- Details: Core User Profile object, which contains basic info, such as name, email, and timestamp of the user’s latest login, in pre-defined attributes. This object may also contain info from a user’s source connection. Most of the user attributes are root attributes (attributes stored at the first, or root, level of the
userobject), and some of these are editable. - Metadata: Two sub-objects that operate as secondary storage to store additional user info in customizable attributes:
user_metadataandapp_metadata. To learn more, including when to useapp_metadataanduser_metadata, read Understand How Metadata Works in User Profiles.
User profile attributes
The following attributes are available on the user profile. Many are root attributes (attributes stored at the first, or root, level of theuser object), and some may be updated, imported, and exported, as noted below.
If there are user fields that should not be stored by Auth0 due to privacy reasons, you can add the attributes you do not want persisting in Auth0 databases to the DenyList. To learn more, read Add User Attributes to the Deny List.
By default, user profile attributes provided by other than Auth0 (such as Google, Facebook, or X) are not directly editable because they are updated from the identity provider each time the user logs in. Fore more information on attributes from identity providers, read Configure Identity Provider Connection for User Profile Updates.
To be able to edit the name, nickname, given_name, family_name, or picture root attributes on the normalized user profile, you must configure your connection sync with Auth0 so that user attributes will be updated from the identity provider only on user profile creation. These root attributes will then be available to be edited individually or by bulk imports
User profile validation
Auth0 accepts a specific validation schema for certain fields in the user profile. See the table below for a list of requirements when setting profile attribute values.All characters are converted to lowercase when saved to the User Profile.This is true for all Auth0 database connections. When Auth0 DB is not the source of truth (for example, custom DB with import mode off) as well as other kinds of social enterprise connections where Auth0 is not the source of truth, the email is retained as-is and not converted to lower case.
Three other fields are not technically part of the user profile, but may be of interest when importing users:
password_hash(text): Hashed password for the user’s connection. When users are created, Auth0 uses bcrypt to secure the password. Importing compatible hashed passwords allows users to retain their passwords, thereby providing a smoother experience. Compatible passwords should be hashed using bcrypt or and have 10 saltRounds. Note that you can provide this field only when the user is first imported; you cannot update it later.custom_password_hash(object): Hashed password for the user’s connection when created using an alternate algorithm. Used in place of thepassword_hashfield. During the bulk import process, you can update thecustom_password_hashif the user did not login using the initially importedcustom_password_hash.