Session metadata allows the storage of customizable keys and values (maximum 255 characters each) in an Auth0 user session. Use cases for session metadata include:
  • Track device information, such as device name or login location
  • Store session-level flags, for example, user_accepted_terms
  • Share state between multiple Actions in the same flow
  • Drive conditional logic for logout or token issuance
You can use session metadata information in downstream systems such as audit, analytics, and revocation pipelines that may need to be aware of a user’s organization data. To learn more, read Use case: Organization Information in Session Metadata. You can access and modify session metadata during a session’s lifecycle using Auth0 Actions and the Management API. In addition, you can include session metadata in the OpenID Connect Back-Channel Logout token. To learn more, read how to Configure Session Metadata.
Auth0 Session Metadata is not a secure data store and should not be used to store sensitive information. This includes secrets and high-risk PII such as social security numbers or credit card numbers. Auth0 customers are strongly encouraged to evaluate the data stored in metadata and only store that which is necessary for identity and access management purposes. To learn more, read Auth0 General Data Protection Regulation Compliance.
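A pre-write check for the constraints above, as an added example that is not Auth0's code: the hypothetical helper `checkMetadataEntry` enforces the 255-character limit and flags values that look like social security or payment card numbers. It assumes string values; the patterns and the key-name deny-list are illustrative assumptions, not an Auth0 feature.

```javascript
// Added example: hypothetical guard to run before writing a session metadata entry.
const MAX_LEN = 255; // per-key and per-value limit stated on this page

// Luhn checksum: true for digit strings that are plausible payment card numbers.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Returns a list of problems; an empty list means the entry is acceptable.
function checkMetadataEntry(key, value) {
  const problems = [];
  if (typeof key !== 'string' || key.length === 0) return ['key must be a non-empty string'];
  if (typeof value !== 'string') return ['value must be a string']; // assumption: string values
  if (key.length > MAX_LEN) problems.push('key exceeds 255 characters');
  if (value.length > MAX_LEN) problems.push('value exceeds 255 characters');

  // US social security number written as 3-2-4 digit groups.
  if (/\b\d{3}-\d{2}-\d{4}\b/.test(value)) {
    problems.push('value looks like a social security number');
  }

  // Runs of 13 to 19 digits (spaces or dashes allowed) that pass the Luhn check.
  for (const run of value.match(/\d(?:[ -]?\d){12,18}/g) || []) {
    if (luhnValid(run.replace(/[ -]/g, ''))) {
      problems.push('value looks like a payment card number');
      break;
    }
  }

  // Key names that suggest a credential (constructed deny-list).
  if (/secret|password|token|api[_-]?key/i.test(key)) {
    problems.push('key name suggests a secret');
  }
  return problems;
}
```

Pattern checks like these catch accidental writes only; deciding which fields belong in session metadata remains a design-time review.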

Limitations

  • Session metadata is available only when created in a browser-based session
  • Auth0 does not support session metadata with the following:
    • Resource Owner Password Flow
    • Native Passkeys
    • Native Social Logins such as Sign in with Apple, Google, or Facebook