adobe · purplecabbage · Nov 10, 2025 · Oct 24, 2025 · Oct 24, 2025 · Oct 24, 2025
diff --git a/src/commands/app/deploy.js b/src/commands/app/deploy.js
@@ -26,7 +26,7 @@ const {
 const rtLib = require('@adobe/aio-lib-runtime')
 const LogForwarding = require('../../lib/log-forwarding')
 const { sendAppAssetsDeployedAuditLog, sendAppDeployAuditLog } = require('../../lib/audit-logger')
-const { setRuntimeApiHostAndAuthHandler, getAccessToken } = require('../../lib/auth-helper')
+const { setRuntimeApiHostAndAuthHandler, getAccessToken, getTokenData } = require('../../lib/auth-helper')
 const logActions = require('../../lib/log-actions')
 
 const PRE_DEPLOY_EVENT_REG = 'pre-deploy-event-reg'
@@ -68,6 +68,8 @@ class Deploy extends BuildCommand {
 
       if (cliDetails?.accessToken) {
         try {
+          // store user id from token data for cdn deploy audit metadata
+          appInfo.auditUserId = getTokenData(cliDetails.accessToken)?.user_id
           // send audit log at start (don't wait for deployment to finish)
           await sendAppDeployAuditLog({
             accessToken: cliDetails?.accessToken,
@@ -131,7 +133,7 @@ class Deploy extends BuildCommand {
       for (let i = 0; i < keys.length; ++i) {
         const k = keys[i]
         const v = setRuntimeApiHostAndAuthHandler(values[i])
-
+        v.auditUserId = appInfo.auditUserId
         await this.deploySingleConfig({ name: k, config: v, originalConfig: values[i], flags, spinner })
         if (cliDetails?.accessToken && v.app.hasFrontend && flags['web-assets']) {
           const opItems = getFilesCountWithExtension(v.web.distProd)

diff --git a/src/lib/auth-helper.js b/src/lib/auth-helper.js
@@ -90,8 +90,22 @@ const setRuntimeApiHostAndAuthHandler = (_config) => {
   }
 }
 
+/**
+ * Decodes a JWT token and returns its payload as a JavaScript object.
+ *
+ * @function getTokenData
+ * @param {string} token - The JWT token to decode
+ * @returns {object} The decoded payload of the JWT token
+ * @throws
+ */
+const getTokenData = (token) => {
+  const [, payload] = token.split('.', 3)
+  return JSON.parse(Buffer.from(payload, 'base64'))
+}
+
 module.exports = {
   getAccessToken,
+  getTokenData,
   bearerAuthHandler,
   setRuntimeApiHostAndAuthHandler
 }
diff --git a/test/commands/lib/auth-helper.test.js b/test/commands/lib/auth-helper.test.js
@@ -1,4 +1,4 @@
-const { getAccessToken, bearerAuthHandler, setRuntimeApiHostAndAuthHandler } = require('../../../src/lib/auth-helper')
+const { getAccessToken, bearerAuthHandler, setRuntimeApiHostAndAuthHandler, getTokenData } = require('../../../src/lib/auth-helper')
 const { getToken, context } = require('@adobe/aio-lib-ims')
 const { CLI } = require('@adobe/aio-lib-ims/src/context')
 const { getCliEnv } = require('@adobe/aio-lib-env')
@@ -57,6 +57,17 @@ describe('getAccessToken', () => {
   })
 })
 
+describe('getTokenData', () => {
+  test('should decode JWT token and return payload', () => {
+    // Example JWT token with payload: {"user_id":"12345","name":"Test User"}
+    const exampleToken = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoiMTIzNDUiLCJuYW1lIjoiVGVzdCBVc2VyIn0.sflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'
+
+    const result = getTokenData(exampleToken)
+
+    expect(result).toEqual({ user_id: '12345', name: 'Test User' })
+  })
+})
+
 describe('bearerAuthHandler', () => {
   beforeEach(() => {
     jest.clearAllMocks()