Refresh tokens now carry custom metadata; Management API support

We're excited to announce that Refresh Token Metadata is now Generally Available for Enterprise customers.

Refresh Token Metadata allows you to attach custom key-value pairs to refresh tokens, enabling richer context storage and more personalized authentication experiences.

What's included in the feature

Store Custom Data on Refresh Tokens

You can now attach up to 25 custom key-value pairs to each refresh token. This metadata persists throughout the token's lifecycle and can be accessed or modified via the Management API.

// In Post-Login Action
exports.onExecutePostLogin = async (event, api) => {
  api.refreshToken.setMetadata('deviceName', event.request.user_agent);
  api.refreshToken.setMetadata('loginRegion', event.request.geoip?.countryCode);
  api.refreshToken.setMetadata('orgContext', event.organization?.id);
};

Management API Support

Access and manage refresh token metadata programmatically:

• GET /api/v2/refresh-tokens/{id} - Retrieve token with metadata
• PATCH /api/v2/refresh-tokens/{id} - Update token metadata
• DELETE /api/v2/refresh-tokens/{id} - Revoke token

Learn more about Refresh Token Metadata in our documentation and our blog