Session metadata makes the user context data portable and visible across the session lifecycle and in logout events. Downstream systems can use session metadata to conduct audits, perform analytics, and drive revocation pipelines, among other uses.
Auth0 Session Metadata is not a secure data store and should not be used to store sensitive information. This includes secrets and high-risk PII such as social security numbers or credit card numbers. Auth0 customers are strongly encouraged to evaluate the data stored in metadata and only store that which is necessary for identity and access management purposes. To learn more, read Auth0 General Data Protection Regulation Compliance.

Add organization information to session metadata

You can use Actions to store the organization’s identifiers in a session with the post-login api.session.setMetadata() method and query it with the event.session.metadata object. Post-Login Action code:
/**
 * Post-Login Action (simple)
 * Adds organization context to session metadata so it appears in subsequent Actions,
 * the Management API, and (if enabled) the Back-Channel Logout token.
 */
exports.onExecutePostLogin = async (event, api) => {
  // Only proceed if the transaction targets an Organization
  if (!event.organization) return;

  // Keep values short and string-only (session metadata requires strings)
  const orgId = String(event.organization.id || "");
  const orgSlug = String(event.organization.name || "");
  const orgDisplay = String(event.organization.display_name || orgSlug);

  // Minimal, idempotent writes (only a few keys to stay well under limits)
  api.session.setMetadata("org_id", orgId);
  api.session.setMetadata("org_slug", orgSlug);
  api.session.setMetadata("org_name", orgDisplay);
};
The session metadata is available to subsequent Actions, is retrievable via the Management API, and can be included in the OpenID Connect Back-Channel Logout token.
  • In subsequent Actions, you can query the data via the event.session.metadata object:
const orgId = event.session.metadata?.org_id;
  • If you use the Management API, you can query the data via the /api/v2/sessions/ endpoint:
GET /api/v2/sessions/{id}
Sample response:
{
  "session_metadata": {
    "org_id": "org_abc123",
    "org_slug": "acme",
    "org_name": "Acme Corp"
  }
}
Calls to the /api/v2/sessions/{id} endpoint require a Management API access token with the update:session scope.
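  • If session metadata is included in the OpenID Connect Back-Channel Logout token, it appears under session_metadata in the token payload:
{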
  "events": { "http://schemas.openid.net/event/backchannel-logout": {} },
  "session_metadata": {
    "org_id": "org_abc123",
    "org_slug": "acme",
    "org_name": "Acme Corp"
  }
}
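A downstream receiver should check the logout token's claims before acting on the session metadata it carries. The following is an added example, not Auth0 code: the function name `revocationTargetFromLogoutClaims` and the sample values are hypothetical, and it assumes a JWT library has already verified the token's signature, `iss`, `aud` and `iat`.

```javascript
// Added example: claim checks for a Back-Channel Logout receiver (not Auth0 code).
// Assumes a JWT library has already verified signature, iss, aud and iat.
const LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout";

// Hypothetical helper: returns what the local revocation pipeline should act on.
function revocationTargetFromLogoutClaims(claims) {
  if (claims === null || typeof claims !== "object") {
    throw new Error("claims must be an object");
  }
  // OIDC Back-Channel Logout: the events claim must carry the logout event
  // member, and its value must be a JSON object.
  const evt = claims.events && claims.events[LOGOUT_EVENT];
  if (evt === null || typeof evt !== "object" || Array.isArray(evt)) {
    throw new Error("not a back-channel logout token");
  }
  // A logout token must not contain a nonce, and needs sid, sub, or both.
  if ("nonce" in claims) throw new Error("nonce present in logout token");
  const sid = typeof claims.sid === "string" ? claims.sid : null;
  const sub = typeof claims.sub === "string" ? claims.sub : null;
  if (!sid && !sub) throw new Error("logout token has neither sid nor sub");

  // session_metadata is optional; keep only string values, in a
  // prototype-free object so odd key names cannot shadow anything.
  const meta = Object.create(null);
  const raw = claims.session_metadata;
  if (raw && typeof raw === "object" && !Array.isArray(raw)) {
    for (const [k, v] of Object.entries(raw)) {
      if (typeof v === "string") meta[k] = v;
    }
  }
  // org_id is a routing/audit hint; sid and sub identify what to revoke.
  return { sid, sub, orgId: meta.org_id || null, metadata: meta };
}

// Constructed sample claims, mirroring the payload shape shown on this page.
const sampleClaims = {
  iss: "https://tenant.example/",
  sid: "sess_constructed_1",
  events: { [LOGOUT_EVENT]: {} },
  session_metadata: { org_id: "org_abc123", org_slug: "acme", org_name: "Acme Corp" },
};
console.log(revocationTargetFromLogoutClaims(sampleClaims));
```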