> Learn how to use the post-login Action trigger to modify user_metadata and app_metadata as part of a user’s login flow.

# Manage User Metadata with the post-login Action Trigger

Auth0 provides a rich system for storing [metadata](/docs/manage-users/user-accounts/metadata) on the Auth0 user profile. You can configure a `post-login` trigger to modify `user_metadata` and `app_metadata` as part of a user’s login flow. Post-login triggers are useful for tasks such as storing application-specific data on the user profile, capturing user operation logs, mapping <Tooltip tip="Security Assertion Markup Language (SAML): Standardized protocol allowing two parties to exchange authentication information without a password." cta="View Glossary" href="/docs/glossary?term=SAML">SAML</Tooltip> attributes to the metadata field, or caching expensive operation values on the user profile for reuse in future logins.

The `post-login` `api` object provides common operations that can be performed in this trigger. To manage user metadata, we want to use the `api.user.setAppMetadata` and `api.user.setUserMetadata` methods. For example, to guard against some behavior running more than once for a specific user, consider an Action that looks like this:

```js
exports.onExecutePostLogin = async (event, api) => {
  // Guard: skip the work if an earlier login already recorded it.
  if (event.user.app_metadata.didAnExpensiveTask) {
    console.log(`Skipping the expensive task because it already occurred for ${event.user.email}.`);
    return;
  }
  // do an expensive task
  // Queue the flag; it is written when the trigger finishes executing.
  api.user.setAppMetadata("didAnExpensiveTask", true);
};
```

Here, we added a check at the start of the Action to see if we have already performed the expensive task for this user. If the metadata field is set, we return from the function without repeating the task.

At the end of the Action, we call `api.user.setAppMetadata` to signal that we would like to store some metadata on the user object. At the end of each trigger’s execution, Actions will update the user profile as a single operation. If several calls are made to `setUserMetadata` or `setAppMetadata`, even from different Actions in the same flow, Actions will update the user profile only once, at the end of the trigger’s execution.

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  Multiple `setUserMetadata` or `setAppMetadata` calls will be batched together into a single user profile update at the end of the trigger’s execution, even if they are made by different Actions.
</Callout>

## Best practices

Beware of storing too much data in the Auth0 profile. This data is intended to be used for authentication and authorization purposes, and users can edit their own `user_metadata` field, so don't store sensitive data in it. The metadata and search capabilities of Auth0 are not designed for marketing research or anything else that requires heavy search or update frequency. Your system is likely to run into scalability and performance issues if you use Auth0 for this purpose. A better approach is to store data in an external system and store a pointer (the user ID) in Auth0 so that backend systems can fetch the data if needed.
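
The following added example (not Auth0's own code) models the batching described earlier and the `user_metadata` caveat above: two Actions run in one flow against a constructed profile, and the guard flag is read from `app_metadata` so that a value the user wrote into their own `user_metadata` does not skip the task. `makeApi` and `runFlow` are hypothetical local stand-ins for the Actions runtime, and the no-write result when nothing is queued is an assumption of this model.

```javascript
// Added example. makeApi() and runFlow() are hypothetical local stand-ins
// for the Actions runtime; they are not Auth0 APIs.

// Action 1: run the expensive task once; the guard flag lives in app_metadata.
const expensiveTaskOnce = async (event, api) => {
  if (event.user.app_metadata.didAnExpensiveTask) return;
  // ... the expensive task would run here ...
  api.user.setAppMetadata("didAnExpensiveTask", true);
};

// Action 2: user_metadata holds only a non-sensitive, user-editable preference.
const defaultLocale = async (event, api) => {
  if (!event.user.user_metadata.locale) api.user.setUserMetadata("locale", "en");
};

// Stand-in api object: queues metadata changes instead of writing them.
function makeApi(pending) {
  return {
    user: {
      setAppMetadata: (key, value) => { pending.app_metadata[key] = value; },
      setUserMetadata: (key, value) => { pending.user_metadata[key] = value; },
    },
  };
}

// Runs each Action in order, then applies every queued change as one update.
// Assumption of this model: nothing queued means no profile write.
async function runFlow(user, actions) {
  const pending = { app_metadata: {}, user_metadata: {} };
  const api = makeApi(pending);
  for (const action of actions) await action({ user }, api);
  const changed = Object.keys(pending.app_metadata).length +
    Object.keys(pending.user_metadata).length;
  if (changed === 0) return { user, profileWrites: 0 };
  const updated = {
    ...user,
    app_metadata: { ...user.app_metadata, ...pending.app_metadata },
    user_metadata: { ...user.user_metadata, ...pending.user_metadata },
  };
  return { user: updated, profileWrites: 1 };
}

// Constructed sample profile: the user has put the guard key into their own
// user_metadata. The guard reads app_metadata, so the task still runs.
const sampleUser = {
  email: "user@example.com",
  app_metadata: {},
  user_metadata: { didAnExpensiveTask: true },
};
```

Running the flow a second time against the updated profile queues nothing, because both Actions find their values already present.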

## Rate limits

<Warning>
  Setting user and app metadata is subject to your tenant’s rate limits and may affect login throughput.
</Warning>

Even though a single call is made to update the user profile, that operation is still subject to your tenant’s "Write User" [rate limits](/docs/troubleshoot/customer-support/operational-policies/rate-limit-policy/management-api-endpoint-rate-limits). If the rate limit is hit when attempting to update metadata, Actions will retry the request as long as a `429` HTTP status code is returned. The delay between retries is governed by the value of the `X-RateLimit-Reset` header returned as part of the `429` response.

## Redirects

If a redirect is invoked with `api.redirect.sendUserTo()`, any pending user or app metadata updates will be applied to the user profile before the user is redirected to the external site. To learn more, see [Redirecting With Actions](/docs/customize/actions/explore-triggers/signup-and-login-triggers/login-trigger/redirect-with-actions).

## Learn more

* [Redirect with Actions](/docs/customize/actions/explore-triggers/signup-and-login-triggers/login-trigger/redirect-with-actions)
