> ## Documentation Index > Fetch the complete documentation index at: https://stytch.com/docs/llms.txt > Use this file to discover all available pages before exploring further. # Implement RBAC with metadata (legacy) > Use trusted metadata to store roles when you can’t adopt native RBAC yet. This legacy approach uses `trusted_metadata` on the User object to store role information and enforce authorization in your application. For new integrations, use native [RBAC policies](/consumer-auth/authorization/create-rbac-policy) instead. This guide is provided for backward compatibility. Native RBAC provides a dedicated policy model, Dashboard management, and SDK support. Decide on the roles your application needs (for example `admin`, `editor`, `viewer`) and what actions each role should allow. Use `trusted_metadata` to store roles when creating or updating a User. Only your backend can write trusted metadata. ```curl theme={null} curl --request POST \ --url https://test.stytch.com/v1/users \ -u 'PROJECT_ID:SECRET' \ -H 'Content-Type: application/json' \ -d '{ "email": "user@example.com", "trusted_metadata": { "roles": ["admin"] } }' ``` After authenticating a session, fetch the User and read roles from `trusted_metadata`. ```js theme={null} const stytch = require('stytch'); const client = new stytch.Client({ project_id: 'PROJECT_ID', secret: 'SECRET', }); const sessionResp = await client.sessions.authenticate({ session_token: 'SESSION_TOKEN', }); const userResp = await client.users.get({ user_id: sessionResp.user_id, }); const roles = userResp.trusted_metadata?.roles || []; ``` Use the roles stored in `trusted_metadata` to decide whether to honor requests. ```js theme={null} if (!roles.includes('admin')) { return res.status(403).send('unauthorized'); } ``` ## What's next * [Create an RBAC policy](/consumer-auth/authorization/create-rbac-policy) * [Assign roles to users](/consumer-auth/authorization/assigning-roles-to-users)