Auth0 impersonation deprecated.. What should I use instead?

Tags: reactjs


I think you can achieve this without passing the user ID in the API call, as it is not secure to do so.

If your admin wants to view the website as your client, and if you want the user ID for fetching the user data, then you can add the user ID in a field called metadata provided by Auth0, and add the metadata field in the access token using rules.

So basically you would get the user ID from your access token only, as you do in the general case.

Now, in your controller, check whether the access token has a user ID; if you find one, use that ID to get the other data.

Following this approach, you do not need to pass any additional data, and everything would be handled using the access token only.

For a more secure approach, in the controller, along with the above-mentioned check, you can check for the role also to verify that it has the admin role.

For adding the rule in Auth0, here is the code that you need to use:

    function (user, context, callback) {
      // The currently requested scopes can be accessed as follows:
      // context.request.query.scope.match(/\S+/g)
      // Add the following line in this function additionally.
      // Note: Auth0 rules only keep custom claims whose name is namespaced with a
      // URL (a non-namespaced claim such as 'metadata' is silently dropped from
      // the token), so the claim is written under a namespace here; replace
      // 'https://example.com/' with your own.
      context.accessToken['https://example.com/metadata'] = user.user_metadata;
      callback(null, user, context);
    }
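The controller-side check described in this answer, written out as an added example (this is not code from the original answer or from Auth0): the API resolves which user a request acts as purely from the verified access-token claims, and honours the impersonation field only when the same token also carries the admin role. It assumes the token has already been verified (signature, issuer, audience, expiry) by middleware such as express-jwt and exposed as `req.auth`; the namespace `https://example.com/`, the `roles` claim, and the `impersonate_user_id` field inside the metadata claim are all assumptions for this example.

```javascript
// Added example: resolving the effective user from verified access-token claims.
// Assumption: the Auth0 rule wrote the admin's user_metadata and roles under
// namespaced claims using the prefix below (replace with your own namespace).
const NAMESPACE = 'https://example.com/';

// Returns { userId, actor, impersonating } or throws if the token is unacceptable.
function resolveEffectiveUser(claims, namespace = NAMESPACE) {
  if (!claims || typeof claims.sub !== 'string' || claims.sub.length === 0) {
    throw new Error('token has no subject');
  }
  const metadata = claims[namespace + 'metadata'];
  const roles = claims[namespace + 'roles'] || [];
  const target = metadata && metadata.impersonate_user_id;

  // No impersonation requested: the caller acts as themselves (the normal case).
  if (!target) {
    return { userId: claims.sub, actor: claims.sub, impersonating: false };
  }
  // Impersonation requested: apply the role check from the answer. A token that
  // carries the metadata field without the admin role is rejected rather than
  // silently downgraded, so the condition is visible in the API's error logs.
  if (!Array.isArray(roles) || !roles.includes('admin')) {
    throw new Error('impersonation claim present without admin role');
  }
  // Only accept an identifier-shaped target (Auth0 user IDs look like 'auth0|...').
  if (typeof target !== 'string' || !/^[A-Za-z0-9|_-]+$/.test(target)) {
    throw new Error('malformed impersonation target');
  }
  return { userId: target, actor: claims.sub, impersonating: true };
}

// Express-style handler using the resolver; req.auth is the verified payload.
function profileHandler(req) {
  const who = resolveEffectiveUser(req.auth);
  if (who.impersonating) {
    // Keep an audit trail of who is viewing as whom.
    console.log(`audit: ${who.actor} is viewing as ${who.userId}`);
  }
  return { status: 200, body: { profileOf: who.userId } };
}

// Constructed sample claim sets (decoded-payload shape, not real tokens).
const regularUserClaims = {
  sub: 'auth0|user123',
  [NAMESPACE + 'roles']: ['user'],
};
const adminImpersonatingClaims = {
  sub: 'auth0|admin1',
  [NAMESPACE + 'roles']: ['admin'],
  [NAMESPACE + 'metadata']: { impersonate_user_id: 'auth0|user123' },
};
// A non-admin token that somehow carries the impersonation field: must be rejected.
const forgedClaims = {
  sub: 'auth0|user999',
  [NAMESPACE + 'metadata']: { impersonate_user_id: 'auth0|user123' },
};

console.log(resolveEffectiveUser(regularUserClaims));
console.log(profileHandler({ auth: adminImpersonatingClaims }));
try {
  resolveEffectiveUser(forgedClaims);
} catch (e) {
  console.log('rejected:', e.message);
}
```

The resolver never reads a user ID from the request body or query string, which is the point of the answer: the only source of identity is the token the middleware already verified, and the role check makes the impersonation field useless in a token that Auth0 issued to a non-admin.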


Impersonation usually works with non-sensitive data. You could, for example, take the public username or an email address along with the admin user's session to create an impersonated session. Your API can take the request from there, verifying the permission of the admin-user-session-key, validating the impersonatable-username, and finally returning a new impersonated session.

Example request:

    {
      session: '<admin-user-session-key>',
      username: '<impersonatable-username>'
    }