<@U04UQ68083H> I want to create an access_token wit...
# ory-copilot
@chilly-king-10285 I want to create an access_token with claims based on an API call with the user email. How can I set that up?
A message from kapa.ai
To create an access token with custom claims based on an API call with the user email, you can follow these steps:

1. First, you need to make an API call to get the user's email. This could be done through a social sign-in provider like Auth0 or GitLab, as described in the [Auth0](https://www.ory.sh/docs/kratos/social-signin/auth0) and [GitLab](https://www.ory.sh/docs/kratos/social-signin/gitlab) documentation. Ory makes a request to the provider's API and adds the user info to `std.extVar('claims')`.
2. Once you have the user's email, you can add it as a custom claim to the access token during consent acceptance. Here's an example of how to do this:

```typescript
import { Configuration, OAuth2Api } from "@ory/client"

// Admin client for the Ory project; the API key authorizes consent handling.
const ory = new OAuth2Api(
  new Configuration({
    basePath: `https://${process.env.ORY_PROJECT_SLUG}.projects.oryapis.com`,
    accessToken: process.env.ORY_API_KEY,
  }),
)

export async function acceptConsent(consentChallenge: string) {
  // Fetch the consent request that belongs to this challenge.
  const { data } = await ory.getOAuth2ConsentRequest({ consentChallenge })

  // Accept the consent request and attach custom claims to the session.
  return await ory
    .acceptOAuth2ConsentRequest({
      consentChallenge: consentChallenge,
      acceptOAuth2ConsentRequest: {
        session: {
          // Claims added to the access token.
          access_token: {
            user_email: "user's email",
          },
          // Claims added to the ID token.
          id_token: {
            id_custom_claim: "some_value",
          },
        },
      },
    })
    .then(({ data }) => data)
}
```

This code is based on the example provided in the [Ory documentation](https://www.ory.sh/docs/oauth2-oidc/jwt-access-token). Replace `"user's email"` with the actual email you obtained from the API call.

3. If you want the custom claim to be added to the top level in the access token, you need to modify the `/oauth2/allowed_top_level_claims` configuration:

```bash
ory patch oauth2-config {project.id} \
  --replace "/oauth2/allowed_top_level_claims=[\"user_email\"]"
```

This command is also based on the example provided in the [Ory documentation](https://www.ory.sh/docs/oauth2-oidc/jwt-access-token). Please note that the actual implementation may vary depending on your specific use case and setup.