Summary
The behavior of custom claims returned by the PRE_SESSION_CREATION (pre-session) interceptor is under-documented, which led a developer to believe claim injection was broken when it was actually working as designed. The docs should state the full, current behavior explicitly.
Behavior to document
- No registration required. Custom claims returned in the interceptor response are automatically included in the access token under the
custom_claims key. No "custom attribute" dashboard configuration is needed.
- Supported auth methods. The pre-session interceptor fires for all auth methods: passwordless, SSO, OAuth, SAML, and passkeys.
- When it fires. The interceptor runs on every new session creation and on organization switch within an existing session.
- Organization switch. Claims returned during an organization switch are now injected into the access token as well (recently shipped). Document this so developers can rely on org-specific roles and claims being refreshed on switch.
- Persistence. Claims set at session creation persist for the session, so every access token issued for that session includes them.
Proposed work
Source
Surfaced through developer support. No code change is required for the core behavior; this tracks the documentation clarification.
Summary
The behavior of custom claims returned by the
PRE_SESSION_CREATION(pre-session) interceptor is under-documented, which led a developer to believe claim injection was broken when it was actually working as designed. The docs should state the full, current behavior explicitly.Behavior to document
custom_claimskey. No "custom attribute" dashboard configuration is needed.Proposed work
custom_claimsshape and the organization-switch behavior.custom_claimspopulated.Source
Surfaced through developer support. No code change is required for the core behavior; this tracks the documentation clarification.