Actions
Actions let you run custom JavaScript or TypeScript code at specific trigger points in the authentication flow. Use actions to add custom claims to tokens, log events to external services, or enrich user profiles after login.
Actions run in a secure Deno sandbox with network access, a 5-second time limit, and no access to the file system or environment variables of the Paylent server.
Triggers
Section titled “Triggers”Each environment supports one action per trigger. Two triggers are available:
Pre-Token
Section titled “Pre-Token”Runs synchronously before an access token is issued. Your code receives the token claims, user, and environment context. Return modified claims to customize the token.
Use cases:
- Add custom claims based on user metadata or role
- Set audience or scope dynamically
- Include organization context in the token
export default async function(event) { const { claims, user, environment } = event;
// Add a custom claim claims["https://myapp.com/role"] = "premium";
// Add organization info if available if (user.organization_id) { claims["org_id"] = user.organization_id; }
return { claims };}If the action throws an error or times out, the original claims are used unchanged (fail-open).
Post-Login
Section titled “Post-Login”Runs asynchronously after a user successfully logs in. Your code receives the user, environment, and login context (IP address, user agent, timestamp). The return value is ignored.
Use cases:
- Send a welcome message for first-time users
- Log the login event to an external analytics service
- Sync user data to a CRM
export default async function(event) { const { user, environment, login } = event;
// Notify an external service await fetch("https://myapp.example.com/api/user-login", { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify({ user_id: user.id, email: user.email, ip: login.ip_address, timestamp: login.timestamp, }), });}Post-login actions are fire-and-forget — errors do not affect the login flow.
Creating an Action
Section titled “Creating an Action”Via the Dashboard
Section titled “Via the Dashboard”Navigate to Actions in the sidebar. Click Create Action, select a trigger, and write your code in the built-in editor.
Via the Management API
Section titled “Via the Management API”curl -X POST https://acme-test.paylent.com/api/actions \ -H "Authorization: Bearer ACCESS_TOKEN" \ -H "Content-Type: application/vnd.api+json" \ -d '{ "data": { "type": "action", "attributes": { "name": "Add custom claims", "trigger": "pre_token", "code": "export default async function(event) {\n const { claims } = event;\n claims[\"custom\"] = \"value\";\n return { claims };\n}", "enabled": true } } }'Event Context
Section titled “Event Context”Pre-Token Event
Section titled “Pre-Token Event”| Field | Type | Description |
|---|---|---|
claims | object | The JWT claims that will be included in the token |
user | object | The authenticated user (id, email, first_name, last_name) |
environment | object | The current environment context |
Post-Login Event
Section titled “Post-Login Event”| Field | Type | Description |
|---|---|---|
user | object | The user who just logged in |
environment | object | The current environment context |
login.ip_address | string | The client’s IP address |
login.user_agent | string | The client’s user agent string |
login.timestamp | string | ISO 8601 timestamp of the login |
Limits
Section titled “Limits”| Limit | Value |
|---|---|
| Code size | 64 KB |
| Execution time | 5 seconds |
| Actions per trigger | 1 |
| Network access | Allowed (outbound HTTP) |
| File system access | None |
Enabling and Disabling
Section titled “Enabling and Disabling”Actions can be toggled on and off without deleting them. A disabled action is skipped entirely — it does not count against the one-action-per-trigger limit.
curl -X PATCH https://acme-test.paylent.com/api/actions/ACTION_ID \ -H "Authorization: Bearer ACCESS_TOKEN" \ -H "Content-Type: application/vnd.api+json" \ -d '{ "data": { "type": "action", "id": "ACTION_ID", "attributes": { "enabled": false } } }'