docs: add security note for custom claims in self-hosted deployments (#1378)

gao-sun · claude · web-flow · commit 1f099ef85762 · 2026-03-15T06:20:03.000Z
docs: add security note for custom JWT scripts in self-hosted deployments

Co-authored-by: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/docs/developers/custom-token-claims/README.mdx b/docs/developers/custom-token-claims/README.mdx
@@ -47,8 +47,12 @@ sequenceDiagram
   end
 ```
 
+:::info
+Logto built-in token claims cannot be overridden or modified. Custom claims will be added to the token as additional claims. If any custom claims conflict with the built-in claims, those custom claims will be ignored.
+:::
+
 :::warning
-Logto build-in token claims can NOT be overridden or modified. Custom claims will be added to the token as additional claims. If any custom claims conflict with the built-in claims, those custom claims will be ignored.
+Security note: In self-hosted deployments, custom JWT scripts are executed with the same privileges as the Logto server process. This feature is intended for trusted administrators only. Do not allow untrusted or lower-privilege users to create, modify, or test these scripts.
 :::
 
 ## Related resources \{#related-resources}
