the blacklisted attributes

Working around the limitations

If any of these limitations are unacceptable, you can write a rule to encrypt the data and have the data persist to the user.app_metadata object.