Hey,
I wanted to know if the data under the user auth is considered secure, and if it comes under the access token so users can’t manipulate it.
All of the data you have in the user object are not sensitive in terms of exploitation of your whole app. Meaning that no one, unless they steal the user object data from a Super Admin user (if you have any) can abuse this info to do any harm on the application level. They can can only abuse the part that is accessible to the user in question who gets their identity stolen. This is more of a user problem than an app problem, meaning that you can consider this a non threat and should educate your users so that they don’t get impersonated in your app. Users can manipulate it, but they can’t forge it.