diff --git a/internal/start/start.go b/internal/start/start.go
index 9e7623379..b83776d9e 100644
--- a/internal/start/start.go
+++ b/internal/start/start.go
@@ -488,6 +488,29 @@ EOF
 "GOTRUE_SMS_VONAGE_FROM="+utils.Config.Auth.Sms.Vonage.From,
 )
 }
+ if utils.Config.Auth.Hook.MFAVerificationAttempt.Enabled {
+ env = append(
+ env,
+ "GOTRUE_HOOK_MFA_VERIFICATION_ATTEMPT_ENABLED=true",
+ "GOTRUE_HOOK_MFA_VERIFICATION_ATTEMPT_URI="+utils.Config.Auth.Hook.MFAVerificationAttempt.URI,
+ )
+ }
+
+ if utils.Config.Auth.Hook.PasswordVerificationAttempt.Enabled {
+ env = append(
+ env,
+ "GOTRUE_HOOK_PASSWORD_VERIFICATION_ATTEMPT_ENABLED=true",
+ "GOTRUE_HOOK_PASSWORD_VERIFICATION_ATTEMPT_URI="+utils.Config.Auth.Hook.PasswordVerificationAttempt.URI,
+ )
+ }
+
+ if utils.Config.Auth.Hook.CustomAccessToken.Enabled {
+ env = append(
+ env,
+ "GOTRUE_HOOK_CUSTOM_ACCESS_TOKEN_ENABLED=true",
+ "GOTRUE_HOOK_CUSTOM_ACCESS_TOKEN_URI="+utils.Config.Auth.Hook.CustomAccessToken.URI,
+ )
+ }
 for name, config := range utils.Config.Auth.External {
 env = append(
diff --git a/internal/utils/config.go b/internal/utils/config.go
index 6f2799678..3e2261c04 100644
--- a/internal/utils/config.go
+++ b/internal/utils/config.go
@@ -200,6 +200,7 @@ var Config = config{
 "workos": {},
 "zoom": {},
 },
+ Hook: hook{},
 JwtExpiry: 3600,
 JwtSecret: defaultJwtSecret,
 },
@@ -312,6 +313,7 @@ type (
 EnableRefreshTokenRotation bool `toml:"enable_refresh_token_rotation"`
 RefreshTokenReuseInterval uint `toml:"refresh_token_reuse_interval"`
 EnableManualLinking bool `toml:"enable_manual_linking"`
+ Hook hook `toml:"hook"`
 EnableSignup bool `toml:"enable_signup"`
 Email email `toml:"email"`
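Review bot: The three `if … .Enabled { env = append(…) }` blocks in this hunk are one piece of code repeated with the hook name substituted, and the pairing of env-variable name and config field has to be kept right by hand in each copy. A table of (prefix, enabled, uri) iterated once derives both variable names from a single string per hook; `hookConfig` is unexported in `utils`, so the table uses plain fields rather than that type. Note too that the URI is forwarded to GoTrue verbatim with only the non-empty check from `LoadConfigFS` (elsewhere in this diff) in front of it, which deserves a comment if that is intentional. The enclosing function starts and ends outside this hunk.
```go
// … unchanged: SMS provider env vars above …
// Each enabled auth hook becomes GOTRUE_HOOK_<PREFIX>_ENABLED/_URI; the URI is passed through as configured.
hooks := []struct {
	prefix  string
	enabled bool
	uri     string
}{
	{"MFA_VERIFICATION_ATTEMPT", utils.Config.Auth.Hook.MFAVerificationAttempt.Enabled, utils.Config.Auth.Hook.MFAVerificationAttempt.URI},
	{"PASSWORD_VERIFICATION_ATTEMPT", utils.Config.Auth.Hook.PasswordVerificationAttempt.Enabled, utils.Config.Auth.Hook.PasswordVerificationAttempt.URI},
	{"CUSTOM_ACCESS_TOKEN", utils.Config.Auth.Hook.CustomAccessToken.Enabled, utils.Config.Auth.Hook.CustomAccessToken.URI},
}
for _, h := range hooks {
	if !h.enabled {
		continue
	}
	env = append(env,
		"GOTRUE_HOOK_"+h.prefix+"_ENABLED=true",
		"GOTRUE_HOOK_"+h.prefix+"_URI="+h.uri,
	)
}
// … unchanged: external OAuth provider loop below …
```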
@@ -348,6 +350,17 @@ type (
 TestOTP map[string]string `toml:"test_otp"`
 }
+ hook struct {
+ MFAVerificationAttempt hookConfig `toml:"mfa_verification_attempt"`
+ PasswordVerificationAttempt hookConfig `toml:"password_verification_attempt"`
+ CustomAccessToken hookConfig `toml:"custom_access_token"`
+ }
+
+ hookConfig struct {
+ Enabled bool `toml:"enabled"`
+ URI string `toml:"uri"`
+ }
+
 twilioConfig struct {
 Enabled bool `toml:"enabled"`
 AccountSid string `toml:"account_sid"`
@@ -640,6 +653,25 @@ func LoadConfigFS(fsys afero.Fs) error {
 return err
 }
 }
+
+ if Config.Auth.Hook.MFAVerificationAttempt.Enabled {
+ if Config.Auth.Hook.MFAVerificationAttempt.URI == "" {
+ return errors.New("Missing required field in config: auth.hook.mfa_verification_atempt.uri")
+ }
+ }
+
+ if Config.Auth.Hook.PasswordVerificationAttempt.Enabled {
+ if Config.Auth.Hook.PasswordVerificationAttempt.URI == "" {
+ return errors.New("Missing required field in config: auth.hook.password_verification_attempt.uri")
+ }
+ }
+
+ if Config.Auth.Hook.CustomAccessToken.Enabled {
+ if Config.Auth.Hook.CustomAccessToken.URI == "" {
+ return errors.New("Missing required field in config: auth.hook.custom_access_token.uri")
+ }
+ }
+
 // Validate oauth config
 for ext, provider := range Config.Auth.External {
 if !provider.Enabled {
diff --git a/internal/utils/templates/init_config.test.toml b/internal/utils/templates/init_config.test.toml
index ca52dadc2..086b34dd8 100644
--- a/internal/utils/templates/init_config.test.toml
+++ b/internal/utils/templates/init_config.test.toml
@@ -110,6 +110,11 @@ template = "Your code is {{ `{{ .Code }}` }} ."
 [auth.sms.test_otp]
 4152127777 = "123456"
+[auth.hook.custom_access_token]
+enabled = true
+uri = "pg-functions://postgres/auth/custom-access-token-hook"
+
+
 # Configure one of the supported SMS providers: `twilio`, `twilio_verify`, `messagebird`, `textlocal`, `vonage`.
 [auth.sms.twilio]
 enabled = true
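Review bot: `hook` and `hookConfig` are introduced without doc comments, so nothing on the type says what `URI` must contain or that `Enabled` without a `URI` makes config loading fail (the check lives in `LoadConfigFS`, in this same diff). I would add `// hook groups the auth hooks configured under [auth.hook].` above `hook struct` and `// hookConfig switches one auth hook on; when Enabled, URI is required (enforced by LoadConfigFS) and is handed to GoTrue verbatim as GOTRUE_HOOK_<NAME>_URI.` above `hookConfig struct`. The `type (` group these definitions sit in starts and ends outside the hunk.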
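Review bot: The error on the `MFAVerificationAttempt` branch names the key as `auth.hook.mfa_verification_atempt.uri`, which does not match the struct tag `mfa_verification_attempt` added in this same diff, so a user would search their config for a key that cannot exist; the line should read `return errors.New("Missing required field in config: auth.hook.mfa_verification_attempt.uri")`. Beyond that typo, all three checks reject only an empty URI and otherwise pass the value through to GoTrue unchanged; both templates in this diff use a `pg-functions://…` URI, so if that is the only scheme the bundled GoTrue accepts, rejecting other schemes here (for example `url.Parse` plus a scheme comparison) would surface mistakes at `supabase start` rather than at the first login — hedged, as the supported scheme list is not visible from this diff. The three blocks are also identical apart from the field name and could share one loop that builds the error text from the key. `LoadConfigFS` starts and ends outside this hunk.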
diff --git a/internal/utils/templates/init_config.toml b/internal/utils/templates/init_config.toml
index cc39163d8..55ea84d62 100644
--- a/internal/utils/templates/init_config.toml
+++ b/internal/utils/templates/init_config.toml
@@ -110,6 +110,12 @@ template = "Your code is {{ `{{ .Code }}` }} ."
 [auth.sms.test_otp]
 # 4152127777 = "123456"
+# This hook runs before a token is issued and allows you to add additional claims based on the authentication method used.
+[auth.hook.custom_access_token]
+# enabled = true
+# uri = "pg-functions:////"
+
+
 # Configure one of the supported SMS providers: `twilio`, `twilio_verify`, `messagebird`, `textlocal`, `vonage`.
 [auth.sms.twilio]
 enabled = false
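Review bot: The placeholder `# uri = "pg-functions:////"` gives no hint of the expected shape, while the test template in this same diff uses `pg-functions://postgres/auth/custom-access-token-hook`; I would write the placeholder as `# uri = "pg-functions://postgres/auth/custom-access-token-hook"` (presumably database/schema/function — confirm against the GoTrue hook documentation) so a user who uncomments it gets a resolvable value. The leading comment should also say that claims added by this hook land in every issued access token that downstream APIs and row-level policies trust, so the function it points at needs the same scrutiny as authentication code, e.g. `# Claims added here end up in every issued JWT, so keep this function's logic and ownership tightly controlled.`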