In the Auth0 dashboard, navigate to Actions > Library and create a new custom action bound to the Login / Post Login trigger.
Inside the action, access user metadata via event.user.user_metadata and event.user.app_metadata, and read connection or client information from event.connection and event.client.
Set custom claims on the ID token using api.idToken.setCustomClaim('https://your-namespace/claim-name', value) and on the access token using api.accessToken.setCustomClaim('https://your-namespace/claim-name', value).
Use a namespace formatted as a URL you control (e.g., https://myapp.example.com/) to avoid collisions with standard OIDC claims; namespaces under auth0.com are reserved and will be stripped.
Add the action to the Login flow by navigating to Actions > Flows > Login and dragging your action into the flow diagram between Start and Complete.
Deploy and test by using the Auth0 testing tool in the action editor, then verify the claims appear in a live token by authenticating and decoding the JWT.
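A Post Login action body covering the steps above, as an added example that is not Auth0's or this page's own code. The namespace https://myapp.example.com/, the metadata fields roles and locale, and the helpers claimKey and buildClaims are assumptions made for illustration.

```javascript
// Added example; the namespace and metadata field names are assumptions.
const NAMESPACE = 'https://myapp.example.com/';

// Build a namespaced claim name, rejecting namespaces that would be stripped.
function claimKey(namespace, name) {
  let url;
  try {
    url = new URL(namespace);
  } catch {
    throw new Error(`namespace is not a URL: ${namespace}`);
  }
  const host = url.hostname.toLowerCase();
  if (host === 'auth0.com' || host.endsWith('.auth0.com')) {
    throw new Error(`reserved namespace: ${namespace}`);
  }
  return namespace.endsWith('/') ? namespace + name : `${namespace}/${name}`;
}

// Collect claim values from the Post Login event; missing values are dropped
// so no claim is ever set to undefined.
function buildClaims(event) {
  const app = event.user.app_metadata || {};
  const user = event.user.user_metadata || {};
  const claims = {
    roles: app.roles,     // authorization data: read from app_metadata only
    locale: user.locale,  // user preference: user_metadata is acceptable here
    connection: event.connection && event.connection.name,
    client_id: event.client && event.client.client_id,
  };
  return Object.fromEntries(
    Object.entries(claims)
      .filter(([, value]) => value !== undefined && value !== null)
      .map(([name, value]) => [claimKey(NAMESPACE, name), value]));
}

// Handler for the Login / Post Login trigger. Each claim is set on both
// tokens explicitly because neither call propagates to the other.
const onExecutePostLogin = async (event, api) => {
  for (const [key, value] of Object.entries(buildClaims(event))) {
    api.idToken.setCustomClaim(key, value);
    api.accessToken.setCustomClaim(key, value);
  }
};

if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;
```
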
Known gotchas
Claims without a valid namespace (a URL) may be silently stripped from the token rather than causing an error; always verify your token payload after deployment.
api.accessToken.setCustomClaim and api.idToken.setCustomClaim are separate calls; setting a claim on one does not propagate it to the other.
Actions run synchronously during login; any async operation (database lookup, external API call) that times out will block or fail the login — add explicit error handling and timeouts.