Stormpath Custom User Data

The most-requested feature has just been added to Stormpath. Custom user data is here.

“I want to add my own data to Accounts and Groups in Stormpath, so I can keep all my user data in one place and not have to build and manage user tables in my DB.”

You can now store any user data in Stormpath, associated either with an individual account or with a group in a new customData resource. customData has MANY applications, and broadly expands how you can use Stormpath. We will be outlining some cool How-Tos in the coming weeks and months, but here’s a quick preview:

With customData, Stormpath can now store…

  • User information, such as an address, attribute, or Credit Card*
  • A user’s or group’s subscription level or permissions
  • IDs for third party services such as Stripe, Facebook, or Google Authenticator

How It Works

Full documentation is here. customData is currently available to users of our REST API, and Java SDK. We will be expanding the functionality into the other SDKs soon.

The customData resource is a schema-less JSON-compatible object (aka ‘map’, ‘associative array’, or ‘dictionary’) that allows you to specify whatever name/value pairs you wish.

Each account or group resource can have up to 10MB of customData.

You can store anything you want in this map without restriction – Stormpath doesn’t interpret, inspect or perform any logic against this data.


In order to allow for Search functionality, Stormpath does not encrypt customData(or any other data except passwords), so if you want to store anything you consider sensitive information, such as a credit card or social security number, you must encrypt it before POSTing it to the Stormpath API. We recommend you use a strong encryption cipher, such as AES-256-CBC with a secure random Initialization Vector.

All customData will be stored as a JSON-object, so you will need to Base-64 encode any binary data, such as encrypted data, before sending it to Stormpath.

Why It Matters

customData is a powerful tool that broadly expands what developers can do in Stormpath. You no longer need to maintain a user table in your application, which significantly reduces complexity and maintenance. From fine-grained permissions to SCIM, the applications are many. You can even store custom security questions or IDs for third-party services.

Our goals for customData are straightforward:

  • Make Stormpath more than just a credential store. customData can help replace DB-based user tables if you wish.
  • Reduce the data modeling burden around groups and roles.
  • Allow developers to hang user permissions and profiles off an account and/or group, making security policies, subscriptions, and user types easier to manage.
  • Lay the groundwork for other account-specific profile data we’re working on.


Please try it out and share your feedback. This is the beta release of a big new feature, so we rely on you to tell us how to improve and expand. There are lots of options:

  • Hit us up in chat on
  • Email [email protected]
  • We also respond on Twitter @goStormpath

About Stormpath

Stormpath is a User Management API that reduces development time with instant-on, scalable user infrastructure. Stormpath’s intuitive API and expert support make it easy for developers to authenticate, manage, and secure users and roles in any application.