Auth0 session and refresh token metadata provide a way to attach ephemeral, instance-specific key-value pairs to authentication artifacts without polluting the global user profile. Session metadata suits browser-based SSO flows and supports use cases like TLS/JA3/JA4 device fingerprinting and real-time risk flagging via the Management API. Refresh token metadata is better suited for native and mobile apps, enabling persistent context like referral attribution, language preferences, and friendly device names across token rotations. Both can be set via Post-Login Actions or updated out-of-band through the Management API. The guide also covers what not to store (secrets, PII, large objects) and how to choose between transaction, session, refresh token, and user profile metadata depending on data lifetime and scope. This feature is available on Auth0 Enterprise Plans.
Table of contents

The Challenge of Contextual Identity
Implementing Session Metadata for Web Applications
Leveraging Refresh Token Metadata for Native and Mobile Apps
What Never to Store in Metadata
Choose the Right Tool for the Job
Ready to Build? Here Is Your Get-Started Checklist
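As an added example (not code from the Auth0 guide), here is a Post-Login Action that routes short-lived, per-login signals to session metadata for browser SSO and durable device context to refresh token metadata for native apps, while refusing entries the guide says never to store. The Actions calls `api.session.setMetadata` and `api.refreshToken.setMetadata`, the size cap, the denied-key patterns, the `platform` client metadata flag and the risk heuristic are all assumptions made for this example.

```javascript
// Added example, not the guide's own code. Assumed: api.session.setMetadata and
// api.refreshToken.setMetadata exist in the Auth0 Actions API; the size cap,
// key patterns and the "platform" client metadata flag are made up here.
const MAX_VALUE_BYTES = 256;                                 // assumed per-value cap
const DENIED_KEY = /secret|password|token|ssn|email|phone/i; // assumed secret/PII markers

// Returns a reason when an entry breaks the rules, null when it is acceptable.
function checkMetadataEntry(key, value) {
  if (typeof value !== "string") return "value must be a string";
  if (DENIED_KEY.test(key)) return `key "${key}" looks like a secret or PII`;
  if (new TextEncoder().encode(value).length > MAX_VALUE_BYTES) return "value exceeds size cap";
  return null;
}

// FNV-1a label for the user agent so the raw string is not stored (not a security control).
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (const ch of str) { h ^= ch.codePointAt(0); h = Math.imul(h, 0x01000193) >>> 0; }
  return h.toString(16).padStart(8, "0");
}

// Session scope: short-lived, per-login signals for a browser SSO session.
function sessionEntries(event) {
  const ua = event.request?.user_agent ?? "";
  return { ua_hash: fnv1a(ua), risk_flag: /curl|python-requests/i.test(ua) ? "review" : "none" }; // constructed heuristic
}

// Refresh token scope: device context that must survive token rotation (native/mobile).
function refreshTokenEntries(event) {
  const q = event.request?.query ?? {};
  return { device_name: q.device_name ?? "unnamed device", referral: q.ref ?? "direct", ui_locale: q.ui_locales ?? "en" };
}

// Chooses the scope and filters entries; synchronous so it can be tested without a tenant.
function planMetadata(event) {
  const isNative = event.client?.metadata?.platform === "native"; // assumed custom client metadata flag
  const target = isNative ? "refreshToken" : "session";
  const accepted = {}, rejected = {};
  for (const [k, v] of Object.entries(isNative ? refreshTokenEntries(event) : sessionEntries(event))) {
    const problem = checkMetadataEntry(k, v);
    if (problem) rejected[k] = problem; else accepted[k] = v;
  }
  return { target, accepted, rejected };
}

// Auth0 Post-Login Action entry point; api[target].setMetadata is the assumed Actions API call.
async function onExecutePostLogin(event, api) {
  const { target, accepted } = planMetadata(event);
  for (const [k, v] of Object.entries(accepted)) api[target].setMetadata(k, v);
}
```

Rejected entries are returned from `planMetadata` so an Action can log them instead of silently dropping context.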