The End of Life (EOL) date of Rules and Hooks will be November 18, 2026, and they are no longer available to new tenants created as of October 16, 2023. Existing tenants with active Hooks will retain Hooks product access through end of life. We highly recommend that you use Actions to extend Auth0. With Actions, you have access to rich type information, inline documentation, and public npm packages, and can connect external integrations that enhance your overall extensibility experience. To learn more about what Actions offer, read Understand How Auth0 Actions Work. To help with your migration, we offer guides that will help you migrate from Rules to Actions and migrate from Hooks to Actions. We also have a dedicated Move to Actions page that highlights feature comparisons, an Actions demo, and other resources to help you on your migration journey. To read more about the Rules and Hooks deprecation, read our blog post: Preparing for Rules and Hooks End of Life.
The user object stores information about the logged-in user, returned by the . It is generated when a user authenticates and before rules run. Because of the order of events when a user authenticates, changes made to a user’s profile from within a rule will only be available in the current user object if you also save the changes to the user object from within the same rule. To learn more about the authentication transaction flow, read the “How rules work” section in Create Rules.
Use unique names for root properties in the user object and properties within app_metadata. Because properties within app_metadata are merged into the user object, root properties that share names with properties in app_metadata may have their values overwritten when running rules.
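
One way to check a profile for the name collisions described above, as an added example that is not Auth0's own code. `findMetadataCollisions` and the sample profile are hypothetical; the root property names are taken from the property table on this page.

```javascript
// Root property names taken from the property table on this page.
const ROOT_PROPERTIES = new Set([
  'app_metadata', 'created_at', 'email', 'email_verified', 'family_name',
  'given_name', 'identities', 'last_password_reset', 'multifactor', 'name',
  'nickname', 'permissions', 'phone_number', 'phone_verified', 'picture',
  'updated_at', 'user_id', 'user_metadata', 'username',
]);

// Hypothetical helper: report app_metadata keys that share a name with a
// root property (documented, or custom and present on this profile), with
// both values so a reviewer can see what a merge could overwrite.
function findMetadataCollisions(user) {
  const meta = user.app_metadata; // undefined by default, per the table
  if (meta === null || typeof meta !== 'object' || Array.isArray(meta)) return [];
  return Object.keys(meta)
    .filter((key) => ROOT_PROPERTIES.has(key) ||
      Object.prototype.hasOwnProperty.call(user, key))
    .sort()
    .map((key) => ({
      key,
      rootValue: user[key],
      metadataValue: meta[key],
      differs: JSON.stringify(user[key]) !== JSON.stringify(meta[key]),
    }));
}

// Constructed sample profile (not real data).
const sampleUser = {
  user_id: 'auth0|constructed-0001',
  email: 'jane@example.com',
  email_verified: false,
  plan: 'free',
  app_metadata: { roles: ['support'], email_verified: true, plan: 'gold' },
};

const collisions = findMetadataCollisions(sampleUser);
for (const c of collisions) {
  console.log(`collision on "${c.key}": root=${JSON.stringify(c.rootValue)} ` +
    `app_metadata=${JSON.stringify(c.metadataValue)}`);
}
```

In the sample, `roles` is safe because no root property uses that name, while `email_verified` and `plan` are flagged because their root and app_metadata values disagree.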

Properties

The following properties are available for the user object.
| Property | Data Type | Description |
| --- | --- | --- |
| user.app_metadata | object | Custom fields that store info about a user that influences the user’s access, such as support plan, security roles, or access control groups. Is undefined by default. For more info, see Metadata. |
| user.created_at | date time | Timestamp indicating when the user profile was first created. |
| user.email | text | (unique) User’s email address. |
| user.email_verified | boolean | Indicates whether the user has verified their email address. |
| user.family_name | text | User’s family name. |
| user.given_name | text | User’s given name. |
| user.identities | array (object) | Contains info retrieved from the identity provider with which the user originally authenticates. Users may also link their profile to multiple identity providers; those identities will then also appear in this array. The contents of an individual identity provider object varies by provider, but it will typically include the following:<br>• connection (text): Name of the Auth0 connection used to authenticate the user.<br>• isSocial (boolean): Indicates whether the connection is a social one.<br>• provider (text): Name of the entity that is authenticating the user, such as Facebook, Google, SAML, or your own provider.<br>• user_id (text): User’s unique identifier for this connection/provider. The first user_id linked becomes the primary unique identifier for the user.<br>• profileData (object): User information associated with the connection. When profiles are linked, it is populated with the associated user info for secondary accounts.<br>In some cases, it will also include an API to be used with the provider. |
| user.last_password_reset | date time | Timestamp indicating the last time the user’s password was reset/changed. At user creation, this field does not exist. This property is only available for Database connections. |
| user.multifactor | array (text) | List of multi-factor authentication (MFA) providers with which the user is enrolled. This array is updated when the user enrolls in MFA and when an administrator resets a user’s MFA enrollments. |
| user.name | text | User’s full name. |
| user.nickname | text | User’s nickname. |
| user.permissions | text | Permissions assigned to the user’s ID token if using the Authorization Extension. |
| user.phone_number | text | User’s phone number. Only valid for users with SMS connections. |
| user.phone_verified | boolean | Indicates whether the user has verified their phone number. Only valid for users with SMS connections. |
| user.picture | text | URL pointing to the user’s profile picture. |
| user.updated_at | date time | Timestamp indicating when the user’s profile was last updated/modified. Changes to last_login are considered updates, so most of the time, updated_at will match last_login. |
| user.user_id | text | (unique) User’s primary unique identifier. |
| user.user_metadata | object | Custom fields that store info about a user that does not impact what they can or cannot access, such as work address, home address, or user preferences. For more info, see Metadata. |
| user.username | text | (unique) User’s username. |