> ## Documentation Index
> Fetch the complete documentation index at: https://docs-staging-actions-triggers-prototype.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

> Learn about the limitations involved with using Auth0 Actions.

# Actions Limitations

The following limitations exist when using Actions:

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  Learn more about Entity Limits, read: [Actions Entity Limits](/docs/troubleshoot/customer-support/operational-policies/entity-limit-policy#actions).
</Callout>

## Actions

* Each Action should not exceed 100 kB. The larger the size, the more latency is introduced, which may have an impact on the performance of your system. This size limit does not include any `npm` modules that may be referenced as part of any `require` statements.

## Actions Modules

* Each Action Module can have dependencies to NPM Modules, but not to other Actions Modules.
* **Actions Modules do not have their own runtime.** They run in the runtime of the Action that includes them.

<Warning>
  **When you build an Action Module, Auth0 builds it with the builder runtime. However, when the module is executed, it uses the runtime of the Action that imports it.**

  *Example:*

  *If your Action Module uses Node.js API calls that are deprecated in Node.js 22, Actions using Node.js 18 runtime will work fine, but Actions using Node.js 22 runtime will fail.*
</Warning>

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  Write Actions Modules using Node.js APIs that are compatible with all runtime versions you plan to support.
</Callout>

## Account Linking (setPrimaryUser)

* `primary_user_id` is limited to 128 characters
* `setPrimaryUser` can be called once per transaction
* Any userMetadata set in the same Action as `setPrimaryUser` is discarded and will be lost. Subsequent Actions within the same transaction will retain userMetadata on the new primary user.
* `setPrimaryUser` can not be used in the same transaction where a Rule sets `context.primaryUser.`

## Cached data

* Cached items persist for a maximum of 24 hours.
* A maximum of 20 entries can be cached per Trigger.
* Cache keys have a maximum size of 64 bytes and values have a maximum size of 4kB.
* The cumulative size of cached keys and their values must not exceed 8kB.
* The cache should be available for all Actions in the same trigger for a single execution reliably, however for subsequent executions (such as a different flow, another user login, or a user returning from a redirect action) it is not guaranteed.
* Actions that perform an Execution that yields back (such as a redirect) may result in subsequent actions being scheduled on a separate instance with a different cache state. Cached data could be inconsistent from one Action to the next even if it is the same execution.

## Executions

* Each execution of a trigger must complete in 20 seconds or less or the processing will end in an error. Limiting HTTP requests is the best way to keep within this time limit.
* Each execution of a trigger must complete in 20 seconds or less or the processing will end in an error. Limiting long-running processes, like outbound HTTP requests without a timeout, is necessary to keep within this time limit. An Action that [redirects users to an external page](/docs/customize/actions/explore-triggers/signup-and-login-triggers/login-trigger/redirect-with-actions) has a separate timeout before the redirect and after.
* A new `event.request` object is issued anytime an Action trigger is suspended and then subsequently resumed (for example, due to a redirect or <Tooltip tip="Management API: A product to allow customers to perform administrative tasks." cta="View Glossary" href="/docs/glossary?term=MFA">MFA</Tooltip> challenge).

## Logs

* A maximum of 256 characters may be persistently stored for `console.log()` outputs for each Action.
* Execution logs are retained for 10 days.

## Programming languages

* We do not support Typescript in actions. Source files must be written in JavaScript before being deployed.

## Secrets

* Each secret key may have a maximum length of 128 characters.
* Each secret value may have a maximum length of 4096 characters.

## SAML attributes

* A maximum of 100 <Tooltip tip="Multi-factor authentication (MFA): User authentication process that uses a factor in addition to username and password such as a code via SMS." cta="View Glossary" href="/docs/glossary?term=SAML">SAML</Tooltip> attributes can be changed or added by Actions.
* SAML attribute names have a maximum size of 1kB.
* SAML values have a maximum size of 2kB.
* The total SAML assertions have a maximum size of 10kB.

## SAML configuration

* `audience` has a maximum size of 2kB
* `recipient` has a maximum size of 2kB
* `destination` has a maximum size of 2kB
* `nameIdentifierFormat` has a maximum size of 0.5kB
* `nameIdentifierProbes` has a maximum of 10 probes with a maximum size of 0.5kB each
* `authnContextClassRef` has a maximum size of 0.5kB
* `signingCert` has a maximum size of 4kB
* `encryptionCert` has a maximum size of 4kB
* `encryptionPublicKey` has a maximum size of 4kB
* `cert` has a maximum size of 4kB
* `key` has a maximum size of 4kB

## Service requests

* Calls made to the Auth0 <Tooltip tip="Security Assertion Markup Language (SAML): Standardized protocol allowing two parties to exchange authentication information without a password." cta="View Glossary" href="/docs/glossary?term=Management+API">Management API</Tooltip> and User Metadata updates are [rate limited](/docs/troubleshoot/customer-support/operational-policies/rate-limit-policy/management-api-endpoint-rate-limits).
* HTTP calls to external services originate from [these IP addresses](/docs/secure/security-guidance/data-security/allowlist).

## Transaction metadata

* Is available only on [post-login Actions](/docs/customize/actions/explore-triggers/signup-and-login-triggers/login-trigger).
* Is not persisted beyond the completion of an authentication trigger.
* Cannot be accessed outside of the Actions within the same transaction.
* Keys are limited to 64 characters.
* Values are limited to 8 KB.
* Values only support `string`, `number`, and `boolean` types.
* Has a maximum total metadata size of 16 KB within the same transaction.
* Will not accept numbers that fail a safety check as valid values. Unsafe integer values should be safely serialized by the Developer. To learn more, read about [safe integers](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Number/isSafeInteger).

## Upstream tokens from external IdPs

* Retrieving External <Tooltip tip="Identity Provider (IdP): Service that stores and manages digital identities." cta="View Glossary" href="/docs/glossary?term=IdP">IdP</Tooltip> tokens from the Identities array

## User metadata and app metadata

* Each session may have a maximum of 32kB each of user metadata persistence and 32kB of app metadata persistence.

## Learn more

* [Understand How Auth0 Actions Work](/docs/customize/actions/actions-overview)