- Track device information, such as device name or login location
- Store token-level flags, for example, user_accepted_terms or session_type
- Share state between multiple Actions in the same flow
- Drive conditional logic for token issuance or revocation
- Audit and analytics pipelines that need to be aware of user context data

Supported flows

You can set refresh token metadata using Post-Login Actions with the following OAuth 2.0 flows:

- Authorization Code Flow
- Resource Owner Password Grant
- Device Authorization Grant
- Federated Connection Flows
- Client-Initiated Backchannel Authentication (CIBA)
- Native Passkeys
- Refresh Token Exchange

You can set refresh token metadata during any of the supported flows above. However, existing metadata is only available to read via the event.refresh_token.metadata object during refresh token exchange scenarios where event.refresh_token exists. At the initial login, event.refresh_token does not exist, so you can only set metadata, not read it. During a refresh token exchange, you can both read existing metadata and set new values.

Limitations

- Refresh token metadata is limited to 25 entries maximum
- Each key and value must be 255 characters or less
- Metadata keys may only include letters, numbers, underscores, or hyphens
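
The following is an added example, not code from the original page: a Post-Login handler that checks the limits above before writing, and handles the set-only initial login separately from a refresh token exchange. The keys device_name and device_changed, the value 'interactive', and the api.refreshToken.setMetadata setter are assumptions; this page names only event.refresh_token.metadata.

```javascript
// Added example. The limits are the ones listed on this page.
const MAX_ENTRIES = 25, MAX_LEN = 255, KEY_RE = /^[A-Za-z0-9_-]+$/;

// Returns the problems that merging `updates` into `existing` would cause.
function checkMetadata(existing, updates) {
  const problems = [];
  for (const [key, value] of Object.entries(updates)) {
    if (!KEY_RE.test(key)) problems.push(`invalid key: ${key}`);
    if (key.length > MAX_LEN) problems.push(`key too long: ${key.slice(0, 20)}`);
    if (String(value).length > MAX_LEN) problems.push(`value too long: ${key}`);
  }
  // Overwriting an existing key does not add an entry, so count the merged set.
  const total = Object.keys({ ...existing, ...updates }).length;
  if (total > MAX_ENTRIES) problems.push(`too many entries: ${total}`);
  return problems;
}

// Decides what to write. event.refresh_token exists only during a refresh
// token exchange, so at initial login `existing` is empty (set-only).
function planMetadata(event) {
  const existing = event.refresh_token?.metadata ?? {};
  // User-agent strings can exceed the value limit, so truncate before storing.
  const device = String(event.request?.user_agent ?? 'unknown').slice(0, MAX_LEN);
  const updates = event.refresh_token
    ? { device_changed: String(existing.device_name !== device) }
    : { device_name: device, session_type: 'interactive' }; // constructed values
  return { updates, problems: checkMetadata(existing, updates) };
}

// In an Action, assign this function to exports.onExecutePostLogin.
async function onExecutePostLogin(event, api) {
  const { updates, problems } = planMetadata(event);
  if (problems.length > 0) {
    console.log('refresh token metadata not written:', problems.join('; '));
    return; // skip the write rather than fail the login
  }
  for (const [key, value] of Object.entries(updates)) {
    api.refreshToken.setMetadata(key, value); // assumed setter, not shown on this page
  }
}
```

A device_changed value of 'true' on a later exchange is the kind of flag a subsequent Action can read to drive the conditional logic mentioned in the use cases.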