In addition to the Normalized User Profile information, you can use metadata to store information that does not originate from an identity provider, or that overrides what an identity provider supplies.

There are three types of data typically stored in the app_metadata field:

  • Permissions: privileges granted to certain users allowing them rights within the application that others do not have.
  • Plan information: settings that cannot be changed by the user without confirmation from someone with the appropriate authority.
  • External IDs: identifying information used to associate users with external accounts.

Auth0 distinguishes between two types of metadata used to store specific kinds of information:

  • User metadata: stores user attributes such as preferences that do not impact a user's core functionality. Logged-in users can edit their data stored in user_metadata if you build a form for them using the Management API PATCH endpoint with the scope update:current_user_metadata.
  • App metadata: stores information (such as support plan subscriptions, security roles, or access control groups) that can impact a user's core functionality, such as how an application functions or what the user can access. Data stored in app_metadata cannot be edited by users. See App metadata restrictions for what cannot be stored in this field.

Data unrelated to user authentication should always be stored in an external database and not in the user profile metadata.

In the following example, the user has this metadata stored with their profile.

    {
        "emails": "",
        "user_metadata": {
            "hobby": "surfing"
        },
        "app_metadata": {
            "plan": "full"
        }
    }

Given the example metadata above, within a Rule or via a call to the Management API, you could reference specific items from the data set as follows:

    // Each comment shows the value from the sample profile above
    console.log(user.emails); // ""
    console.log(user.user_metadata.hobby); // "surfing"
    console.log(user.app_metadata.plan); // "full"
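
One way to enforce the user_metadata / app_metadata split on your own backend, using the sample fields above. This is an added example, not Auth0's code: the function names, the allowlist and the 100-character limit are assumptions. It builds the body for a self-service profile update from untrusted form input and reads the plan for authorization from app_metadata only.

```javascript
// Assumed allowlist: the only user_metadata keys a user may edit themselves.
const EDITABLE_USER_METADATA_KEYS = new Set(["hobby", "language"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Hypothetical helper: turn untrusted form input into a PATCH body that can
// only touch allowlisted user_metadata keys. Anything else (app_metadata,
// root attributes, unknown keys) is rejected instead of silently dropped,
// so tampering attempts surface in error logs.
function buildSelfServicePatch(untrusted) {
  if (!isPlainObject(untrusted)) {
    throw new TypeError("request body must be a JSON object");
  }
  const illegal = Object.keys(untrusted).filter((k) => k !== "user_metadata");
  if (illegal.length > 0) {
    throw new Error("fields not editable by the user: " + illegal.join(", "));
  }
  if (!isPlainObject(untrusted.user_metadata)) {
    throw new TypeError("user_metadata must be a JSON object");
  }
  const clean = {};
  for (const [key, value] of Object.entries(untrusted.user_metadata)) {
    if (!EDITABLE_USER_METADATA_KEYS.has(key)) {
      throw new Error("user_metadata key not allowed: " + key);
    }
    if (typeof value !== "string" || value.length > 100) {
      throw new Error("invalid value for user_metadata." + key);
    }
    clean[key] = value;
  }
  return { user_metadata: clean };
}

// Hypothetical helper: authorization reads app_metadata only. A "plan" value
// planted in user_metadata is never consulted.
function planOf(user) {
  const plan = user && user.app_metadata && user.app_metadata.plan;
  return typeof plan === "string" ? plan : "none";
}
```
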

Rather than storing profile-related information in user_metadata, you can edit these user attributes on the normalized user profile. If you want to be able to edit these attributes, you must configure your connection sync with Auth0 so that user attributes will be updated from the identity provider only on user profile creation. Root attributes will then be available to be edited individually or by bulk import using the Management API.
