User Metadata Security Best Practices


Metadata fields store additional information for Sendbird users, allowing customers to save custom data for their users. This section outlines metadata features and provides guidelines for using it securely.

User metadata can be used to store additional information for each user. This information is exposed whenever the user is looked up, for example in user search results, in received chat messages, and in channel information queries.

Even if the application never displays metadata, the Sendbird server always returns it whenever a user is searched for. Because user metadata can be exposed to others, avoid storing personally identifiable information (PII) or any sensitive information that should not be shared. Before saving such data, always verify whether it is acceptable for it to be exposed.

A common mistake customers make is storing a user’s email, contact details, or actions in metadata and retrieving them through platform APIs. Avoid storing sensitive data such as real names and authentication information at all times.

Because metadata can be directly updated by users, it should not be fully trusted. To prevent unauthorized changes, you can disable the User Metadata Update ACL.

The User Metadata Update ACL allows users to modify their nickname and metadata. It is enabled by default when you create an app, so if this is not desired, make sure to turn it off.