Metadata
In addition to the Normalized User Profile information, you can use metadata to store information that does not originate from an identity provider, or that overrides what an identity provider supplies.
There are three types of data typically stored in the app_metadata field:
Permissions: privileges granted to certain users allowing them rights within the application that others do not have.
Plan information: settings that cannot be changed by the user without confirmation from someone with the appropriate authority.
External IDs: identifying information used to associate users with external accounts.
Auth0 distinguishes between two types of metadata used to store specific kinds of information:
User metadata: stores user attributes such as preferences that do not impact a user's core functionality. Logged-in users can edit their data stored in user_metadata if you build a form for them using the Management API Patch endpoint with the scope update:current_user_metadata.
App metadata: stores information (such as support plan subscriptions, security roles, or access control groups) that can impact a user's core functionality, such as how an application functions or what the user can access. Data stored in app_metadata cannot be edited by users. See App metadata restrictions for what cannot be stored in this field.
Data unrelated to user authentication should always be stored in an external database and not in the user profile metadata.
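The following is an added example, not code from Auth0: one way a backend could turn a self-service profile form into a Patch request body that touches only user_metadata, so a submitted app_metadata key never reaches the Management API. The field names in EDITABLE_FIELDS and the sample user ID are assumptions made for illustration.

```javascript
// Allow-list of user_metadata keys the form may set (hypothetical field names).
// Each entry maps a key to a validator for its value.
const EDITABLE_FIELDS = {
  theme: (v) => ["light", "dark"].includes(v),
  language: (v) => typeof v === "string" && /^[a-z]{2}(-[A-Z]{2})?$/.test(v),
  newsletter: (v) => typeof v === "boolean",
};

// sessionUserId must come from the validated session or token, never from the
// form, so a user can only patch their own profile.
function buildUserMetadataPatch(sessionUserId, form) {
  if (typeof sessionUserId !== "string" || sessionUserId === "") {
    throw new Error("missing authenticated user id");
  }
  if (form === null || typeof form !== "object" || Array.isArray(form)) {
    throw new Error("form must be an object");
  }
  const userMetadata = {};
  for (const key of Object.keys(form)) {
    // hasOwnProperty rejects app_metadata, root attributes, and keys such as
    // "__proto__" or "constructor" that are not in the allow-list.
    const allowed = Object.prototype.hasOwnProperty.call(EDITABLE_FIELDS, key);
    if (!allowed) throw new Error(`field not editable: ${key}`);
    if (!EDITABLE_FIELDS[key](form[key])) {
      throw new Error(`invalid value for: ${key}`);
    }
    userMetadata[key] = form[key];
  }
  // Only user_metadata is ever placed in the body; app_metadata stays
  // writable by trusted backend code alone.
  return {
    method: "PATCH",
    path: `/api/v2/users/${encodeURIComponent(sessionUserId)}`,
    body: { user_metadata: userMetadata },
  };
}

// Constructed sample input: a preferences form from a logged-in user.
const sample = buildUserMetadataPatch("auth0|abc123", {
  theme: "dark",
  newsletter: true,
});
console.log(sample.path, JSON.stringify(sample.body));
```
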
Configure connection sync
Rather than storing profile-related information in user metadata, you can edit these user attributes on the normalized user profile. Configure connection sync so that user attributes are updated by the identity provider only on user profile creation. Root attributes will then be available to be edited individually or by bulk import.