Do's and Dont's - Stormpath Custom Data

Stormpath customData is a powerful way to store almost any data related to a user. It vastly expands integration to third party services and abolishes the need for user tables. (Read the docs) But with great power comes great responsibility. Here are some important considerations when storing custom user data in Stormpath.

Let’s start with the Don’ts, as they are the most important:


…Sensitive user data you have not encrypted.

Custom Data is stored in the data store unencrypted to support search functionality at a later date. Any sensitive customData should be encrypted using a strong encryption cipher, such as AES-256-CBC with a secure random Initialization Vector.

Always encrypt data your customers would consider sensitive, such as credit cards and social security numbers.

…Large quantities of binary data.

Each customData resource is restricted to 10MB in size. Large customData payloads will also be less efficient; if you need help with data model design, let us know. We are happy to help.

…Data that isn’t valid JSON.

Getting data into Stormpath requires that it be formatted as JSON, so all customData needs to be a valid name value pairs. The values can themselves be complex JSON objects as well. Binary data must be base-64 encoded as JSON cannot represent binary directly.


…Anything you would store in a user table.

Stormpath customData can store any JSON name-value pair, so what you store there is limited only to your imagination and the 10MB limit.

…IDs for 3rd party services.

Stripe. Google Authenticator. SendGrid. Part of the reason we are launching customData as a generic data map, is to remove all restrictions on what services you can integrate with Stormpath.

…Shared secrets.

Want users to set their own security questions for an added level of security? You can do that with custom data. Just be sure to encrypt it first!

…And lots more!

We will be posting lots of Guides for different ways to use customData. We’d love to hear your ideas!


Please try it out and share your feedback. This is the beta release of a big new feature, so we rely on you to tell us how to improve and expand. There are lots of options:

  • Hit us up in chat on
  • Email [email protected]
  • We also respond on Twitter @goStormpath

About Stormpath

Stormpath is a User Management API that reduces development time with instant-on, scalable user infrastructure. Stormpath’s intuitive API and expert support make it easy for developers to authenticate, manage, and secure users and roles in any application.