Auth0
Sync user profiles to Auth0 via the Management API. Zeotap creates and updates user records in your Auth0 tenant, keeping identity data in sync with your warehouse.
Prerequisites
- An Auth0 account with a tenant configured
- A Machine-to-Machine (M2M) application registered in Auth0
- The M2M application must be authorized to access the Auth0 Management API with the following scopes:
read:userscreate:usersupdate:users
- A database connection configured in your Auth0 tenant (e.g.,
Username-Password-Authentication)
Authentication
Auth0 uses Client Credentials authentication via a Machine-to-Machine application.
- In the Auth0 Dashboard, navigate to Applications > Applications
- Click Create Application and select Machine to Machine Applications
- Name the application (e.g., “Zeotap Integration”)
- Select Auth0 Management API as the authorized API
- Grant the following scopes:
read:users,create:users,update:users - Click Authorize
- Copy the Client ID and Client Secret from the application’s Settings tab
- Paste them into the corresponding fields in Zeotap
Configuration
| Field | Type | Required | Description |
|---|---|---|---|
| Auth0 Domain | Text | Yes | Your Auth0 tenant domain (e.g., my-tenant.us.auth0.com) |
| Connection | Text | No | The Auth0 database connection name for user creation. Required when syncing users (e.g., Username-Password-Authentication) |
Target Settings
| Field | Type | Required | Description |
|---|---|---|---|
| Object Type | Select | Yes | The Auth0 object to sync data to. Currently supports: Users |
Supported Operations
Sync Modes
| Mode | Supported |
|---|---|
| Upsert | Yes |
| Insert | Yes |
| Update | Yes |
| Mirror | — |
Audience Sync Modes
Auth0 does not have a list or segment membership concept, so audience sync modes are not supported.
Features
- Field Mapping: Yes
- Schema Introspection: No
Required Mapping Fields
| Field | Description |
|---|---|
| User email address. Used as the identifier for upsert and update operations |
Default Destination Fields
| Field | Type |
|---|---|
email | string |
name | string |
given_name | string |
family_name | string |
nickname | string |
picture | string |
user_metadata | json |
app_metadata | json |
How It Works
- Zeotap reads user data from your warehouse model or audience
- For each row, it extracts the email address and mapped fields
- Depending on the sync mode:
- Insert: Creates a new user via
POST /api/v2/userswith the configured connection - Update: Looks up the user by email via
GET /api/v2/users-by-email, then updates viaPATCH /api/v2/users/{id} - Upsert: Attempts to find the user by email first. If found, updates the user. If not found, creates a new user
- Insert: Creates a new user via
- Known Auth0 fields (
email,name,given_name,family_name,nickname,picture,user_metadata,app_metadata, etc.) are sent as top-level properties - Any additional fields not recognized as Auth0 standard fields are automatically placed into
user_metadata
Each user is synced individually because the Auth0 Management API does not provide a batch create/update endpoint.
Rate Limits
Auth0 Management API rate limits depend on your subscription tier:
| Tier | Rate Limit |
|---|---|
| Free / Developer | 2 requests per second (burst up to 10) |
| Paid (Essential, Professional, Enterprise) | 15 requests per second (burst up to 50) |
Zeotap processes rows sequentially and automatically retries on 429 Too Many Requests responses with exponential backoff. Rate limit headers (X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset) are respected.
Best Practices
- Use Upsert mode for most use cases — it handles both new and existing users gracefully
- Grant only the minimum required scopes to your M2M application (
read:users,create:users,update:users) - Use
user_metadatafor user-facing profile data andapp_metadatafor internal application data - Avoid syncing passwords through Zeotap — Auth0 has specific password hashing requirements
- For large user bases, schedule syncs during off-peak hours to minimize rate limit impact
- Use the Connection field to target the correct database connection in multi-connection tenants
Troubleshooting
Authentication failed: verify client_id and client_secret
Ensure the M2M application’s Client ID and Client Secret are correct. In the Auth0 Dashboard, navigate to Applications > Applications, select your M2M app, and verify the credentials on the Settings tab.
Management API access denied
The M2M application must be explicitly authorized to access the Auth0 Management API. Navigate to Applications > APIs > Auth0 Management API > Machine to Machine Applications, find your application, and ensure the required scopes (read:users, create:users, update:users) are granted.
User creation fails with 409 Conflict
This occurs in Insert mode when a user with the same email already exists in the specified connection. Switch to Upsert mode to update existing users instead of failing.
User not found during update
In Update mode, the user must already exist in Auth0. If the user was created with a different email or in a different connection, the lookup may fail. Verify the email mapping is correct and consider using Upsert mode instead.
Rate limit exceeded
Auth0 enforces strict rate limits on the Management API. If you consistently hit rate limits, consider reducing the frequency of your syncs or upgrading your Auth0 plan. Zeotap automatically retries rate-limited requests with exponential backoff.
Fields not appearing on user profiles
Only recognized Auth0 user fields are set as top-level properties. Custom fields are automatically placed into user_metadata. To verify, check the user’s profile in the Auth0 Dashboard under User Management > Users and expand the user_metadata section.
Wrong connection specified
If users are being created in the wrong database connection, verify the Connection field in your Zeotap destination configuration matches the exact connection name shown in Authentication > Database in the Auth0 Dashboard. Connection names are case-sensitive.
Token expiry during long syncs
Management API access tokens obtained via client credentials are valid for 24 hours by default. Zeotap automatically refreshes the token before it expires. If you see intermittent authentication errors during very long syncs, verify your M2M application has not been disabled or its credentials rotated.