Actions Triggers: post-login - API Object

The API object for the post-login Actions trigger includes:

api.access

Modify the user's login access, such as rejecting the login attempt.

api.access.deny(reason)

Mark the current login attempt as denied. This will prevent the end-user from completing the login flow. This will NOT cancel other user-related side effects (such as metadata changes) requested by this Action. The login flow will immediately stop following the completion of this action and no further Actions will be executed.

Returns a reference to the api object.

Parameter Description
reason

String. A human-readable explanation for rejecting the login. This may be presented directly in end-user interfaces.
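Added example (not Auth0's own code) showing why the order of calls matters around api.access.deny(): metadata writes requested by the same Action still persist on a denied login. The metadata keys, the claim namespace and the recording stand-in for the api object are assumptions made for illustration; event.user.email_verified and event.user.app_metadata come from the Actions event object, which this page does not describe.

```javascript
const NS = 'https://example.com/claims'; // hypothetical fully-qualified claim namespace

// In an Action this function is assigned to exports.onExecutePostLogin.
const onExecutePostLogin = async (event, api) => {
  // Decide first: deny() does not cancel metadata changes requested by this
  // Action, so nothing that marks success may be queued before this check.
  if (!event.user.email_verified) {
    api.user.setAppMetadata('last_denied_at', new Date().toISOString()); // still persisted
    // The reason may be shown to the end user: keep internal detail out of it.
    api.access.deny('Please verify your email address before logging in.');
    return; // the claims below are for allowed logins only
  }
  const roles = (event.user.app_metadata || {}).roles || [];
  api.accessToken.setCustomClaim(`${NS}/roles`, roles);
  api.idToken.setCustomClaim(`${NS}/roles`, roles);
  api.user.setAppMetadata('last_login_ok_at', new Date().toISOString());
};

// Recording stand-in for the api object, constructed for this example:
// every api.<namespace>.<method>(...) call is appended to api.calls.
function makeRecordingApi() {
  const calls = [];
  const api = new Proxy({ calls }, {
    get: (target, ns) => (ns in target ? target[ns] : new Proxy({}, {
      get: (_, method) => (...args) => {
        calls.push([`${ns}.${method}`, ...args]);
        return api; // the documented methods return a reference to api
      },
    })),
  });
  return api;
}
```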

api.accessToken

Request changes to the access token being issued.

api.accessToken.setCustomClaim(name, value)

Set a custom claim on the Access Token that will be issued upon completion of the login flow.

Returns a reference to the api object.

Parameter Description
name

String. Name of the claim (note that this may need to be a fully-qualified URL).

value

Any value. The value of the claim.

api.authentication

Request changes to the authentication state of the current user's session.

api.authentication.recordMethod(provider_url)

Indicate that a custom authentication method has been completed in the current session. This method will then be available in the `event.authentication.methods` array in subsequent logins.

Important: This API is only available from within the onContinuePostLogin function for PostLogin Actions. In other words, this may be used to record the completion of a custom authentication method after redirecting the user via api.redirect.sendUserTo().

Returns a reference to the api object.

Parameter Description
provider_url

String. A URL representing the identity of the custom authentication method that was completed.

api.cache

Store and retrieve data that persists across executions.

api.cache.delete(key)

Delete a record describing a cached value at the supplied key if it exists.

Returns a CacheWriteResult object with type: "success" if a value was removed from the cache. A failed operation returns type: "error". For errors, the returned object will have a code property that indicates the nature of the failure.

Parameter Description
key

String. The key of the record stored in the cache.

api.cache.get(key)

Retrieve a record describing a cached value at the supplied key, if it exists. If a record is found, the cached value can be found at the value property of the returned object.

Returns a cache record if an item is found in the cache for the supplied key. Cache records are objects with a value property holding the cached value as well as an expires_at property indicating the maximum expiry of the record in milliseconds since the Unix epoch.

Important: This cache is designed for short-lived, ephemeral data. Items may not be available in later transactions even if they are within their supplied lifetime.

Parameter Description
key

String. The key of the record stored in the cache.

api.cache.set(key, value, [options])

Store or update a string value in the cache at the specified key.

Values stored in this cache are scoped to the Trigger in which they are set. They are subject to the Actions Cache Limits.

Values stored in this way will have lifetimes of up to the specified ttl or expires_at values. If no lifetime is specified, a default lifetime of 15 minutes will be used. Lifetimes may not exceed the maximum duration listed at Actions Cache Limits.

Parameter Description
key

String. The key of the record stored in the cache.

value

String. The value of the record to be stored.

options

Optional object. Options for adjusting cache behavior.

options.expires_at

Optional number. The absolute expiry time in milliseconds since the Unix epoch. While cached records may be evicted earlier, they will never remain beyond the supplied expires_at.

Note: This value should not be supplied if a value was also provided for ttl. If both options are supplied, the earlier expiry of the two will be used.

options.ttl

Optional number. The time-to-live value of this cache entry in milliseconds. While cached values may be evicted earlier, they will never remain beyond the supplied ttl.

Note: This value should not be supplied if a value was also provided for expires_at. If both options are supplied, the earlier expiry of the two will be used.
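Added example (not Auth0's own code) of a cache-aside lookup built on api.cache.get() and api.cache.set() that treats a miss as normal and never lets a failed write block the login. The cache key, the fetchToken callback and the makeCache stand-in are assumptions made for illustration; the stand-in follows the lifetime rules stated above, and the check on the result of set() assumes it reports failures the way delete() is documented to.

```javascript
const TOKEN_KEY = 'upstream-m2m-token'; // hypothetical cache key
const SKEW_MS = 30 * 1000;              // refresh shortly before expiry

// fetchToken is a hypothetical caller-supplied async function that returns
// { token, expiresInMs } from an upstream token endpoint.
async function getUpstreamToken(api, fetchToken, now = Date.now()) {
  const record = api.cache.get(TOKEN_KEY);
  // Entries may be evicted before their lifetime ends, so a miss is expected.
  if (record && record.expires_at - now > SKEW_MS) return record.value;

  const { token, expiresInMs } = await fetchToken();
  const result = api.cache.set(TOKEN_KEY, token, { expires_at: now + expiresInMs });
  if (result && result.type === 'error') {
    // The token is still usable for this login; only reuse is lost.
    console.log(`cache write failed: ${result.code}`);
  }
  return token;
}

// Stand-in for api.cache, constructed for this example: 15 minute default
// lifetime, and the earlier of ttl / expires_at wins when both are supplied.
function makeCache(clock) {
  const store = new Map();
  return {
    set(key, value, { ttl, expires_at } = {}) {
      const now = clock();
      const candidates = [ttl != null ? now + ttl : null, expires_at]
        .filter((v) => v != null);
      const expiry = candidates.length ? Math.min(...candidates) : now + 15 * 60 * 1000;
      store.set(key, { value, expires_at: expiry });
      return { type: 'success' };
    },
    get(key) {
      const record = store.get(key);
      if (!record || record.expires_at <= clock()) {
        store.delete(key);
        return undefined;
      }
      return record;
    },
  };
}
```

Because cached values are scoped to the trigger rather than to a user, a key that holds per-user data has to include the user identifier.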

api.idToken

Request changes to the ID token being issued.

api.idToken.setCustomClaim(name, value)

Set a custom claim on the ID token that will be issued upon completion of the login flow.

Returns a reference to the api object.

Parameter Description
name

String. Name of the claim (note that this may need to be a fully-qualified URL).

value

Any value. The value of the claim.

api.multifactor

Set the requirement for multifactor authentication on the login attempt.

api.multifactor.enable(provider, options)

Enable multifactor authentication for this login flow. When enabled, users must complete the configured multifactor challenge. The actual multifactor challenge will be deferred to the end of the login flow.

Returns a reference to the api object.

Parameter Description
provider

String. The name of the multifactor provider to use, or the value `any` to use any of the configured providers.

Supported values include:

  • any Use any of the configured challenges.
  • duo Use the Duo multifactor provider.
  • google-authenticator Use the Google Authenticator provider.
  • guardian Use the Guardian provider.

options

Optional object. Additional options for enabling multifactor challenges.

options.allowRememberBrowser

Optional boolean. Determines whether the browser should be remembered, so that the multifactor challenge can later be skipped. Defaults to false.

options.providerOptions

Optional object. Additional options to configure the challenge, only available for the duo provider.

Supported options include:

  • host String. This is the API hostname value from your Duo account.
  • ikey String. This is the Client ID (previously Integration key) value from your Duo account.
  • skey String. This is the Client secret (previously Secret key) value from your Duo account.
  • username Optional string. Use some attribute of the profile as the username in DuoSecurity. This is also useful if you already have your users enrolled in Duo.
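Added example (not Auth0's own code) of a post-login handler that calls api.multifactor.enable() only when the session has no completed multifactor method, and that takes the Duo credentials from event.secrets instead of the source. The roles key in app_metadata, the secret names and the 'mfa' method name checked in event.authentication.methods are assumptions about the event object, which this page does not describe.

```javascript
// In an Action this function is assigned to exports.onExecutePostLogin.
const onExecutePostLogin = async (event, api) => {
  const methods = (event.authentication && event.authentication.methods) || [];
  // Skip the challenge if a multifactor method was already completed in this session.
  if (methods.some((m) => m.name === 'mfa')) return;

  const roles = (event.user.app_metadata || {}).roles || []; // hypothetical key
  const privileged = roles.includes('admin');
  const secrets = event.secrets || {};

  if (secrets.DUO_HOST && secrets.DUO_IKEY && secrets.DUO_SKEY) {
    api.multifactor.enable('duo', {
      allowRememberBrowser: false,
      providerOptions: {
        host: secrets.DUO_HOST,
        ikey: secrets.DUO_IKEY,
        skey: secrets.DUO_SKEY, // Duo client secret: stored as a secret, never inline
        username: event.user.email,
      },
    });
    return;
  }
  // Privileged accounts are challenged on every login; others may remember the browser.
  api.multifactor.enable('any', { allowRememberBrowser: !privileged });
};
```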

api.user

Make application-specific changes to the metadata of the user that is logging in.

NOTE: Invoking these methods won't update the metadata immediately. You can call them several times throughout multiple actions of the same flow and the engine will aggregate the changes and update the metadata at once before the flow is completed.

api.user.setAppMetadata(name, value)

Set application metadata for the user that is logging in. Data stored within app_metadata is not visible or editable by the user.

Returns a reference to the api object.

Parameter Description
name

String. The name of the metadata property.

value

Any value. The value of the metadata property. This may be set to null to remove the metadata property.

api.user.setUserMetadata(name, value)

Set general metadata for the user that is logging in.

Returns a reference to the api object.

Parameter Description
name

String. The name of the metadata property.

value

Any value. The value of the metadata property. This may be set to null to remove the metadata property.

api.redirect

api.redirect.encodeToken(options)

Create a session token suitable for using as a query string parameter redirect target (via sendUserTo) that contains data whose authenticity must be provable by the target endpoint. The target endpoint can verify the authenticity and integrity of the data by checking the JWT's signature using a shared secret.

Returns a JWT string.

Parameter Description
options

Options. Configure how sensitive data is encoded into the query parameters of the resulting url.

options.expiresInSeconds

Number. Number of seconds before this token will expire (defaults to 900).

options.payload

Options. The data intended to be passed to the target of the redirect and whose authenticity and integrity must be provable.

options.secret

String. A secret that will be used to sign a JWT that is shared with the redirect target. The secret value should be stored as a secret and retrieved using event.secrets['SECRET_NAME'].

api.redirect.sendUserTo(url, options)

Trigger a browser redirect to the target `url` immediately after this action completes.

Returns a reference to the api object.

Parameter Description
url

String. The URL to which the user is redirected.

options

Options. An object representing additional query string parameters that should be appended to the redirect URL.

options.query

Options. Additional query string parameters that should be appended to the redirect URL.

api.redirect.validateToken(options)

Retrieve the data encoded in a JWT token passed to the /continue endpoint while verifying the authenticity and integrity of that data.

Returns the payload of the JWT.

Parameter Description
options

Options. Options for retrieving the data encoded in a JWT token passed to the /continue endpoint following a redirect.

options.secret

String. Secret used to encode the token.

options.tokenParameterName

String. The name of the query or body parameter that was sent to the /continue endpoint (defaults to session_token).
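Added example (not Auth0's own code) tying together api.redirect.encodeToken(), api.redirect.sendUserTo(), api.redirect.validateToken() and api.authentication.recordMethod(): the first handler sends the user to an external verification step with a signed token, the second accepts the result only after validation. The target URL, the secret name, the method identifier, the verified claim and the sub comparison are assumptions made for illustration, as is the expectation that validateToken() throws on an invalid token.

```javascript
const FACTOR_URL = 'https://factor.example.com/verify';              // hypothetical target
const METHOD_ID = 'https://factor.example.com/methods/hardware-key'; // hypothetical provider_url

// In an Action these two functions are assigned to
// exports.onExecutePostLogin and exports.onContinuePostLogin.
const onExecutePostLogin = async (event, api) => {
  const methods = (event.authentication && event.authentication.methods) || [];
  // Assumption: a recorded method is listed with its provider_url as `name`.
  if (methods.some((m) => m.name === METHOD_ID)) return;

  const token = api.redirect.encodeToken({
    secret: event.secrets.REDIRECT_SECRET, // shared with the target, never a literal
    expiresInSeconds: 60,                  // well below the 900 s default
    payload: { email: event.user.email },  // signed, not encrypted: no secrets here
  });
  api.redirect.sendUserTo(FACTOR_URL, { query: { session_token: token } });
};

const onContinuePostLogin = async (event, api) => {
  let payload;
  try {
    payload = api.redirect.validateToken({
      secret: event.secrets.REDIRECT_SECRET,
      tokenParameterName: 'session_token', // the documented default
    });
  } catch (err) {
    // Assumption: a bad signature or an expired token surfaces as a thrown error.
    api.access.deny('Additional verification failed.');
    return;
  }
  // Hypothetical claims set by the target: the user it verified and the outcome.
  if (payload.sub !== event.user.user_id || payload.verified !== true) {
    api.access.deny('Additional verification failed.');
    return;
  }
  api.authentication.recordMethod(METHOD_ID); // only available in onContinuePostLogin
};
```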