> Learn about Auth0 refresh token metadata

# Refresh Token Metadata

<Warning>
  Refresh Token Metadata is currently in Early Access for Enterprise customers only. By using this feature, you agree to the applicable Free Trial terms in Okta's [Master Subscription Agreement](https://www.okta.com/legal). To learn more about Auth0's product release cycle, read [Product Release Stages](https://auth0.com/docs/troubleshoot/product-lifecycle/product-release-stages).
</Warning>

Refresh token metadata lets you store custom keys and values (maximum 255 characters each) in an Auth0 [refresh token](/docs/secure/tokens/refresh-tokens).

Use cases for refresh token metadata include:

* Track device information, such as device name or login location
* Store token-level flags, for example, `user_accepted_terms` or `session_type`
* Share state between multiple Actions in the same flow
* Drive conditional logic for token issuance or revocation
* Feed audit and analytics pipelines that need user context data

You can access and modify refresh token metadata during a refresh token's lifecycle using Auth0 [Actions](/docs/customize/actions/explore-triggers/signup-and-login-triggers/login-trigger) and the [Management API](https://auth0.com/docs/api/management/v2).

To learn more, read [how to Configure Refresh Token Metadata](/docs/secure/tokens/refresh-tokens/refresh-token-metadata/configure-refresh-token-metadata).

## Supported flows

You can set refresh token metadata using Post-Login Actions with the following OAuth 2.0 flows:

* Authorization Code Flow
* Resource Owner Password Grant
* Device Authorization Grant
* Federated Connection Flows
* Client-Initiated Backchannel Authentication (CIBA)
* Native Passkeys
* Refresh Token Exchange

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  You can **set** refresh token metadata during any of the supported flows above. However, existing metadata is only **available to read** via the `event.refresh_token.metadata` object during [refresh token exchange](/docs/secure/tokens/refresh-tokens/use-refresh-tokens) scenarios where `event.refresh_token` exists. At the initial login, `event.refresh_token` does not exist, so you can only set metadata—not read it. During a refresh token exchange, you can both read existing metadata and set new values.
</Callout>

When executing a refresh token exchange, the metadata set in Actions is applied when the refresh token is issued, not during intermediate steps such as MFA challenges.

## Limitations

* Refresh token metadata is limited to a maximum of 25 entries
* Each key and each value must be 255 characters or fewer
* Metadata keys may only include letters, numbers, underscores, or hyphens
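
The limits above and the read-availability rule from the callout can be checked in one place before an Action writes anything. The following is an added example, not Auth0's own code: `planMetadataUpdate` and `LIMITS` are hypothetical names, and the sample events are constructed. It assumes "letters" means ASCII letters, that empty keys are rejected, and that length is counted in JavaScript string units.

```javascript
// Hypothetical helper, not part of the Auth0 Actions API.
// Limits taken from this page: 25 entries, 255 characters per key and value,
// keys restricted to letters, numbers, underscores and hyphens.
const LIMITS = { maxEntries: 25, maxLen: 255, keyPattern: /^[A-Za-z0-9_-]+$/ };

// Merge proposed entries into the metadata the event exposes and check the
// result against the limits. Returns { ok, metadata, errors }; on any error
// the existing metadata is returned unchanged so nothing partial is written.
function planMetadataUpdate(event, proposed) {
  // event.refresh_token exists only during a refresh token exchange.
  // At initial login there is nothing to read, so start from an empty map.
  const existing = (event.refresh_token && event.refresh_token.metadata) || {};
  const errors = [];
  const accepted = {};

  for (const [key, raw] of Object.entries(proposed)) {
    const value = String(raw); // assumption: values are stored as strings
    if (!LIMITS.keyPattern.test(key)) {
      errors.push(`key has disallowed characters or is empty: ${key.slice(0, 32)}`);
    } else if (key.length > LIMITS.maxLen) {
      errors.push(`key longer than ${LIMITS.maxLen}: ${key.slice(0, 32)}`);
    } else if (value.length > LIMITS.maxLen) {
      errors.push(`value longer than ${LIMITS.maxLen} for key: ${key}`);
    } else {
      accepted[key] = value;
    }
  }

  // The entry cap applies to the merged result, not only to the new keys.
  const merged = { ...existing, ...accepted };
  if (Object.keys(merged).length > LIMITS.maxEntries) {
    errors.push(`merged metadata exceeds ${LIMITS.maxEntries} entries`);
  }
  const ok = errors.length === 0;
  return { ok, metadata: ok ? merged : existing, errors };
}

// Constructed sample events (not real Auth0 payloads).
const initialLogin = {}; // no refresh_token yet: set only, nothing to read
const exchange = { refresh_token: { metadata: { session_type: 'mobile' } } };
```

Values such as device names often originate from client-supplied input, so rejecting out-of-range entries before the write keeps malformed data out of the token record and out of downstream audit pipelines.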

## Learn more

* [Configure Refresh Token Metadata](/docs/secure/tokens/refresh-tokens/refresh-token-metadata/configure-refresh-token-metadata)
* [Refresh Tokens with Actions](/docs/secure/tokens/refresh-tokens/manage-refresh-tokens-actions)
* [Refresh Tokens](/docs/secure/tokens/refresh-tokens)
