Refresh token metadata allows the storage of customizable keys and values (maximum 255 characters each) in an Auth0 refresh token. Use cases for refresh token metadata include:Documentation Index
Fetch the complete documentation index at: https://docs-staging.auth0-mintlify.app/llms.txt
Use this file to discover all available pages before exploring further.
- Track device information, such as device name or login location
- Store token-level flags, for example,
user_accepted_termsorsession_type - Share state between multiple Actions in the same flow
- Drive conditional logic for token issuance or revocation
- Audit and analytics pipelines that need to be aware of user context data
Supported flows
You can set refresh token metadata using Post-Login Actions with the following OAuth 2.0 flows:- Authorization Code Flow
- Resource Owner Password Grant
- Device Authorization Grant
- Federated Connection Flows
- Client-Initiated Backchannel Authentication (CIBA)
- Native Passkeys
- Refresh Token Exchange
You can set refresh token metadata during any of the supported flows above. However, existing metadata is only available to read via the
event.refresh_token.metadata object during refresh token exchange scenarios where event.refresh_token exists. At the initial login, event.refresh_token does not exist, so you can only set metadata—not read it. During a refresh token exchange, you can both read existing metadata and set new values.Limitations
- Refresh token metadata is limited to 25 entries maximum
- Each key and value must be 255 characters or less
- Metadata keys may only include letters, numbers, underscores, or hyphens