User Profile Structure

There are several components to the User Profile data structure in Auth0. This structure can be viewed by clicking on the Users tab in the Auth0 Dashboard and then on a particular user.

The Details consists of core User Profile object with basic information such as name, email, and the timestamp of the latest login. The core User Profile object may contain additional attributes from its source Connection, in addition to the normalized Auth0 User Profile attributes.

The User Profile object also has two metadata sub-objects, one called user_metadata and the other app_metadata. The metadata objects can be used to store additional User Profile information. The user_metadata object should be used to store user attributes, such as user preferences, that don't impact what a user can access. The app_metadata object should be used for user attributes, such as a support plan, security roles, or access control groups, which can impact how an application functions and/or what the user can access. Learn more about when to use app_metadata vs user_metadata.

User Metadata Best Practices

  • Both app_metadata and user_metadata are limited to a size of 16mb each. However, we recommend against using these properties like a database. They should be used for identity related information. Additionally, at some point we may put a more strict size limit on these properties. Please also be aware that using Rules and/or the Management Dashboard may further limit the amount of metadata you can store.

  • An authenticated user can perform actions that modify data in their profile's user_metadata, but they can't do anything that modifies their app_metadata.

  • Use a consistent datatype each time you create or update a given metadata field. Using user.user_metadata.age = "23" for one user and user.user_metadata.age = 23 for another user will cause issues when retrieving the data.


The Identity Provider Attributes section contains information retrieved from the authentication provider (such as Facebook, Twitter, Google, SAML, your own provider, and so on). This section always contains at least one identity provider, and it is the one the user originally authenticated against. This data is read-only.

Auth0 also supports the ability for users to link their profile to multiple identity providers, and when they do, those additional identities show up in this array. The contents of an individual identity provider object varies by provider, but it will typically include a user identifier, the name of the provider, the name of the connection set up in Auth0 for that provider, whether it is a social provider, and in some cases an API Access Token that can be used with that provider. The following attributes are available on the user profile:

Name Data Type Description
app_metadata object Custom fields that store info about a user that influences the user's access. For more info, see Metadata Overview.
blocked boolean The true/false value indicating if the user has been blocked.
created_at date time The timestamp of when the user profile was first created.
email text (unique) The user's email address.
email_verified boolean The true/false value indicating if the user has verified their email address.
identities array (object)

Array of user identity objects. Each identity object has these properties:

  • connection (text): Connection used to authenticate the user.
  • isSocial (boolean): Value (true/false) indicating if the connection is a social one or not.
  • provider (text): Entity that is authenticating the user (such as Facebook, Twitter, and so on).
  • user_id (text): User's unique identifier for this connection/provider.
multifactor text The list of multi-factor providers in which the user is enrolled.
last_ip text The IP address associated with the user's last login.
last_login date time The timestamp of when the user last logged in. If you are using this property from inside a Rule using the user object, its value will be associated with the login that triggered the rule (since rules execute after the actual login).
logins_count integer The number of times the user has logged in. If a user is blocked and logs in, the blocked session is counted in logins_count and updates the last_login value.
name text The user's name.
nickname text The user's nickname.
last_password_reset date time The last time the password was reset/changed.
password_set_date date time The date when the user's password was set. At user creation, this field exists, but last_password_reset does not. If the user has reset their password, this field and last_password_reset are identical.
phone_number text The user's phone number. Only valid for users with SMS connections.
phone_verified boolean The true/false value indicating whether the user's phone number has been verified. Only valid for users with SMS connections.
picture text URL pointing to the user's profile picture.
updated_at date time The timestamp of when the user's profile was last updated/modified.
user_id text (unique) The user's identifier.
user_metadata object Custom fields that store info about a user that does not impact what they can or cannot access (such as work and home address). For more info, see Metadata Overview.
username text (unique) The user's username.

Most user profile fields are not returned as part of ID Token, nor are they included in the response from the /userinfo endpoint of the Authentication API. To retrieve user datails from these fields you will need to utilize one of the User endpoints of the Management API. For more information on the endpoints you can use to retrieve users, see User Search Best Practices.

Blacklist user attributes

If there are user fields that should not be stored by Auth0 due to privacy reasons, you can blacklist the attributes you do not want persisting in Auth0 databases. For details, see Blacklist User Attributes.

Keep reading