Token Claims Hook
The database hook that enriches every access token with identity, email, role and permission claims.
Hook function
public.custom_access_token_hook runs on every token mint.
Execution
Execute is granted only to supabase_auth_admin — never to clients.
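One way to apply and then audit this restriction, as an added example that is not the project's own migration. It assumes the standard Supabase hook signature (event jsonb) and Supabase's default anon, authenticated and service_role roles, none of which are stated on this page:

```sql
-- Added example. Assumptions: hook signature is (event jsonb); the roles
-- anon, authenticated and service_role exist, as on a default Supabase project.

-- PostgreSQL grants EXECUTE on new functions to PUBLIC by default, so the
-- restriction has to be made explicit before the single grant is added.
revoke execute on function public.custom_access_token_hook(jsonb)
  from public, anon, authenticated, service_role;

grant usage on schema public to supabase_auth_admin;
grant execute on function public.custom_access_token_hook(jsonb)
  to supabase_auth_admin;

-- Audit: list every role that can still call the hook, directly or through
-- inherited membership. Superusers and the function owner always can, so
-- they are excluded; anything else besides supabase_auth_admin is a finding.
do $$
declare
  hook constant regprocedure :=
    'public.custom_access_token_hook(jsonb)'::regprocedure;
  offenders text;
begin
  select string_agg(r.rolname, ', ' order by r.rolname)
    into offenders
  from pg_roles r
  join pg_proc p on p.oid = hook
  where not r.rolsuper
    and r.oid <> p.proowner
    and r.rolname <> 'supabase_auth_admin'
    and has_function_privilege(r.oid, hook, 'EXECUTE');

  if offenders is not null then
    raise exception
      'custom_access_token_hook is still executable by: %', offenders;
  end if;

  raise notice 'custom_access_token_hook: only supabase_auth_admin can execute';
end
$$;
```

Re-running the audit block after later migrations catches a grant that was reintroduced when the function was dropped and recreated.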
Activation
Enable under Authentication → Hooks → Custom Access Token, pointing to the function above.
Claim mapping
| Claim | Source | Notes |
|---|---|---|
| cargo_account_number | profiles.cargo_account_number | Immutable account identifier. |
| username | profiles.username | Public handle, if claimed. |
| user_type | profiles.user_type | client / internal classification. |
| identity_type | profiles.identity_type | person / organization / service. |
| full_name | profiles.full_name | Display name. |
| login_email | user_emails (is_login) | Canonical sign-in email. |
| roles | user_roles | All assigned roles. |
| permissions | resolve_user_permissions() | Effective keys: roles + grants − revokes. |
