Changelog

Information on the latest updates and additions to the Auth0 platform.

Delegated Administration Extension

v4.8.1 — Custom Domain Hook

Added support for a new Custom Domain Hook in the Delegated Administration Extension. This hook allows you to customize behavior when Multiple Custom Domains are in use.

v4.8.3 — Compatibility fix for deprecation of enabled_clients on connections

The extension has been updated to remove its dependency on the deprecated enabled_clients field on connections. If your tenant uses the Delegated Administration Extension, you may have been seeing deprecation warning errors in your tenant logs. This release resolves that.

Action recommended before July 15: Auth0 is deprecating legacy management of a connection's enabled clients. See the deprecation notice for full details. Updating to v4.8.3 ensures the extension is compatible with this change.

Upgrading

Not on v4.8.x: Manually update the extension in your Auth0 tenant by navigating to Extensions → Installed Extensions, locating the Delegated Administration Extension, and clicking Update.

Already on v4.8.x: No action required — the patch has been automatically applied.

Google Workspace Directory Sync for Groups - Expanded Early Access (EA)

We are excited to announce the next phase of our Google Workspace Directory Sync for Groups Early Access!

Building on our initial Early Access release, this update introduces Partial Group Sync, giving you exact control over which Enterprise Groups to import from your Google Workspace Directory into Auth0.

What's new:

  • Targeted Group Sync: Instead of syncing your entire directory, you can now choose to synchronize only a specific subset of your Google Workspace groups. Easily manage your selected groups through either the Management Dashboard or Management API.

How to join Early Access: To join the EA program, please complete the EA Terms & Conditions form and contact your Auth0 Account Team to request activation and supporting documentation.

Multi-Resource Refresh Tokens (MRRT) is now Generally Available

Following the successful Early Access period that began on August 11, 2025, we are excited to announce that MRRT is now available to all customers with full production support. This is a powerful enhancement that simplifies token management and modernizes app architecture across both native and web platforms.

What's New in GA

✨ Auth0 Dashboard Support

  • Configure MRRT policies directly in the Dashboard — No more Management API-only configuration
  • Visual refresh token policy editor — Easily add, remove, and modify audience/scope policies for your applications
  • Application settings integration — MRRT configuration is now available under the Application > Settings page

🔒 Enhanced Security with Client Grants Integration

  • Client Grants enforcement — MRRT now respects Client Grants restrictions, ensuring applications can only request access tokens for APIs they are authorized to access
  • Improved validation — Better error messages when attempting to configure unauthorized audience/scope combinations

🐛 Bug Fixes and Improvements (based on EA feedback)

  • Fixed: Token exchange now properly validates scopes against both MRRT policy and Resource Server definitions
  • Fixed: Improved error handling when requesting access tokens for deleted or modified Resource Servers
  • Fixed: org_id claim is now correctly preserved in access tokens when using MRRT with Organizations
  • Fixed: Refresh token rotation works correctly when exchanging tokens for different audiences
  • Improved: Better logging in tenant logs (type: sertft) for MRRT token exchanges
  • Improved: More descriptive error messages for unauthorized audience requests

📦 SDK Updates

  • iOS SDK (Auth0.swift) — Full GA support
  • Android SDK (Auth0.Android) — Full GA support

🛠️ Developer Tooling

  • Auth0 CLI — Full support for configuring MRRT policies
  • Terraform Provider — Complete resource configuration for refresh token policies
  • Auth0 Deploy CLI — Full support for managing MRRT configurations in deployment pipelines

Documentation Links

Early Access availability of DPoP sender constraining for Enterprise Connections

Demonstrating Proof of Possession (DPoP) sender constraining for Enterprise Connections is now available in Early Access. Customers can now establish Okta and OIDC Enterprise Connections with DPoP enabled on those connections. This is available on all plans with Enterprise Connections.

DPoP for Enterprise Connections enables Auth0 to generate DPoP proofs when performing token exchange and calling userinfo endpoints on upstream OIDC and/or Okta connections. DPoP is a core building block of FAPI2 and IPSIE (Identity Proofing and Secure Identity Exchange) ecosystems. It provides a lightweight, standards-based way to enforce proof-of-possession (of a private key) without the operational overhead of mTLS token binding.

Please see product documentation for details.

Universal Login — "Forgot Password" CTA updated to "Reset Password"

The call to action for the Universal Login forgot password flow has been updated from "Forgot Password" to "Reset Password." This aligns all Universal Login CTAs to be action-oriented. The updated text is available across all languages supported by Auth0. Customers who want to keep the original "Forgot Password" text can restore it via language customization at Branding > Universal Login > Edit text and translations.

Learn more: https://auth0.com/docs/customize/login-pages/universal-login/customize-text-elements

My Organization API and Embeddable UI Components - Organization Details and IdP Management in Early Access!

We are excited to announce the Early Access (EA) release of the My Organization API and a library of Embeddable UI Components for Organization Detail and Identity Provider Management. Every B2B product needs an admin console for customers to manage their own members and security. This new feature set empowers B2B SaaS developers to deliver a robust self-service experience for admins in a matter of days, not months.

The My Organization API removes the need to build complex interfaces from scratch. With a secure governance layer that integrates seamlessly with your application, developers can easily deliver sophisticated, branded admin portals that meet the needs of even the largest customers without extra operational overhead.

Key Highlights:

My Organization System API: A purpose-built API designed for secure, scalable delegated administration, allowing customers to manage organization details and identity providers directly.

Embeddable UI Components: A library of white-label building blocks that can be dropped into any application to provide instant self-service management for SSO, domains, and members.

Security-First Primitives: Built-in support for cryptographically bound tokens via DPoP and automatic step-up authentication that triggers inline MFA for privileged actions.

Intelligent Onboarding: A new Dashboard-based onboarding wizard that simplifies configuration with safe defaults, automated entity setup, and a test environment.

B2B Observability and Governance: Enhanced tenant logs and per-organization rate limiting ensure full visibility into administrative actions while protecting tenant stability.

Interactive Developer Tools: A modernized API Explorer and extensive SDK support across multiple languages allow developers to integrate and test administrative activity at scale.

Why This Matters:

This release moves beyond simple API access to a unified governance layer for human and machine identity. Modern primitives like automatic least privilege ensure that administrative sessions are always secure and context-aware. The result? Enterprise buyers can now get the granular access levels and organization-specific rate limits they expect without the complexity of building custom backend middleware yourself.

This feature is available for all tenants. To begin, navigate to the Applications > APIs section of your Dashboard to activate the My Organization API.

To learn more, read the My Organization API documentation and if you have any feedback, give us a shout in our community channel!

Akamai Supplemental Signals is Now GA

Auth0 Akamai Supplemental Signals is now GA and available across the full authentication lifecycle.

This update allows developers to ingest risk scores and edge intelligence from Akamai Bot Manager and Account Protector into several new Action triggers: Pre-User Registration, Post-User Registration, Post-Challenge, and Post-Change Password.

By integrating these signals directly into the Auth0 pipeline, organizations can stop automated bot signups before an account is created and enforce real-time security logic during critical events like password resets or MFA challenges.

To learn more about Akamai Supplemental Signals and how to set it up, review our online documentation here.

Express Submission to the Okta Integration Network

Auth0 developers leveraging Express Configuration with Okta now have a more streamlined process for submitting their application to the Okta Integration Network.

The Okta Integration Network (OIN) Wizard has been updated with a new section for Auth0 developers that automatically populates the required configuration fields for OpenID Connect (OIDC), System for Cross-domain Identity Management (SCIM), and Global Token Revocation (GTR) integrations, based on information sourced from the Auth0 Dashboard.

To learn more about Express Configuration with Okta and the Okta Integration Network (OIN), click here.

Multiple Custom Domains General Availability

We’re excited to announce that Multiple Custom Domains (MCD) is now Generally Available.

With Multiple Custom Domains, Enterprise customers can support multiple branded login experiences from a single Auth0 tenant. This helps you deliver more tailored authentication experiences across consumer applications, multi-brand businesses, and B2B SaaS use cases.

MCD GA includes support for:

  • Configuring custom domains at scale within a single tenant
  • A default domain for streamlined development and testing
  • Passkey enrollment on custom domains
  • B2B SaaS Self-Service SSO customizations
  • Custom domain metadata in Advanced Customizations for Universal Login (ACUL)
  • Support across Management SDKs, Authentication SDKs, and Forms

Visit Auth0 docs to get started.

Introducing the Developer Preview Release Stage

We are excited to introduce Developer Preview, a new product release stage designed to get upcoming capabilities into your hands faster!

Developer Preview serves as a new release phase for new Auth0 product introductions. We utilize this stage when a new product capability will eventually be a paid feature, but we want to grant you access before the official pricing is applied.

Key Highlights:

  • Free Production Access: You can use Developer Preview features in your production environments for free during the preview period.
  • Clear Expectations: Participating in a Developer Preview provides a clear signal that the feature will include a paid component once it reaches General Availability (GA).
  • Help Shape the Product: Getting these features to you early allows us to collect valuable feedback to iterate on prior to the GA launch.

To participate in an active Developer Preview, you will simply need to sign up and accept the specific opt-in requirements for that feature.

To learn more about how Developer Preview fits into our overall release process, visit our updated Product Release Stages documentation.

Customize Signup and Login Prompts: Dashboard UI, Passkey Support, and Custom Database Access

You can now manage custom authentication screen partials directly in the Auth0 dashboard with a purpose-built visual editor. Instead of encoding HTML as strings and sending them through the API, you get a proper code editor with syntax highlighting and live feedback.

Custom Prompts Dashboard UI

The editor includes supporting tools:

  • Code snippet library: pre-built snippets for common use cases like first and last name, phone number, terms of service checkboxes, and more, ready to insert with a click
  • Template variable reference: a clickable list of all context variables available in the partial, for quick insertion without leaving the editor
  • Actions shortcut: open Actions in a new window directly from the editor
  • Interactive preview: click into entry points to edit HTML inline, see visually which entry point each element belongs to, and toggle entry point wrappers off to preview what the prompt looks like in the login flow

This update also expands what's possible with partials:

  • Passkey screens: customize passkey authentication screens anywhere they appear in your flow; data capture is supported in the signup flow
  • Custom database connections: data captured from partials is now surfaced in custom database connection scripts

Head over to the Auth0 Docs to learn more.

Session ID Rotation for SAML and WS-Fed Authentication

What's new:

We've updated session handling in SAML-P and WS-Fed authentication flows to align with industry best practices and our existing OAuth2/OIDC behavior. Following a successful login via SAML-P or WS-Fed, the session ID will now be rotated and a new session cookie will be issued.

What this means for you:

If your implementation includes client-side logic, downstream services, or integrations that read or store session IDs across SAML-P or WS-Fed login flows, you will now receive a new session ID after authentication completes. Please review and update any such implementations accordingly.

This change brings SAML-P and WS-Fed session handling in line with the existing behavior of OAuth2 and OIDC flows, ensuring consistent and secure session management across all authentication protocols.

Introducing the New Spring Boot API SDK

We are excited to announce the release of auth0-springboot-api, a new official SDK designed to streamline authentication and security for Spring Boot backend applications.

Key Benefits:

  • Supports Spring Boot 3.2+ (Java 17+) and is built for the modern filter-chain pattern. Developers can secure an API by injecting Auth0AuthenticationFilter into their SecurityFilterChain — just configure auth0.domain and auth0.audience in application.yml and go.
  • Abstracts the complexity of JWT validation. Developers no longer need to write fragile boilerplate code to check Audiences or Issuers. The SDK handles JWKS fetching, token validation, and scope-to-authority mapping (SCOPE_ prefix) out of the box.
  • Supports DPoP with flexible enforcement modes (Allowed, Required, Disabled). Enterprise customers can enforce proof-of-possession token security per RFC 9449 with a single config property — no controller changes needed.

Getting Started:

Google Workspace Directory Sync for Groups - Now in Early Access

We’re excited to announce that Google Workspace Directory Sync for Groups is now available in Early Access (EA)!

This enhancement enables the automatic and reliable sync of group structures and memberships from Google Workspace directly into Auth0 Enterprise Groups.

Key Highlights:

  • Automated group synchronization: Continuously mirror your Google Workspace groups into Auth0 to ensure your roles and access permissions remain accurate and up to date without manual intervention or relying on login events.
  • Streamlined "Sync All" functionality: Enable groups synchronization for your entire Google Workspace Enterprise Connection through either the Management Dashboard or Management API in one step.
  • View groups in Auth0: Groups provisioned using Google Workspace Directory Sync for Groups can be viewed in the Management Dashboard under Enterprise Groups, or retrieved through the Management API.
  • Sync groups from Auth0 to external systems: Users and groups provisioned inbound to Auth0 can be synchronized outbound to external systems using Auth0’s Event streams feature.
  • Use groups in the Post-Login Action: Use group information pushed from Enterprise identity providers in your Auth0 post-login actions to make access control and authorization decisions in Auth0.

To join the EA program, please complete the EA Terms & Conditions form and contact your Auth0 Account Team to request activation and supporting documentation.

Sender constrained tokens using DPoP is now Generally Available on Enterprise plans.

Support for sender constraining tokens using Demonstrating Proof of Possession (DPoP) is now generally available on Enterprise plans.

Demonstrating Proof of Possession (DPoP), as defined in RFC 9449, is an application-level mechanism for binding tokens issued by Auth0 to the client application that requested them. It is implemented using asymmetric key cryptography, with keys that are generated and managed by the client application; no public key infrastructure (PKI) is required.

Sender constraining tokens in this way using DPoP helps to:

  • enhance security by mitigating against token theft and misuse by unauthorised parties
  • improve user experience by allowing longer-lived access tokens without significantly increasing security risk, i.e. without requiring frequent user authentication

Additional features since the EA release include replay protection against client applications sending repeated DPoP proofs, and the ability to require DPoP for public clients only or for all clients.

A number of Auth0 SDKs have shipped with support for DPoP:

  • Authentication SDKs supporting DPoP for client applications: auth0-spa-js, auth0-react, auth0-angular, nextjs-auth0, auth0-flutter, Auth0.Swift and Auth0.Android
  • Authentication SDKs supporting DPoP for APIs/Resource Servers: express-oauth2-jwt-bearer, auth0-api-js, auth0-api-python, aspnetcore-api
  • Management SDKs supporting DPoP configuration: terraform-provider, go-auth0, deploy-cli, node-auth0, auth0.net

For more details, see the product documentation.

Customize RPID values for Passkeys EA

Boost Passkey adoption by enabling shared enrollment across subdomains. You can now customize the RP ID to allow a single Passkey to authenticate users across multiple applications under the same root domain. This feature is currently in EA.

Learn more about customizing RP ID for Passkeys:

Configure Passkey Policy

Native Passkeys for Mobile Applications (Auth0 Docs)

Passkeys (Auth0 Docs)

Real-time API & Rate Limit Metrics Streaming (Beta)

You can now stream real-time metrics for Auth0 Management API usage and rate limit events directly to your observability platform.

These new metric streams give you detailed telemetry on every API request, including success/failure status, specific failure reasons like rate limits, and diagnostic data such as Client ID and request path. This allows you to proactively monitor for rate limit issues, troubleshoot API errors faster, and correlate Auth0 performance with your own application's health, all from within your existing monitoring tools.

We've included out-of-the-box support for Datadog, and you can connect to New Relic, Prometheus, and Splunk using OpenTelemetry.

This feature is now available in Beta. To get started, check out our Metric Streams documentation.

Forms - HTTP Vault Connection New Options

We’re excited to announce that we added new options for Forms HTTP Vault Connections!

This new set of options allows you to configure different authorization methods for your HTTP Request Flow Actions.

What's new:

  • Client Credentials Support: Configure OAuth Client Credentials and keep the access token fresh for your HTTP Request Flow Actions authorization.
  • API Key Support: Authorize your HTTP Request Flow Actions using an API Key, defining the header or query param key and secret value.
  • Basic Auth Support: Configure and reuse Basic Auth authorization for your HTTP Request Flow Actions, helping you replace the legacy built-in option.

Brute Force Protection for Passwordless Notifications

To improve the end-user experience and mitigate message spam, Brute Force Protection now proactively prevents the sending of passwordless email and SMS codes to users who are already blocked.

This update ensures that restricted users cannot continue to trigger unsolicited notifications, closing a gap in our abuse prevention coverage and reducing unnecessary messages.

For more information on Brute Force Protection, check out our online documentation.

Actions - Transaction Metadata - GA

We are excited to announce that Actions Transaction Metadata is now GA.

This feature allows you to set, share, and access custom data between Actions run in the same post-login execution.

Functionality includes:

  • Accessing Transaction Metadata: A new event.transaction.metadata object within post-login Actions that contains the custom key/value pairs, each accessible by its key.
  • Setting Transaction Metadata: A new api.transaction.setMetadata function within post-login Actions that serves as the interface for setting the custom key/value pairs.
  • Immediate Access: Values are available immediately after being set, both in the calling Action and in subsequent Actions.
  • Value Types: Values can be a boolean, a number, a string, or the string serialization of an object or array.
  • Docs: Actions Transaction Metadata

Actions - Modules - EA

We are excited to announce that Actions Modules is now available in Early Access.

This feature allows you to create, manage, and share reusable code across different Actions within your Auth0 Tenant.

Early Access functionality includes:

  • Simplified Code Management: Reduce code duplication and improve organization by writing common logic once and importing it into any Action where it is needed. This makes your Actions easier to maintain and update.
  • Improved Performance: Move expensive initialization work into a module that can be reused across multiple Actions. This avoids re-running the same setup code in every execution.
  • Cross-trigger Access: Actions Modules become available for every Action Trigger type.
  • Independent Secrets and Dependencies: Actions Modules have independent secrets and dependencies from Actions.
  • Docs: Actions Modules

Native to Web SSO is now Generally Available

Description

Native to Web SSO enables seamless single sign-on from native mobile applications to web applications. Users authenticated in a native mobile app can now transition to web content without re-authenticating, providing a frictionless cross-platform experience.

What's New in GA

Building on the Early Access release, GA includes the following enhancements:

  • Auth0 Dashboard Support: Configure Native to Web SSO directly from the Auth0 Dashboard, no longer limited to Management API configuration
  • Refresh Token Metadata in Actions: Access parent refresh token metadata within Session Transfer Actions, enabling richer context for customization and security decisions during the session transfer flow
  • Step-up Authentication Support: Trigger MFA challenges during the Native to Web SSO flow for enhanced security when accessing sensitive web content
  • React Native SDK Support: Native to Web SSO is now available in the Auth0 React Native SDK, supporting both Hooks (useAuth0) and class-based approaches
  • Organizations Support: Use Native to Web SSO with Auth0 Organizations to maintain organization context when transferring sessions from native to web
  • Web SDK Integration Examples: New code examples for Auth0 SPA SDK (@auth0/auth0-spa-js) and Auth0 React SDK (@auth0/auth0-react) for receiving session transfer tokens in web applications
  • Enhanced Monitoring & Troubleshooting: Comprehensive warning log events help developers troubleshoot session transfer validation failures

Core Features

  • Session Transfer Tokens (STT): Native apps can request a secure, short-lived token to transfer the authenticated session to web applications
  • Seamless Web Session Creation: Exchange STT for a web session without user interaction
  • Cross-Platform SSO: Maintain authentication state when moving between native and web contexts
  • Session Transfer Actions: Customize the session transfer flow with Auth0 Actions

How It Works

  1. User authenticates in the native mobile app using Auth0
  2. Native app requests a Session Transfer Token via the Authentication API
  3. When opening web content (WebView or browser), the STT is included in the authorization request
  4. Auth0 validates the STT and creates a web session
  5. User is automatically authenticated in the web application

Benefits

  • Improved User Experience: Eliminate re-authentication friction when moving from native to web
  • Enhanced Security: STTs are short-lived, single-use, and bound to the original session
  • Easy Integration: Works with existing Auth0 mobile SDKs (iOS, Android, React Native)

Getting Started

Availability

This feature is now generally available for all Auth0 Enterprise customers.

New Self-Service SSO Templates for Okta & Auth0 SAML Now Available!

We’ve expanded our Self-Service SSO capabilities with two new, highly-requested IdP templates for Okta SAML and Auth0 SAML. This update streamlines the configuration process for your enterprise customers, enabling faster, more reliable SSO integration.

Guided, Step-by-Step Configuration

Previously, setting up connections for providers like Okta SAML required using a generic template. Now, your customers will get a purpose-built, guided experience. Our new templates provide detailed, step-by-step instructions with screenshots specific to each IdP, reducing complexity and eliminating guesswork for your customers' IT teams.

Key Enhancements:

  • New Templates: A dedicated guide for customers who use Okta or Auth0 as their identity provider, making one of the most common connection types easier than ever.
  • Reduced Support Load: By making the process more intuitive for your customers, we help reduce your team's support burden and speed up your enterprise onboarding flow.

Learn more about Self-Service SSO in the product documentation.

Forms - Flows Auth0 Send SMS and Auth0 Make Call Actions

We’re excited to announce that we added Flows Auth0 Send SMS and Auth0 Make Call Actions!

This new feature allows you to send phone messages from Flows using the customized Phone Provider at your Auth0 Tenant.

What's new:

Session Metadata is now Generally Available for all Enterprise customers.

What's New

Session Metadata allows you to attach custom key–value data to a user's session using Actions or the Auth0 Management API. This enables you to persist contextual data throughout the session lifecycle, powering richer integrations, stronger audit trails, and personalized session behavior.

Key capabilities:

  • Set and retrieve metadata in Actions using api.session.setMetadata(key, value) and event.session.metadata
  • Manage metadata via Management API with GET and PATCH on /api/v2/sessions/{id}
  • Delete individual keys using api.session.deleteMetadata(key) or evict all metadata with api.session.evictMetadata()
  • Include session metadata in OIDC Back-Channel Logout tokens for downstream systems to receive context during logout events

Example usage in Actions:

exports.onExecutePostLogin = async (event, api) => {
  api.session.setMetadata("deviceName", event.request.user_agent);
  api.session.setMetadata("loginRegion", event.request.geoip?.countryCode);
  api.session.setMetadata("orgContext", event.organization?.id);
};

Limits:

  • Maximum of 25 key-value pairs per session
  • Each key and value must be a string with max 255 characters
  • Metadata is stored as a flat JSON object (no nesting)

Use Cases

  • Self-service device management: Store device names or login locations for user-facing session management UIs
  • Keep Me Signed In: Persist user preferences to customize session behavior
  • Organization context: Store organization information for multi-tenant applications
  • Audit and compliance: Include session context in logout tokens for downstream audit systems

Availability

Session Metadata is now Generally Available for all Enterprise tenants.

No API or behavior changes from Early Access.

Learn more

Auth0 Agent Skills

We're introducing Auth0 Agent Skills (Beta): structured guidance that teaches AI coding assistants how to implement Auth0 authentication correctly across any framework.

Agent Skills are AI-native instructions that work with popular coding assistants such as Claude Code, Codex, and Gemini CLI. They provide production-ready code patterns, security best practices, and step-by-step implementation flows directly within your development workflow.

Key Features

  • Framework Coverage: Support for React, Next.js, Vue, Angular, Express, Nuxt, React Native, and more
  • Security First: Built-in best practices for MFA, protected routes, and secure token handling
  • Migration Support: Guided migration from Firebase Auth, AWS Cognito, Supabase, and other providers
  • Easy Installation: Install via CLI (npx skills add auth0/agent-skills) or directly in Claude Code plugins
  • Production Ready: Generate complete authentication implementations in minutes

Getting Started

  • Install Auth0 Agent Skills: npx skills add auth0/agent-skills
  • Then ask your AI assistant: "Add auth0 to my app" and you're ready to go.

Learn More

Refresh Token Metadata now available in Early Access

We're excited to announce that Refresh Token Metadata is now available in Early Access for Enterprise customers.

Refresh Token Metadata allows you to attach custom key-value pairs to refresh tokens, enabling richer context storage and more personalized authentication experiences.

What's New

Store Custom Data on Refresh Tokens

You can now attach up to 25 custom key-value pairs to each refresh token. This metadata persists throughout the token's lifecycle and can be accessed or modified via the Management API.

// In Post-Login Action
exports.onExecutePostLogin = async (event, api) => {
  api.refreshToken.setMetadata('deviceName', event.request.user_agent);
  api.refreshToken.setMetadata('loginRegion', event.request.geoip?.countryCode);
  api.refreshToken.setMetadata('orgContext', event.organization?.id);
};

Management API Support

Access and manage refresh token metadata programmatically:

  • GET /api/v2/refresh-tokens/{id} - Retrieve token with metadata
  • PATCH /api/v2/refresh-tokens/{id} - Update token metadata
  • DELETE /api/v2/refresh-tokens/{id} - Revoke token

Learn more about Refresh Token Metadata in our documentation

Credential Guard: Breached Phone Credentials Support

To strengthen defenses across the identity surface, we have added millions of breached phone credentials to our detection capabilities within Credential Guard.

This enhancement allows organizations using Phone as an Identifier to proactively identify compromised credentials and trigger automated security responses, such as login blocks or password resets.

This expansion ensures that phone-based authentication is as secure as traditional email-based methods without impacting system performance.

For more information on Credential Guard, check out our online documentation.

Better Mobile UX: Numeric Keyboards Now Default for OTPs

We’re excited to roll out a highly requested update to the mobile login experience! We know that every tap matters when it comes to user conversion, so we’ve eliminated a common friction point in the authentication journey.

Previously, users might have been met with a standard alphabetical keyboard when prompted for a code. Now, for all SMS and Email OTP challenges, mobile devices will automatically surface the numeric keyboard. This change spans 16+ touchpoints—including MFA enrollment, Passwordless login, and password resets—ensuring your authentication flow feels native, intuitive, and fast.

What do you need to do?

Nothing at all. This optimization is automatically enabled for all customers using the Universal Login experience. Your users are already enjoying a smoother, "fat-finger" proof login today!

Experience it yourself

Trigger an MFA challenge or Passwordless login from your mobile device to see the new flow in action.

added

Enhanced Bot Detection Accuracy with JA4 Signals

To provide a more robust defense against sophisticated automated threats, Auth0 has integrated JA4 signals into the core of our Bot Detection machine learning engine.

The addition of JA4 signals allows our models to surface and mitigate sophisticated automated threats that traditional signals often miss.

This enhanced security feature is available now to all Enterprise customers with the Attack Protection add-on. The rollout is currently underway and will be completed in the coming weeks, aligned with individual customer release schedules.

To learn more about Auth0's Bot Detection Product, click here

added

Inbound SCIM Groups for Enterprise Connections is now in Limited Early Access

We’re pleased to announce that support for Groups within Auth0’s Inbound SCIM for Enterprise Connections feature is now in limited early access!

This release is useful for developers who support users and groups natively in their applications and need to integrate with Enterprise identity providers that use SCIM 2.0 to manage those users and groups remotely.

New group capabilities added:

  • SCIM groups endpoint per connection - Each Enterprise connection gets dedicated SCIM /users and /groups endpoints and dedicated credentials that enable provisioning, de-provisioning, and management of the users and groups specific to that connection.

  • Sync groups from Auth0 to external systems - Users and groups provisioned inbound to Auth0 can be synchronized outbound to external systems using Auth0’s Event streams feature.

  • Use groups in the Post-Login Action - Use group information pushed from Enterprise identity providers in your Auth0 post-login actions to make access control and authorization decisions in Auth0.

  • View groups in the Auth0 Dashboard - All groups provisioned using SCIM can be viewed in the Auth0 Dashboard under a new Enterprise Groups tab, as well as per user under the Users section.

How to get access

To join the Limited EA program and access SCIM Groups for Enterprise connections, complete the EA Terms & Conditions form and contact your Auth0 Account Team to request activation and supporting documentation.

added

Google Workspace Inbound User Directory Sync is Now Generally Available!

We’re excited to announce that Google Workspace User Directory Sync is now generally available! This feature keeps Auth0 user profiles up to date by syncing users from your Google Workspace directory into Auth0 - so user profile updates don’t depend on login events.

Key highlights of this release:

  • Dashboard configuration: Enable and manage inbound user directory sync directly from the Auth0 Dashboard on your Google Workspace enterprise connection (including attribute mapping, automated sync, and manual sync).
  • Management API support: Programmatically enable, configure, and run inbound user directory sync using the Management API Connections endpoints.
  • Self-Service SSO experience: Your customers’ IT teams can configure Google Workspace inbound directory sync alongside SSO and SCIM provisioning, and manage user onboarding/offboarding directly.

Learn more:

added

Roles for the Auth0 FGA Dashboard

We are excited to release the Per-Member Authorization feature that introduces roles to the FGA Dashboard! This allows you to grant appropriate levels of access based on users’ needs.

We are enhancing the permission model from a single admin to Groups that can be assigned roles. Groups are an organizational container for managing permissions and offer convenience when assigning roles to multiple users at once.

  • New Roles: We are introducing three new granular roles to sit alongside the previous admin role (now renamed Account Owner):
    • Group Manager: An account-level role for managing teams without accessing FGA stores directly.
    • Store Editor: A store-level role that can modify models and tuples but cannot manage groups.
    • Store Viewer: A read-only role useful for ops teams or sales engineers who need visibility without the ability to impact systems.
  • Groups: Account Owners or Group Managers can create groups (ex., "IT Group" or "Dev Team") and assign members to them. All members automatically inherit the permissions defined at the group level.
  • Scoping: Crucially, these roles can be scoped to specific stores. For example, a single user can be an Editor for a "Staging" store but restricted to Viewer for a "Production" store.

For more details, refer to Auth0 FGA Dashboard’s Roles documentation.

added

Self-Service Domain Verification for Organization Discovery now in Early Access!

We’ve integrated Organization Discovery by Domain into the Self-Service SSO workflow, eliminating manual backend configuration and providing a seamless login experience for your enterprise users.

Zero-Touch Discovery

Previously, verifying a domain only configured the SSO connection. Now, when a ticket is scoped to a single Organization, verified domains are automatically synced to the Organization record. This enables Organization Domain Discovery instantly, allowing end-users to log in with just their email address.

Key Enhancements:

  • Verify One, Apply Everywhere: Verified domains are added to both the Connection and the Organization simultaneously.
  • Domain Association: If a domain was previously verified for an Organization, customers can now simply associate it with a new connection, skipping repeat DNS TXT steps.
  • Deterministic Routing: By gating this to a 1:1 mapping, we ensure users are routed to the correct IdP every time.

Learn more about Self-Service SSO in the product documentation.

By using Self-Service SSO Domain Verification for Organization Discovery by Domain, you agree to the applicable Free Trial terms in Okta’s Master Subscription Agreement and Okta’s Privacy Policy during use of the Early Access feature. The Free Trial terms can be found within the Master Subscription Agreement at https://www.okta.com/agreements.

added

New FGA Dashboard Logging UI is being rolled out

We are excited to announce the FGA Logging UI! This introduces a web interface to the existing logging API, giving you the ability to view FGA logs directly in the FGA Dashboard.

Users can now filter, sort and inspect access logs directly from the FGA Dashboard, significantly reducing the time required for debugging and troubleshooting issues.

The Logging UI provides an easy-to-use visual interface with capabilities to sort and filter log entries.

  • Visual Interface: Users can now immediately view a list of log entries for operations like Check() and Write() in the main viewing area of the UI. Drilling down into a single log entry will open a side panel for a full detailed view of the log data in JSON format, with a convenient copy-and-paste button to quickly copy and paste log data into another application for viewing or saving.

  • Date/time ranges: Viewing log data can be daunting due to sheer volume. The UI has a convenient date picker to set the time-bound log retrieval window.

  • Filtering: We’ve introduced a simple search box for filtering. Its simplicity does not take away from its power as the search accepts Lucene syntax (a subset) for advanced querying of logs. Now, retrieving all write operations is as easy as typing request.operation:"Write" into the search box.

  • Sorting: The UI supports standard sorting of fields for ascending and descending ordering of data, used in situations, for example, when quickly needing to toggle between seeing “newest first” or “oldest first” log data.

For more details, refer to Auth0 FGA’s logging documentation.

API Access Policies for Applications is now Generally Available

We are pleased to announce that API Access Policies for Applications is now Generally Available (GA) for all Auth0 customers. This feature allows you to specifically control which applications can request access tokens for your APIs, covering both user and machine-to-machine access.

Previously available only via the Management API, these policies can now be fully configured directly within the Auth0 Dashboard. The new UI allows you to easily visualize and manage permissions per API, ensuring that only authorized applications can access sensitive resources.

Key Benefits:

  • Granular Control: Define distinct access policies for user access vs. machine-to-machine access.
  • Enhanced Security: Use the require_client_grant policy to ensure only explicitly authorized applications can obtain tokens for the subset of allowed permissions.
  • Simplified Management: Configure these settings visually through the new Dashboard UI.

To learn more, navigate to Applications > APIs > Application Access in the dashboard or read our reference docs.

API Access Permissions dashboard

added

Universal Custom Password Hash for Bulk Import - Now in Limited Early Access!

We’re excited to introduce Universal Custom Password Hash in Limited Early Access (EA), enabling user migrations into Auth0 without disrupting sign-ins - even when your existing system uses custom or legacy password formats.

With Universal Custom Password Hash you can bring existing users over through Bulk Import and use Auth0 Actions to script custom password validation logic for your environment so users can continue signing in with their current credentials.

Key Capabilities:

  • Support for custom password formats during migration: Migrate users from legacy and proprietary systems while maintaining the existing sign-in experience.
  • Custom validation logic with Auth0 Actions: Write and deploy password validation logic that matches your current security architecture using Actions.
  • Seamless end-user experience: Users continue to sign in as usual - fewer password resets and fewer support tickets mean reduced rollout friction.
  • Built for enterprise migrations: Designed for complex environments where password handling varies across regions, applications, or historical platforms.

Why It Matters:

  • Accelerate migrations by reducing friction and avoiding user disruption.
  • Lower helpdesk load by minimizing password reset spikes during cutover.
  • Increase confidence in large-scale rollouts with flexible support for legacy password formats.

How to Join EA: Universal Custom Password Hash is available through Limited Early Access enrollment. To request access and supporting documentation, contact your Auth0 Account Team and complete the Limited EA Terms & Conditions process.

deprecated

Legacy Management of Connection's Enabled Clients

The enabled_clients field, within the connection object, is deprecated in the following scenarios:

As an alternative to the deprecated functionality, two new Management API endpoints are available:

We have provided additional information and timelines for enforcing this change across tenants through a dashboard and support center notification. It is important to note that when creating a new connection via the (POST - /api/v2/connections) endpoint, the enabled_clients field remains supported.

Ephemeral Sessions with Actions - General Availability

As part of our Continuous Session Protection, you can now configure ephemeral (non-persistent) sessions using Actions. This allows enterprise customers to dynamically control whether a session is stored in a persistent cookie or only in memory.

Ephemeral sessions:

  • Exist only in memory and are cleared when the browser or app is closed.
  • Are ideal for high-sensitivity workflows such as step-up authentication or use on public devices.
  • Can be configured per session using api.session.setCookieMode("non-persistent") in post-login Actions.

This feature, previously in Early Access, is now in General Availability and available to all Enterprise tenants.

Learn more:

added

Auth0 Private Cloud Now Available on Azure 30x & 30x Burst Tiers

We are pleased to announce the expanded availability of Auth0 Private Cloud on Microsoft Azure, now supporting the 30x and 30x Burst performance tiers.

This update enables enterprise organizations to leverage high-scale, dedicated identity infrastructure while maintaining their commitment to the Azure ecosystem.

Performance at Scale

  • 30x
    • Sustained Capacity: 3,000 RPS
    • Peak Burst Capacity: 3,000 RPS
    • Best for: Consistent, high-volume baseline traffic
  • 30x Burst
    • Sustained Capacity: 1,500 RPS
    • Peak Burst Capacity: 3,000 RPS
    • Best for: Variable traffic with high-intensity spikes

Why This Matters

  • Compliance & Residency: Deploy to the Azure region of your choice to satisfy localized data residency and compliance needs at scale.
  • Financial Strategy: Burn down your existing Microsoft Azure Consumption Commitments (MACC) by investing in the market-leading identity platform.
  • Operational Excellence: Benefit from a fully managed, dedicated instance that provides you infrastructure isolation and flexibility as you grow.

Get Started

These tiers are available immediately for new and existing customers. Please visit Auth0 documentation for more info.

Custom Token Exchange now available in Open Early Access

We’re excited to announce the Open Early Access (EA) of Custom Token Exchange. OAuth 2.0 Token Exchange allows a client to trade one security token for another (typically an Access Token). With Custom Token Exchange, you can run Auth0 Actions as part of that exchange, giving you a flexible way to inject custom logic and implement your own authentication and authorization semantics. This lets you validate and authorize the request, and precisely set the user for every token exchange transaction.

Key highlights of this release:

  • Automatic Entitlement: The feature is now automatically available to all Enterprise and B2B Pro customers to be used for testing and production (no manual enablement required).
  • Organizations Support: Full compatibility with Organizations. You can now pass the organization parameter in the request or use the new setOrganization function within your Action.
  • Enhanced Security: Includes Multi-Factor Authentication (MFA) support during the exchange.

To learn more, read the reference documentation.

added

Security Center: Unleash Deeper Insights with New Filtering & Pre-defined Groupings

We're excited to announce a significant update to the Security Center, marking the first major enhancement since last year's introduction of Thresholds and Alerts! These new capabilities drastically improve your ability to monitor, analyze, and respond to security threats with greater precision and speed.

What's New:

  • Granular Filtering by Applications and Connections: You can now filter security metrics within the Overview and Threat Monitoring pages by specific applications and connections. This allows for a more detailed examination of your tenant traffic, enabling faster incident triage and more effective troubleshooting by visualizing subsets of data.
  • Deeper Insights into Top Threat Behaviors: We've introduced new charts to highlight the top 5 connections and IPs associated with various security metrics. These groupings provide quick insights into potential anomalies and common threat behaviors, empowering you to identify and address risks more efficiently.
  • Consolidated Threat Monitoring View: The Threat Monitoring page has been revamped to offer a more intuitive and unified experience. This updated view, combined with the new filtering options by application and connection, streamlines your ability to track and respond to threats effectively.

These enhancements are available on all public cloud environments and are gradually rolling out to private cloud environments.

Explore the updated Security Center today to take control of your security insights and strengthen your security posture!

MyAccount API Explorer Experience Updated

The MyAccount API Explorer now has an updated experience! Using MyAccount API, customers can build self-service management experiences at scale, powered directly from their applications.

To learn more about the MyAccount API feature, click here.

The improved MyAccount API Explorer experience includes:

  • modernization of the look & feel
  • interactivity between the response schema and response example
  • full endpoint URL readily available to copy
  • ability to quickly navigate to other API Explorers

Navigate to: https://auth0.com/docs/api/myaccount to try it out!

Forms - Flows Auth0 Send Email Action

We’re excited to announce that we added Flows Auth0 Send Email Action!

This new feature allows you to send emails from Flows using the customized Email Provider at your Auth0 Tenant.

What's new:

  • Email Providers: take advantage of the supported email providers that can be configured at your Auth0 Tenant.
  • Custom Email Provider: write custom code to send your emails to unsupported email providers using the Custom Email Provider Action.
  • Custom Properties: customize the settings for the outgoing emails including sender, recipient, subject, message, and variables.
  • Liquid Syntax: use Liquid syntax at your email subject and message.

deprecated

Deprecation of Weak TLS 1.2 Cipher Suites

To ensure the highest security standards for your identity infrastructure, we are retiring specific weak TLS 1.2 cipher suites. This change affects all connections to Auth0 service endpoints and web applications, specifically:

  • Tenant Domains: All default (e.g., [tenant].auth0.com) and Custom Domains for both Public and Private Cloud.
  • Auth0 Tools: The Dashboard (manage.auth0.com), Marketplace, and Support Center.
  • Infrastructure: The Auth0 CDN.

Cipher Suites Scheduled for Removal: The following ciphers are being deprecated. For cross-reference, we have provided the unique Hex Code, IANA name, and a link to the OpenSSL equivalent.

  • 0xC0,0x09 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (https://ciphersuite.info/cs/TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA/)
  • 0xC0,0x0A - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (https://ciphersuite.info/cs/TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA/)
  • 0xC0,0x23 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (https://ciphersuite.info/cs/TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256/)
  • 0xC0,0x24 - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (https://ciphersuite.info/cs/TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384/)
  • 0xC0,0x13 - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA/)
  • 0xC0,0x14 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA/)
  • 0xC0,0x27 - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256/)
  • 0xC0,0x28 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384/)
  • 0x00,0x9C - TLS_RSA_WITH_AES_128_GCM_SHA256 (https://ciphersuite.info/cs/TLS_RSA_WITH_AES_128_GCM_SHA256/)
  • 0x00,0x2F - TLS_RSA_WITH_AES_128_CBC_SHA (https://ciphersuite.info/cs/TLS_RSA_WITH_AES_128_CBC_SHA/)
  • 0x00,0x9D - TLS_RSA_WITH_AES_256_GCM_SHA384 (https://ciphersuite.info/cs/TLS_RSA_WITH_AES_256_GCM_SHA384/)
  • 0x00,0x35 - TLS_RSA_WITH_AES_256_CBC_SHA (https://ciphersuite.info/cs/TLS_RSA_WITH_AES_256_CBC_SHA/)
  • 0x00,0x3C - TLS_RSA_WITH_AES_128_CBC_SHA256 (https://ciphersuite.info/cs/TLS_RSA_WITH_AES_128_CBC_SHA256/)
  • 0x00,0x3D - TLS_RSA_WITH_AES_256_CBC_SHA256 (https://ciphersuite.info/cs/TLS_RSA_WITH_AES_256_CBC_SHA256/)

Additional information is available through the Auth0 dashboard and Support Center notification.

Advanced Customizations for Universal Login has reached General Availability

We are excited to announce that Advanced Customizations for Universal Login (ACUL) is now generally available. ACUL enables developers to create custom, client-rendered user interfaces for Universal Login using their preferred frontend technologies.

Key capabilities in this release:

  • Full Screen Parity: Support for customizing all Universal Login screens and flows, including Login, Signup, MFA, Password Reset, and more.
  • New SDKs: Production-ready React and TypeScript SDKs to accelerate development.
  • Visual Editor: A new Dashboard UI for managing screen configurations and assets.
  • Improved Developer Tooling: Major updates to Auth0 CLI to support scaffolding (auth0 acul init), local mocking, testing, and CI/CD deployments.
  • Production-Ready Sample App: A robust sample repository featuring implementations of 34 authentication screens built with React 19 and Tailwind 4.

ACUL allows you to leverage all the security benefits of Universal Login, such as bot protection and threat intelligence, while providing complete control over the visual presentation and user journey.

Read the Documentation

Google Workspace User Directory Sync - Now in Early Access

We’re excited to announce that Google Workspace User Directory Sync is now available in Limited Early Access (EA) with major enhancements to configuration, usability, and performance.

This feature automatically synchronizes users from your Google Workspace directory into Auth0 - ensuring user profiles stay accurate and up to date without relying on login events.

What’s New in EA:

  • Management Dashboard Support: You can now enable and configure Google Workspace Directory Sync directly from the Auth0 Management Dashboard.
  • Integrated with Self-Service SSO: We’ve expanded the Self-Service SSO Provisioning flow to include Google Workspace Directory Sync alongside SCIM. Your customers’ IT teams can now configure SSO, SCIM provisioning, and Google Workspace Directory Sync through a unified setup flow, and manage user onboarding/offboarding directly, with less manual work for you.
  • Performance Improvements: Backend optimizations reduce sync latency and ensure stable performance under high load.

Why It Matters:

  • Eliminates reliance on user login events for updating user data in Auth0
  • Reduces identity drift and accelerates user lifecycle management
  • Delegates Directory Sync setup to your customers’ IT administrators.

How to Join EA: To join the Limited EA program and access Google Workspace User Directory Sync, complete the EA Terms & Conditions form and contact your Auth0 Account Team to request activation and supporting documentation.

Requesting App for Cross App Access (XAA) is now available in Beta.

This new Token Vault capability allows Client Applications to obtain access tokens from third-party APIs (resource servers), through an authorization flow that is coordinated by a common Identity Provider implementing the Identity Assertion Authorization Grant standard. This new standard enables requesting applications such as AI Agents to obtain access tokens where user consent is managed by policy at the Identity Provider.

To evaluate the Requesting App for Cross App Access, please contact Auth0. For more details, see the product documentation.

added

Introducing the New ASP.NET Core API SDK

We are excited to announce the release of Auth0.Aspnetcore.Authentication.Api, a new official SDK designed to streamline authentication and security for ASP.NET Core backend applications.

Key Benefits:

  • Supports .NET 8.0+ and built for the modern "middleware" pattern. Developers can now secure an API with a single line: builder.Services.AddAuth0ApiAuthentication(...).
  • Abstracts the complexity of JWT validation. Developers no longer need to write fragile boilerplate code to check Audiences or Issuers. The SDK enforces security best practices out of the box.
  • Supports DPoP with flexible enforcement modes (Allowed, Required, Disabled). Enterprise customers can now enforce a higher level of security with minimal code changes.

Getting Started:

added

Adaptive MFA: Customizable Device Remembrance

Adaptive MFA now allows administrators to configure device remembrance durations (TTL) for the New Device assessor. The default remains at 30 days, but can now be customized to any value between 1 and 365 days.

When users log in successfully on a remembered device, that device’s TTL automatically refreshes to the currently configured value.

This enhancement provides greater flexibility to balance security and user convenience, helping teams align device remembrance with organizational policies and login patterns.

Configuration is available through both the Dashboard and the new Adaptive MFA Management API endpoints, enabling automated setup and management of device remembrance.

Learn more about configuration options in our Adaptive MFA documentation.
For details on the new Adaptive MFA Management API endpoints, visit the Risk Assessment API documentation.

added

Express Configuration is now Generally Available for Auth0 SaaS apps in the Okta Integration Network

We’re pleased to announce that Express Configuration with Okta is now generally available for Auth0 applications in the Okta Integration Network!

Express Configuration automates how your enterprise customers using Okta set up identity integrations with your Auth0 application. This includes configuring OpenID Connect (OIDC) for single sign-on, System for Cross-domain Identity Management (SCIM) for automated user onboarding and offboarding, and Global Token Revocation (GTR) for centralized session management with Universal Logout.

To learn more about Express Configuration with Okta, click here.

This feature is available immediately in all public cloud environments, and will be rolled out to private cloud environments as per their release pipeline.

Auth0 for AI Agents is generally available.

We are thrilled to announce a major milestone: the General Availability (GA) of Auth0 for AI Agents!

Auth0 for AI Agents is a suite of features to empower developers to build secure agentic applications and experiences. The solution suite includes updates to: Token Vault for secure token based access to third-party APIs and applications; and Asynchronous Authorization for user approvals to keep the human in the loop for sensitive agent actions.

Here are some highlights of the latest updates to the solution suite:

  • A new connected accounts flow (with connection purpose) to easily establish federated connections, initiated by client applications.
  • Support for Microsoft Entra (Azure AD) and Google Workspace as enterprise connected accounts.
  • Support exchanging a first-party access token for a third-party access token at the Token Vault.
  • Send notifications for asynchronous authorization flows using email or the Guardian App, with client initiated backchannel authentication (CIBA).
  • Revamped Quickstarts and SDKs to delight developers.
  • Pricing and packaging for Essential, Professional, and Enterprise plans.

You can read more about the solution suite and the component features in the Auth0 for AI documentation.

updated

Security Center Threat Behavior Metrics Update

We’ve refined the logic behind how Security Center metrics are calculated to provide more accurate and actionable insights.

Metrics now reflect IP activity using the following logic:

When an IP address triggers more than 10 relevant events for a given metric within a single hour, it will now be counted toward that metric.

This update ensures greater consistency and reliability across event-based metrics within the Security Center.

For more details on which metrics are affected and their updated definitions, see the Security Center Metrics documentation

added

Auth for MCP: Now in Early Access

Auth0 is thrilled to announce that Auth for MCP is officially in Early Access! This release extends the power of Auth0’s standards-based authorization platform to the Model Context Protocol (MCP), securing your MCP servers, MCP clients, AI agents and the APIs they interact with.

With Auth for MCP, Auth0 integrates OAuth 2.1 and OpenID Connect directly into the MCP ecosystem, ensuring consistent access control and auditability across every agentic interaction.

Key capabilities include:

  • MCP Server Authorization: Protect your MCP Servers by leveraging Auth0’s Universal Login to authorize access. You can leverage social, enterprise, and custom identity providers with full support for MFA and advanced attack protection.

  • Standards-based discovery and registration: Allow MCP clients and servers to automatically discover authorization endpoints and dynamically register with Auth0. This removes manual setup and ensures consistent configuration across your environment.

  • Leveraging your Existing APIs: Enable MCP clients to securely call internal APIs on behalf of users using short-lived, purpose-scoped tokens.

  • Connecting to Third party APIs using Token Vault: Securely store, refresh, and revoke access tokens for third-party APIs. This lets your MCP applications act on behalf of users across external SaaS systems like Google, Microsoft, GitHub, and more.

  • Developer-ready integration: Explore quickstarts, guides, and sample apps to easily implement Auth for MCP. Auth0 provides ready-to-use examples for securing your MCP server, calling APIs on users’ behalf, and using the Token Vault with JavaScript or Python SDKs.

  • MCP Spec Compliance: Works with Auth0’s Resource Parameter Compatibility Profile and token dialect rfc9068_profile_authz, ensuring that access tokens include the permissions claim required for authorization in MCP.

This Early Access release allows developers to unify authorization across MCP clients, servers, and tools, improving governance of agent actions.

Auth for MCP is available today in Early Access. To participate, please submit the Early Access Form and/or contact your Auth0 Technical Account Manager.

For setup instructions, SDKs, and sample applications, and more, visit the Auth for MCP documentation.

Exciting Enhancements Now Live in Multiple Custom Domains (MCD) Early Access

We are thrilled to announce a significant expansion of capabilities within the Multiple Custom Domains (MCD) Early Access program for Enterprise customers.

This update delivers powerful branding and white-labeling capabilities with improved flexibility to scale your identity solution from a single Auth0 tenant.

  • Search and filter custom domains via Management APIs and Dashboard to simplify administration.
  • Pixel-perfect branding using ACUL to associate unique asset bundles directly with individual custom domains.
  • Ensure brand consistency by customizing Email and Phone Templates based on the custom domain context.
  • Build tailored, conditional logic using the custom domain name and metadata directly within Actions.

Please refer to Auth0 docs for details - Multiple Custom Domains.

These updates are available automatically to the current participants in the MCD Early Access program. If you're interested in joining the MCD Early Access program, please send a request through the Auth0 Support Center and contact your Technical Account Manager (TAM) or Auth0 Sales Executive.

added

New Dynamic Client Registration (DCR) Scope Added to Tenant ACL

Auth0 has added a Dynamic Client Registration (DCR) scope to the Tenant Access Control List (ACL).

This enhancement allows administrators to control access to the /oidc/register endpoint based on a variety of network and client signals, helping prevent unauthorized or automated client creation.

Configuration is available via the Management API.

Learn more about our Tenant Access Control List in our online documentation found here.

added

Actions - TypeScript Definitions in NPM

We are excited to announce that Actions Types is now available at npmjs @auth0/actions.

This NPM library currently facilitates TypeScript definitions for Auth0 Actions.

Developers can use this library for:

  • IDE / Code Editor Assistance: By referencing this library, IDEs and code editors can help developers with autocompletion, object and function definitions, and error checking.
  • TypeScript Development: This library enables Actions development using TypeScript, which can then be built and deployed to Actions as CommonJS.
  • Unit Testing Improvements: This library allows developers to follow best practices and to improve their Unit Testing based on TypeScript definitions.
  • AI Actions Generation: Gives AI assisted IDEs the context they need to generate more accurate and secure Actions code.

Docs: Learn more at Actions NPM Docs and Actions Unit Test Docs.

New Management API endpoints to configure Bot Detection settings

Auth0 now provides Management API endpoints to manage Bot Detection configuration!

Key Capabilities:

Bot Detection Controls: Automate adjustments to the Bot Detection Level (low, medium, or high) and manage your trusted IP AllowList via API.

Challenge Policies: Programmatically control CAPTCHA enforcement for password, passwordless, and password reset flows (options: always, when risky, or never).

CAPTCHA Management: Fully manage your CAPTCHA provider selection and configuration, including Auth0’s native challenge or third-party solutions.

To learn more about the new Bot Detection API endpoints, check out our online documentation here.

Add Session Metadata to Auth0 Sessions

As part of Continuous Session Protection, you can now attach custom key–value data to a user’s session using Actions or the Auth0 Management API. This allows enterprise customers to persist contextual data (such as device name, organization ID, or custom flags) throughout the session lifecycle.

Session Metadata:

  • Enables storing and retrieving custom metadata directly within Auth0 sessions
  • Can be set in Post-Login Actions using api.session.setMetadata(key, value) and accessed through event.session.metadata
  • Is available via the Management API for reading, updating, or evicting metadata during the session’s lifetime
  • Can be automatically included in OIDC Back-Channel Logout tokens, enabling downstream systems to receive the same metadata context

This feature expands session extensibility, allowing richer integrations, stronger audit trails, and personalized session behavior across applications.

Availability:

Session Metadata is available to Enterprise tenants in Early Access. To enable this feature, reach out to your Technical Account Manager or open a Support Ticket.

Learn more: Session Metadata Documentation

added

Google Workspace Inbound User Directory Sync Beta

We’re excited to introduce Google Workspace User Directory Sync, now available as part of our Beta program.

This feature allows organizations to automatically synchronize users from their Google Workspace directory into Auth0 - ensuring user data stays accurate and up to date without relying on login events.

What’s New:

  • Automated user synchronization: Automatically sync user profiles from your Google Workspace Enterprise connection into Auth0.
  • Flexible sync cadence: Choose between manual on-demand syncs or automatic syncs that run every 30 minutes.
  • Custom attribute mapping: Map Google Workspace user attributes to Auth0 user profile fields for full control over data consistency.
  • Management API support: Configure, update, retrieve, or delete your Directory Sync settings programmatically - with Postman collection templates included.

Why It Matters: This enhancement eliminates the need for users to log in before their profiles are updated in Auth0, reducing data drift and simplifying identity lifecycle management.

How to Get Started: To join the Beta program and access Google Workspace User Directory Sync, complete the Beta Terms & Conditions form and contact your Auth0 Account Team to request activation and supporting documentation.

Version 202544

deprecated

Prompt for Organization Name Without SSO

Login flows initiated in the context of client applications associated with business users (organization_usage=require) and configured to prompt for the organization at the start of the login flow (organization_require_behavior=pre_login_prompt) will consider an existing authenticated session and allow single sign-on (SSO).

The previous behavior where these flows disregarded SSO is deprecated. We have provided additional information and timelines for enforcing this change across tenants through a dashboard and support center notification.

added

New Private Cloud Region in Thailand

Auth0's Private Cloud footprint is expanding again, this time to the AWS Asia Pacific Thailand Region!

This launch plants our secure identity infrastructure in the heart of one of Southeast Asia's largest digital economies. Customers in the region can now leverage this new presence for significantly reduced latency and enhanced performance. It also provides a robust, in-country solution for organizations managing their data governance and sovereignty objectives.

We are excited to support the rapid growth of Thailand's booming e-commerce, fintech, and digital service sectors with this new deployment.

Organization Discovery by Domain now in Early Access!

We’re excited to announce Organization Discovery by Domain, a new capability that makes enterprise login smarter and more seamless. Together with Prompt for Organizations, it automatically identifies a user’s Organization before authentication, using either their email or organization name — eliminating the need for guessing, manual routing, or dealing with misspellings.

Smarter Login Experience: Users can now enter either their organization name or work email on the Prompt for Organization screen. If the Organization has a verified domain, Auth0 detects the Organization instantly, loads the correct branded login, and routes the user to the right IdP.

Verified Domains: Tenant admins can now associate one or more verified domains with each Organization using the new Domains tab. Verified domains power automatic organization detection and ensure HRD (Home Realm Discovery) runs only against that Organization’s enabled connections.

Unified Enterprise Login Flow: This update enhances the Prompt for Organization experience for both Business and Both (Business + Individual) app types, unifying login flows across personal and enterprise users.

Availability: Rollout is happening now. No opt-in required, it’s ready as soon as it appears in your tenant.

Learn more about Organization Discovery by Domain in our product documentation.

By using Organization Discovery by Domain, you agree to the applicable Free Trial terms in Okta’s Master Subscription Agreement and Okta’s Privacy Policy during use of the Early Access feature. The Free Trial terms can be found within the Master Subscription Agreement at Legal Agreements | Okta.

added

Ignore Duplicate Writes and Missing Deletes in Auth0 FGA

We've enhanced the Auth0 FGA Write API endpoint to help streamline imports and reduce errors. You can now use two new optional parameters:

on_duplicate: "ignore": This will gracefully skip any write operations for relationship tuples that already exist.

on_missing: "ignore": This will gracefully skip any delete operations for relationship tuples that do not exist.

Previously, these common conditions would cause the entire Write request to fail. These new parameters prevent unnecessary failures, eliminating the need for complex client-side retry logic and improving import performance.
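As an added illustration (not Auth0's or OpenFGA's own code), the following is a small in-memory model of the Write semantics described above, showing why an import becomes safely re-runnable once duplicates and missing tuples are ignored. It assumes tuples are represented as "user#relation@object" strings and that leaving the new parameters unset reproduces the previous fail-the-whole-request behavior.

```javascript
// Added example (not Auth0's or OpenFGA's own code): local model of the FGA Write
// endpoint semantics described in the changelog. Tuples are constructed sample values.

function tupleKey({ user, relation, object }) {
  return `${user}#${relation}@${object}`;
}

// Applies one Write request to `store` (a Set of tuple keys).
// Without on_duplicate/on_missing set to "ignore" (modelled here as "unset"), a duplicate
// write or a delete of a missing tuple rejects the whole request and leaves the store
// untouched. With "ignore", only the offending operations are skipped.
function applyWrite(store, { writes = [], deletes = [], on_duplicate, on_missing } = {}) {
  const duplicates = writes.map(tupleKey).filter((k) => store.has(k));
  const missing = deletes.map(tupleKey).filter((k) => !store.has(k));

  if (duplicates.length > 0 && on_duplicate !== "ignore") {
    throw new Error(`write rejected, tuple(s) already exist: ${duplicates.join(", ")}`);
  }
  if (missing.length > 0 && on_missing !== "ignore") {
    throw new Error(`write rejected, tuple(s) do not exist: ${missing.join(", ")}`);
  }

  let written = 0;
  let deleted = 0;
  for (const t of writes) {
    const k = tupleKey(t);
    if (!store.has(k)) {
      store.add(k);
      written += 1;
    }
  }
  for (const t of deletes) {
    if (store.delete(tupleKey(t))) deleted += 1;
  }
  return { written, deleted, skipped: duplicates.length + missing.length };
}

// An idempotent importer: re-running the same batch is a no-op instead of an error,
// so no client-side "filter out what already exists" retry loop is needed.
function importTuples(store, tuples) {
  return applyWrite(store, { writes: tuples, on_duplicate: "ignore" });
}
```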

This feature is available now via the API and our latest SDKs.

Learn more about Writing Tuples in FGA from our product documentation or API Reference.

added

New Sign in with Shop Social Connection

Auth0 now supports Sign in with Shop, a new social login integration designed for Shopify merchants. This feature allows merchants to offer customers a familiar authentication option using their existing Shop accounts. This new integration provides:

  • Streamlined Experience: Customers can sign in using their existing Shop credentials, reducing friction and simplifying account access.
  • Consistent User Journey: Enables a unified sign-in experience for customers already accustomed to Shopify’s ecosystem.
  • Expanded Capabilities: Combines the trusted Shopify experience with Auth0’s advanced identity features — including enhanced security, single sign-on (SSO), customizable branding, and extensibility.

Get started today with our quick start guide to connect your Shopify store to Auth0 and our built-in Sign in with Shop social integration.

Upcoming Changes when using Non-Verifiable Callback URIs

To enhance security and mitigate the risk of application impersonation and phishing attacks, we recommend transitioning to HTTPS-based callbacks using Android App Links and Apple Universal Links whenever possible. In addition, we are introducing a change in how the service handles custom URI schemes and loopback URIs as callbacks.

More specifically, for authentication requests specifying a custom URI scheme or a loopback URI as the callback, we are introducing a login confirmation prompt used in scenarios that would previously return a response without requiring user interaction. For example, in a single sign-on (SSO) scenario, if authentication request requirements can be satisfied from an existing authenticated session, the service will display the new login confirmation prompt instead of seamlessly returning a response to the specified custom URI scheme / loopback URI callback.

Additionally, authentication requests including prompt=none will be rejected when Applications use non-verifiable callback URIs and are configured to use the new login confirmation prompt.

Review the User Confirmation Prompt section of Measures Against Application Impersonation to learn more about the new prompt.

Tenants created before October 15, 2025, maintain the previous behavior as the default until April 28, 2026. After the October cutoff date, newly created tenants may default to displaying the new login confirmation prompt with some exceptions due to each environment's deployment schedule. For any tenant maintaining the previous behavior, we recommend you opt in beforehand to use the new behavior. Alternatively, you can opt out of using the additional confirmation prompt if strictly required. Additional information on this situation is available at Migrate to Custom URI Scheme Redirect End-User Confirmation.
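The following is an added model (not Auth0's own code) of the behavior described in this notice: it classifies a callback URI as verifiable or not and works out whether a request is redirected silently, shown the login confirmation prompt, or rejected. The verdict strings are this example's own vocabulary, and confirmationEnabled stands in for whether the tenant or application has the new prompt in effect.

```javascript
// Added example (not Auth0's own code): models the custom-scheme / loopback callback
// handling described above. Verdict strings are this example's vocabulary, not API values.

// Classify a redirect_uri. Android App Links and Apple Universal Links are plain https
// URLs, so "https" is the verifiable case; custom schemes and loopback are non-verifiable.
function classifyCallback(uri) {
  let parsed;
  try {
    parsed = new URL(uri);
  } catch (e) {
    return "invalid";
  }
  const host = parsed.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  if (parsed.protocol === "https:") return "https";
  if (parsed.protocol === "http:") {
    const loopback = host === "127.0.0.1" || host === "::1" || host === "localhost";
    return loopback ? "loopback" : "http"; // plain http elsewhere is outside this model
  }
  return "custom-scheme"; // e.g. com.example.app://callback
}

// Decide how the authorization server answers a request.
// ssoSatisfiable: an existing session could satisfy the request with no user interaction.
// confirmationEnabled: the tenant/application uses the new login confirmation prompt.
function decideAuthResponse({ redirectUri, prompt, ssoSatisfiable, confirmationEnabled }) {
  const kind = classifyCallback(redirectUri);
  if (kind === "invalid") return "reject";
  const nonVerifiable = kind === "custom-scheme" || kind === "loopback";

  if (!nonVerifiable || !confirmationEnabled) {
    // Verifiable callback, or a tenant still on the previous default: unchanged flow.
    return ssoSatisfiable ? "redirect-silently" : "interactive-login";
  }
  // New behavior for custom-scheme / loopback callbacks.
  if (prompt === "none") return "reject";                 // prompt=none cannot be honored
  if (ssoSatisfiable) return "login-confirmation-prompt"; // no more silent redirect
  return "interactive-login";
}
```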

Login Confirmation Prompt

updated

Enhanced Signup Bot Detection for Stronger Security and Seamless User Experience

We’ve improved our machine learning (ML) model for signup to deliver stronger protection against automated account creation while keeping friction low for legitimate users.

Note: This update applies only to the signup flow. There are no changes to the ML models used for bot detection in login or password reset flows.

Highlights of this update include

  • Expanded detection signals:
    The model now leverages user-agent–based signals, such as operating system and browser version data, to more accurately distinguish between human and automated signup attempts.

  • Smarter traffic classification:
    An updated labeling strategy improves how the model differentiates between malicious and legitimate signup activity, helping it adapt more effectively to evolving attack patterns.

  • Optimized sensitivity settings:
    Adjusted detection thresholds capture a broader range of bot activity while maintaining a low false positive rate, ensuring a smooth experience for valid users.

What this means for you

These enhancements strengthen the signup protection capabilities of Attack Protection, enabling more effective detection of automated signup attempts without adding unnecessary friction for real users.

The rollout is in progress for all Enterprise customers with the Attack Protection add-on and will complete over the coming weeks in line with individual release schedules.

For configuration guidance or to learn more about protecting your signup flows, please refer to our documentation or contact your account team.

Auth0 Events Catalog Explorer Now Available

As part of the Early Access launch of Event Streams, there is now an Events Catalog explorer available in Auth0 Docs to better guide you on the details of each Event -- including examples. The Event Streams feature allows you to discover completed changes to Auth0 Users and Organizations as they happen. You can do this by:

  • Creating an Event Stream in the Manage Dashboard or the Management API
  • Configuring the Event Streams with the desired destination (Webhook or Amazon EventBridge) and selecting the events to receive

View the new Event Catalog Explorer here: https://auth0.com/docs/events/

Learn more about Event Streams here: https://auth0.com/docs/customize/events

added

FGA Logging API Now Generally Available

The Auth0 FGA Logging API is now Generally Available (GA). This dedicated endpoint provides a comprehensive audit trail for every interaction with the FGA system. You can now programmatically retrieve detailed logs for auditing, debugging, and monitoring.

  • Strengthen Audit & Compliance: Retrieve a complete audit trail for all public FGA APIs, including permission changes, access checks, and model updates, to verify who accessed resources and when.
  • Accelerate Troubleshooting & Monitoring: Gain granular insight into API operations to debug issues faster and proactively monitor for unusual activity. Use powerful Lucene query syntax to filter logs by user, IP address, status code, and more.
  • Centralize Your Logs: Easily export log data to your preferred SIEM, log management, or analytics tools to centralize your security and operational visibility.

The FGA Logging API is available for all paid-tier customers. For more information, please read the Auth0 FGA Logging API documentation.

added

Auth0 Nuxt SDK Beta

The first public beta of the Auth0 Nuxt SDK is now available for developers building web apps on the Nuxt framework!

Key Highlights

  • Idiomatic Nuxt 3 Experience: Simple, composable functions (useAuth0) that feel native to Nuxt developers, dramatically reducing time-to-first-login.
  • Advanced Security Out-of-the-Box: We've included support for the latest security standards from day one, including PAR, RAR, and Backchannel Logout.
  • Powerful API Authentication: Seamlessly obtain tokens for backend APIs using the TokenVault integration.

Resources

Here are the helpful resources to explore the new Nuxt SDK and get started:

This SDK is still in Beta and we need your feedback! Please share any feedback, questions or comments on GitHub.

added

Easily Update Your Firewall with the New IP Allow List

We are excited to announce an improvement that makes it faster and easier for you to keep your firewall configurations up-to-date.

Our IP allow list for Auth0's Public Cloud regions is now available in a standardized, machine-readable format. This new format is designed to help you automate updates and ensure the most accurate configuration for your firewall.

What this means for you:

  • Automation: You can now programmatically fetch and parse the list, eliminating the need for manual updates.
  • Accuracy: The structured data ensures you're always using the latest and most accurate IP addresses.
  • Clarity: The changelogs highlight specific additions and removals, so you can easily see what has been updated.

You can access this information at: https://cdn.auth0.com/ip-ranges.json

For more details, please see our documentation on IP allow list.

upcoming deprecation

Audience Validation for Private Key JWT Client Authentication

When validating JWT assertions used for client application authentication, Auth0 will impose stricter requirements and accept only a tenant's issuer identifier as a single JSON string value in the "aud" (audience) claim.

The possibility of providing an "aud" claim with either one of the approaches listed below is deprecated, and at a future date will cause the service to consider such JWT assertions invalid:

  • A JSON array of strings, provided that one of the entries contains a valid issuer identifier or endpoint URL for the respective tenant and endpoint the client authenticates against.
  • A single JSON string representing a valid endpoint URL for the respective tenant and endpoint the client authenticates against.

OIDC enterprise connections configured to use Private Key JWT in authenticated requests to the upstream identity provider will also be able to use the applicable issuer identifier represented as a JSON string in the "aud" claim included in JWT assertions.
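As an added check (not Auth0's own code), the following classifies the "aud" claim of a private_key_jwt client assertion under the rule above, separating the form that stays valid from the two deprecated forms, and builds a compliant claim set. The tenant issuer and endpoint URL are constructed sample values, and the jti is supplied by the caller.

```javascript
// Added example (not Auth0's own code): audit the "aud" claim of client assertions
// against the stricter validation described in the changelog.

const ISSUER = "https://example-tenant.us.auth0.com/"; // constructed tenant issuer identifier
const TOKEN_ENDPOINT = `${ISSUER}oauth/token`;         // constructed endpoint URL

// "valid": single JSON string equal to the tenant issuer identifier (stays accepted).
// "deprecated": forms accepted today but slated to be treated as invalid.
// "invalid": anything else.
function checkAssertionAudience(aud, issuer = ISSUER, endpointUrl = TOKEN_ENDPOINT) {
  if (typeof aud === "string") {
    if (aud === issuer) return "valid";
    if (aud === endpointUrl) return "deprecated"; // single string naming the endpoint URL
    return "invalid";
  }
  if (Array.isArray(aud) && aud.length > 0 && aud.every((a) => typeof a === "string")) {
    // JSON array of strings: deprecated even when an entry is the issuer or endpoint URL
    return aud.includes(issuer) || aud.includes(endpointUrl) ? "deprecated" : "invalid";
  }
  return "invalid";
}

// Claims for a compliant assertion (RFC 7523 layout). Short-lived by default;
// the caller supplies a unique jti so the assertion cannot be replayed.
function buildAssertionClaims({ clientId, jti, nowSeconds, ttlSeconds = 60, issuer = ISSUER }) {
  return {
    iss: clientId,
    sub: clientId,
    aud: issuer, // single JSON string: the tenant issuer identifier
    jti,
    iat: nowSeconds,
    exp: nowSeconds + ttlSeconds,
  };
}
```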

We have provided additional information and timelines for enforcing this change across tenants through a dashboard and support center notification.

Akamai Supplemental Signals is Now in Early Access

We’re excited to announce the Early Access release of Akamai Supplemental Signals. This feature allows Auth0 Enterprise customers who have Akamai configured as a reverse proxy in front of Auth0 to forward signals from Akamai Bot Manager and Akamai Account Protector into Auth0.

With this integration, you can enrich your authentication flows with supplemental signals from Akamai, make more dynamic security decisions in post-login Actions, and gain visibility through tenant logs.

Key Benefits

  • Combined Risk Context: Leverage Akamai’s bot and user risk signals together with Auth0’s risk assessment for a more complete view of login risk.

  • Adaptive Security Controls: Combine Akamai and Auth0 risk signals to trigger MFA, deny sessions, or revoke access based on risk indicators.

  • Seamless Integration: Configure Akamai to forward signals and use them immediately in post-login Actions and tenant logs.

Availability

  • Available to all Enterprise customers using Akamai as a reverse proxy in front of Auth0.

  • Currently in Early Access.

Learn More

added

Additional Signing Algorithms for OIDC and Okta Enterprise Connections in Limited Early Access!

We’re thrilled to introduce the Limited Early Access release of Additional Signing Algorithm for Okta and OIDC enterprise connections! This release expands flexibility for both Private Key JWT client authentication and ID token verification by adding support for stronger signing algorithms beyond RS256, including:

  • RS512
  • PS256
  • ES256

For Private Key JWT, Auth0 now lets you choose which algorithm is used to sign client assertion JWTs when authenticating requests to an upstream IdP. For ID token verification, Auth0 can validate tokens signed with a wider set of algorithms, ensuring compatibility across OIDC flows. Together, these enhancements give customers more control over cryptographic choices, making it easier to align with security policies and adapt as standards evolve.

This release is currently rolling out to all environments. To enable the Additional Signing Algorithms Limited Early Access release in your Auth0 tenant once available in your environment, please contact your Technical Account Manager to request access.

Organizations Support for Native Passkeys

You can now use Organizations with your native passkey flows! User sign-in and registration flows can now pass the organization to complete sign up in the organization context. Like Universal Login flows, auto-enrollment into an organization during sign-in is also supported.

Organizations Support for Native Passkeys is in Limited EA - reach out to your Auth0 contact to get started today.

To get started with Passkey APIs and use them with Organizations, please see our documentation or read our blog for getting started with native applications.

Native Passkey Management Now Available On MyAccount

We’re very excited to announce the availability of Native Passkey Management, extending the management of authentication methods using APIs. Customers can now delete passkeys using APIs and list all enrolled authentication methods for a user.

Customers can build end-to-end management of the passkeys directly into their native applications.

Native Passkey Management is in Limited EA - reach out to your Auth0 contact to get started today.

To get started with MyAccount, please read our documentation.

Ephemeral Sessions with Actions (Public EA)

As part of the Continuous Session Protection, you can now configure ephemeral (non-persistent) sessions using Actions. This allows enterprise customers to dynamically control whether a session is stored in a persistent cookie or only in memory.

Ephemeral sessions:

  • Exist only in memory and are cleared when the browser or app is closed
  • Are ideal for high-sensitivity workflows such as step-up authentication or use on public devices
  • Can be configured per session using api.session.setCookieMode("non-persistent") in post-login Actions

This feature is available to all Enterprise tenants in Public Early Access and requires no enrolment.

Learn more: https://auth0.com/docs/manage-users/sessions/sessions-with-actions#set-session-persistence-with-actions and https://auth0.com/docs/manage-users/sessions/session-lifecycle
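The following is an added example (not Auth0's own code) of a Post-Login Action that combines the two Continuous Session Protection capabilities in this changelog, Session Metadata (api.session.setMetadata, event.session.metadata) and ephemeral sessions (api.session.setCookieMode("non-persistent")). It assumes a hypothetical app_metadata.shared_device flag that the customer sets on accounts used on public devices; event.organization, event.request.user_agent and event.user.app_metadata are standard Actions event fields, and the decision logic is kept in a pure function so it can be unit-tested against a stand-in api object.

```javascript
// Added example (not Auth0's own code): Post-Login Action that records session metadata
// and makes the session ephemeral for shared-device users or ongoing step-up flows.
// app_metadata.shared_device is a hypothetical customer-defined flag.

// Pure decision logic, separated from the api calls so it is easy to unit test.
function planSession(event) {
  const metadata = {
    org_id: event.organization?.id ?? "none",
    // Keep a bounded user-agent snippet for audit; it travels in Back-Channel Logout tokens.
    login_ua: (event.request?.user_agent ?? "unknown").slice(0, 128),
  };
  const sharedDevice = event.user?.app_metadata?.shared_device === true;
  // A session already marked ephemeral (e.g. earlier in a step-up flow) stays ephemeral.
  const alreadyEphemeral = event.session?.metadata?.cookie_mode === "non-persistent";
  const ephemeral = sharedDevice || alreadyEphemeral;
  metadata.cookie_mode = ephemeral ? "non-persistent" : "default";
  return { metadata, ephemeral };
}

// Entry point in the shape Auth0 Actions expects (exported as onExecutePostLogin below).
async function onExecutePostLogin(event, api) {
  const { metadata, ephemeral } = planSession(event);
  for (const [key, value] of Object.entries(metadata)) {
    api.session.setMetadata(key, value);
  }
  if (ephemeral) {
    api.session.setCookieMode("non-persistent"); // memory-only cookie, cleared on browser close
  }
}

// Minimal stand-in for the Actions api object so the handler can be exercised offline.
function fakeSessionApi() {
  const state = { metadata: {}, cookieMode: "default" };
  return {
    state,
    session: {
      setMetadata: (key, value) => { state.metadata[key] = value; },
      setCookieMode: (mode) => { state.cookieMode = mode; },
    },
  };
}

if (typeof module !== "undefined") {
  module.exports = { onExecutePostLogin, planSession, fakeSessionApi };
}
```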

Use Ephemeral Sessions with Actions to configure Keep Me Signed In

updated

React Native SDK v5.0 (GA)

We are excited to announce the release of the Auth0 React Native SDK v5, a foundational rewrite designed to provide a best-in-class developer experience for one of the world's most popular mobile frameworks. This major update delivers a simpler, more powerful way to integrate secure authentication into your React Native applications while ensuring compatibility with the latest evolution of the ecosystem.

Highlights:

  • Stay on the Cutting Edge of React Native: Deploy with confidence knowing your authentication layer is ready for the future. The SDK is fully compatible with React 19 and Expo 53, and now includes Beta support for React Native's New Architecture (Turbo Modules). This allows you to leverage the latest performance and UI capabilities of the ecosystem without compromising on security.
  • Accelerate Development with a Better DX: We've refactored the entire SDK from the ground up to create a more intuitive and efficient developer experience. With a simpler API surface, unified cross-platform error handling, and an Android layer rewritten in modern Kotlin, you can integrate Auth0 faster and spend less time debugging.
  • Build for More Platforms with react-native-web: The new, robust architecture enables first-class support for react-native-web. Now you can share more of your authentication logic between your native mobile and web applications, streamlining development and ensuring a consistent user experience everywhere.

Get Started Today. The Auth0 React Native SDK v5 is now generally available.

As a major version release, v5 includes breaking changes aimed at improving the long-term health and usability of the SDK. To upgrade, please consult our comprehensive Migration Guide to v5.

For a full list of new features, improvements, and breaking changes, view the complete release notes on GitHub.

Cross App Access (XAA) for Resource Applications is now in Beta

We're excited to announce that Cross App Access (XAA) for Resource Applications is now in Beta.

Connecting AI Agents and Third Party Apps in an enterprise introduces two key challenges: poor IT visibility into data sharing and repetitive user consent flows. Cross App Access (XAA) solves this by enabling IT teams to centralize control over these connections, eliminating constant user consent prompts and providing better governance and visibility into data sharing.

This new feature provides built-in support for SaaS providers to get their APIs ready for secure connection by AI Agents and other SaaS Apps in enterprise environments. No code changes needed, simply configure the feature in your Auth0 tenant to instantly support central policy enforcement and a seamless user experience.

This Beta release is for testing purposes only.

To learn more, read our documentation.

Self-Service User Provisioning now in Early Access!

We’re excited to share that we've expanded the Self-Service SSO experience with User Provisioning (SCIM). Now your customers’ IT teams can manage user onboarding and offboarding directly, reducing manual work for you. This feature is currently in Early Access.

Smarter Provisioning: Your customers can now configure SCIM directly in the Self-Service SSO wizard, streamlining setup and reducing time-to-value.

Unified User Data: This release introduces User Attribute Profiles (UAP), a standardized way to map, normalize, and sync user attributes across identity protocols (SAML, OIDC, SCIM) and Auth0’s Self-Service SSO feature. This ensures consistent data handling across integrations and simplifies ongoing maintenance. Furthermore, when using UAP with the Self-Service Profile and Self-Service SSO, those mappings are now used to populate the Enterprise Connection Mapping object in Auth0.

Key Benefits

  • Automation: Delegate SCIM setup to your customers’ admins
  • Interoperability: Works seamlessly across varied IdPs
  • Consistency: One schema for easier debugging and support
  • Flexibility: Override mappings per protocol when needed

User Provisioning

Rollout is happening now. No opt-in required, it’s ready as soon as it appears in your tenant.

Learn more about Self-Service and User Attribute Profile in our product documentation.

By using Self-Service User Provisioning, you agree to the applicable Free Trial terms in Okta’s Master Subscription Agreement and Okta’s Privacy Policy during use of the Early Access feature. The Free Trial terms can be found within the Master Subscription Agreement at Legal Agreements | Okta.

updated

Auth0 Support Center - Now Enhanced

A new and improved Auth0 Support Center is now live. The new Auth0 Support Center is re-designed to help you find answers faster and adopt features more confidently.

Here’s what’s new:

  • Summarized solutions, fast: A single AI-powered search scans thousands of support resources and learning content and delivers a single answer tailored for you.
  • Unblock faster, stay ahead: The new Knowledge Base provides real-world how-tos and fixes. The Product Hub keeps you up to speed on what’s coming next.
  • Level up your skills: The Auth0 Learning Hub offers self-paced, tailored learning paths and plans to help you build skills and feature mastery.

Ready to try it out? Head to the Auth0 Support Center and explore for yourself. A great place to begin: search for a product or feature you’re working on and see how the new search delivers fast, tailored answers.

Want to learn more? Check out the YouTube video and Knowledge Base article.

updated

Auth0 Teams: Streamlined Team Member Invitations with Pre-assigned Tenant Access (Early Access)

We're excited ✨ to announce a significant enhancement to Auth0 Teams that simplifies and accelerates the onboarding process for your team members. This new feature, Pre-tenant Assign in Team Invitations, reduces the steps required to get your team members productive faster.

The Challenge We Solved ⁉️:

Previously, inviting a new team member and granting them tenant access was a multi-step process: invite, acceptance, then manual tenant assignment.

What's New 🎉:

You can now combine these steps into a single action. When inviting a new team member, an optional step in the invitation modal allows you to pre-select the tenants and associated roles the invitee should automatically access upon accepting the invitation.

Key Benefits for Your Team ✅:

  • One-Step Onboarding: Reduce administrative overhead by combining invitation and tenant access assignment into one efficient workflow.
  • Immediate Access: Invitees gain immediate access to pre-assigned tenants upon accepting the invitation, eliminating waiting periods.
  • Improved Auditability: Team Activity logs now record "Invitation accepted" events for better visibility, along with tenant member event detail logs.

This feature empowers Team Owners to onboard administrators and contributors effortlessly, ensuring they have the right access from day one.

Availability 🍾: Available in Early Access to Enterprise Customers, with General Availability coming soon.

Do not have Teams enabled yet? Click here to learn how to enable Auth0 Teams.

Pre-assign Tenant Access

updated

Bulk User Import / Export Now Available in the Management Dashboard

We are excited to share that Bulk User Import / Export is now available for everyone directly in the Auth0 Management Dashboard!

What’s New:

  • Streamlined experience: submit import / export jobs directly in the Dashboard UI - no Extension management required
  • Expanded RBAC support: now available to tenant members with Editor - Users Role in addition to Admin
  • Bulk update existing users: upserting pre-existing users in a connection is now available for manual import jobs
  • Export as a sample: quickly validate export file structure and field naming by exporting a sample file of 10 users

Deprecation Notice: The Bulk Import / Export Extension will reach end of life in October 2025. We recommend switching to the new Dashboard experience as soon as possible.

For more information on the new Import/Export UI, please refer to Bulk User Import / Export in the Auth0 docs.

Tenant Access Control List (ACL) is Now Generally Available

We’re excited to announce the General Availability of Tenant Access Control List (ACL), a security feature that helps you control who can access your tenant.

With Tenant ACL, you can create custom lists to allow, block, or redirect requests based on predefined signals – strengthening security and optimizing performance.

Key Benefits

  • Reduce Attack Surface: Block malicious traffic before it reaches your tenant
  • Enhance Security: Enforce access policies based on IPs, geolocation, user agents, ASN, and more
  • Optimize Performance: Redirect traffic to improve user experience

What’s New in GA

  • Enterprise customers: Create one Tenant ACL list
  • Attack Protection add-on customers: Create up to 10 Tenant ACL lists
  • Dashboard support: View, enable, and disable ACL lists directly from the Auth0 Dashboard

Learn More

API Access Policies for Applications now available in Early Access

We're excited to announce that API Access Policies for Applications is now in Early Access for all Auth0 customers and is fully supported for production use.

This feature enables you to control how applications access your APIs registered in Auth0. You can configure separate application API access policies for user flows and client (machine-to-machine) flows, giving you declarative, granular and easy-to-reason-about control over which applications can obtain an access token for a specific API. For instance, with the require_client_grant policy, you can ensure that only explicitly authorized applications can get tokens, even during user flows. This strengthens your security posture by preventing unauthorized applications from accessing sensitive API resources on behalf of a user.

To learn more, check out the documentation.

added

Announcing Dry Run for the Auth0 Deploy CLI

One of the most requested features for the Auth0 Deploy CLI is here: you can now preview your deployment changes before applying them.

Say goodbye to deployment anxiety. With the new --dry-run flag, you can get a detailed summary of exactly what resources will be created, updated, or deleted before you run an import. This brings the confidence of infrastructure-as-code practices like terraform plan to your Auth0 tenant management.

Get started by simply adding the --dry-run flag to your import command to see a safe preview of your changes.

This will help you and your team:

  • Deploy with Confidence: Eliminate uncertainty by verifying the exact impact of your changes.
  • Prevent Unintended Changes: Catch potential issues and avoid accidental modifications to critical production resources.
  • Improve Collaboration: Share the dry-run output with team members for review and approval before deployment.

The Dry Run feature is now available in Early Access. Update to the latest version of the Deploy CLI to get started.

Learn More

Non-Unique Emails Now in Open Early Access

What's new:
Non-Unique Emails is now in Open Early Access and rolling out to all environments. With this feature, multiple user accounts can share the same email address within a database connection. This enables support for real-world scenarios like:

  • Parent/child accounts using a shared inbox

  • Small businesses with a single location email

  • Users managing multiple roles under one email address

Key details:

  • Rollout has just begun and will take 1 to 4 weeks to reach every environment.

  • Available only for new database connections.

  • Email cannot be used as the primary identifier; customers must configure username or phone number instead.

  • Email communications will still be delivered to the shared email.

  • Once enabled, the non-unique email setting is permanent.

Status:

  • This feature is production-ready.

  • No opt-in required, all customers will gain access once rollout reaches their environment.

  • GA planned for Q4 2025.

Getting started:
Customers can create a new database connection with Non-Unique Emails in the Dashboard or via the Management API. See full documentation here:
Non-Unique Emails Documentation

Auth0 Teams Tenant Member Management and SSO enforcement for Private Cloud (Beta)

We are excited to announce a major update for our Private Cloud customers, extending the powerful management and security capabilities of Auth0 Teams to your private cloud environments. This release introduces the Beta versions of Tenant Member Management and SSO Enforcement, closing the feature gap with our Public Cloud offering.

✨ New Features

Tenant Member Management (Beta) for Private Cloud:

You can now centrally manage tenant membership and roles for your team members directly from the Auth0 Teams dashboard. This feature simplifies user administration by allowing you to:

  • View and manage all tenant access from a single interface.
  • Efficiently onboard and off-board users across multiple tenants.
  • Perform bulk operations to grant or revoke access.

SSO Enforcement (Beta) for Private Cloud:

Strengthen your organization's security posture by requiring all team and tenant members to authenticate using one of your configured Enterprise Identity Provider (IdP) connections. This ensures that access to Auth0 resources is governed by your corporate identity solution.

Activity Log Integration for Tenant Management:

All operations related to Tenant Member Management (e.g., adding, updating or deleting) are now recorded in the Auth0 Teams Activity Log, providing a complete audit trail for compliance and security monitoring. (Note: now available to all Auth0 Teams customers.)

Session Revocation for Private Cloud:

Administrators now have the ability to revoke active user sessions for Private Cloud tenants, providing an immediate way to off-board users or respond to security events.

📈 Improvements

Streamlined Private Cloud User Invites:

Team members can now be invited directly to a Private Cloud tenant through the Teams interface. This removes the previous requirement of first adding the user to the configuration tenant, simplifying and accelerating the onboarding workflow.

Increased Bulk Tenant Assignment Limit:

The limit for bulk tenant assignment has been doubled, allowing you to grant or modify access to 10 tenants at once, up from the previous limit of 5.

Beta Program Information

Tenant Member Management and SSO Enforcement features for Private Cloud are being released in Beta.

Continue with Auth0 Teams

Sender-constrained tokens using DPoP are now available in Early Access

We are delighted to announce that support for sender-constraining tokens using Demonstrating Proof of Possession (DPoP) is now available in Early Access.

Demonstrating Proof of Possession (DPoP), as defined in RFC 9449, is an application-level mechanism for binding tokens issued by Auth0 to the client application that requested them. This is implemented using asymmetric key cryptography with keys that are generated and managed by the client application; no public key infrastructure (PKI) is required.

Sender constraining tokens using DPoP can be used to mitigate the risk of tokens being used by unauthorised parties if they are intercepted in transit or exfiltrated from applications. This helps to:

  • enhance security by mitigating against token theft and misuse by unauthorised parties
  • improve user experience by being able to use longer-lived access tokens without significantly increasing security risk i.e. not requiring frequent user authentication

Auth0 will be rolling out SDK support for DPoP for native applications, single page applications, backend server APIs, and Auth0 management:

  • SDKs for iOS Swift and Android Kotlin are available now.
  • SDKs for JavaScript, React, Python and more are coming soon.

To evaluate DPoP for securing your tokens, contact your Auth0 representative. For more details, check out our product documentation.

JA3 and JA4 TLS Fingerprints Now Available in Tenant Logs and Actions

We have expanded our security telemetry to include JA3 and JA4 TLS fingerprints. TLS fingerprinting is a proven technique for identifying client software based on the TLS handshake.

  • JA3 is a fingerprinting method that identifies TLS clients based on their connection parameters.
  • JA4 refines TLS fingerprinting to make client identification more stable and resilient to small variations.

These signals help customers detect and respond to malicious traffic faster, identify suspicious client behavior, and correlate related activity across changing IPs and sessions.


What’s New

Tenant Logs
JA3 and JA4 fingerprints are now logged in applicable authentication and security events such as Success Login, Failed Login, and Anomaly Detection.
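
A detection pass over tenant log entries, as an added example that is not part of the original announcement: it groups failed logins by JA4 and flags a fingerprint that shows up from several IPs and several User-Agent strings within a short window, which is the "one tool rotating its disguise" pattern the fingerprint exists to expose. The type, ip, date and user_agent fields follow Auth0's tenant log shape; where the fingerprint field sits in your log stream is an assumption here, and the log lines and fingerprint values are constructed.

```javascript
// Added example (not Auth0 code): correlating failed logins by TLS fingerprint across IPs.
// `type`, `ip`, `date` and `user_agent` follow the tenant log shape; the `ja4` field location
// is assumed, and every log line and fingerprint value below is constructed.
const SAMPLE_LOGS = [
  { type: 'f',  ip: '203.0.113.10', date: '2025-09-01T10:00:00Z', user_agent: 'Mozilla/5.0 (X11; Linux x86_64)',          ja4: 't13d1516h2_8daaf6152771_e5627efa2ab1' },
  { type: 'fp', ip: '203.0.113.11', date: '2025-09-01T10:00:05Z', user_agent: 'Mozilla/5.0 (Windows NT 10.0)',            ja4: 't13d1516h2_8daaf6152771_e5627efa2ab1' },
  { type: 'f',  ip: '198.51.100.7', date: '2025-09-01T10:00:09Z', user_agent: 'Mozilla/5.0 (Macintosh; Intel Mac OS X)',  ja4: 't13d1516h2_8daaf6152771_e5627efa2ab1' },
  { type: 'fp', ip: '198.51.100.8', date: '2025-09-01T10:00:12Z', user_agent: 'Mozilla/5.0 (iPhone; CPU iPhone OS 17_0)', ja4: 't13d1516h2_8daaf6152771_e5627efa2ab1' },
  { type: 's',  ip: '192.0.2.44',   date: '2025-09-01T10:01:00Z', user_agent: 'Mozilla/5.0 (Windows NT 10.0)',            ja4: 't13d1517h2_5b57614c22b0_3d5424432f57' },
  { type: 'fp', ip: '192.0.2.44',   date: '2025-09-01T10:01:30Z', user_agent: 'Mozilla/5.0 (Windows NT 10.0)',            ja4: 't13d1517h2_5b57614c22b0_3d5424432f57' },
];

// Auth0 log type codes for failed logins: f (failed), fp (wrong password), fu (invalid user).
const FAILURE_TYPES = new Set(['f', 'fp', 'fu']);

// Returns fingerprints whose failures came from several IPs *and* several User-Agent strings
// inside the window: a single TLS stack claiming to be four different browsers is not a person.
function correlateByFingerprint(logs, { windowSec = 300, minFailures = 3, minDistinctIps = 2, minDistinctUserAgents = 2 } = {}) {
  const byFingerprint = new Map();
  for (const entry of logs) {
    const fp = entry.ja4 || entry.ja3;
    if (!fp || !FAILURE_TYPES.has(entry.type)) continue;
    const t = Date.parse(entry.date) / 1000;
    const s = byFingerprint.get(fp) || { fingerprint: fp, failures: 0, ips: new Set(), userAgents: new Set(), first: t, last: t };
    s.failures += 1;
    s.ips.add(entry.ip);
    s.userAgents.add(entry.user_agent);
    s.first = Math.min(s.first, t);
    s.last = Math.max(s.last, t);
    byFingerprint.set(fp, s);
  }
  return [...byFingerprint.values()]
    .filter((s) => s.failures >= minFailures && s.ips.size >= minDistinctIps
      && s.userAgents.size >= minDistinctUserAgents && s.last - s.first <= windowSec)
    .map((s) => ({ fingerprint: s.fingerprint, failures: s.failures, distinctIps: s.ips.size,
      distinctUserAgents: s.userAgents.size, spanSec: s.last - s.first }));
}
```

Run it over a log stream export after mapping the fingerprint field to ja4. The thresholds are deliberately conservative; the IP-and-User-Agent diversity requirement is what separates a rotating tool from a shared corporate egress, where the fingerprint set varies with the real browsers behind it.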

Actions Integration
JA3 and JA4 fingerprints are now available in Actions for real-time, custom security responses, but only in the following triggers:

  • pre-user-registration
  • post-user-registration
  • post-login

Tenant Access Control List (ACL) Support
You can also use the Tenant Access Control List to block specific TLS fingerprints directly by adding a rule. Alternatively, you can combine JA3 and JA4 signals with Actions to apply custom business logic, such as requiring MFA or conditionally denying access.


Why It Matters

JA3 and JA4 provide a stable, high-entropy signal that is considerably harder to forge than a User-Agent string, helping you correlate malicious activity even across changing IPs and sessions. Treat a fingerprint as a correlation key rather than as proof of client identity: tooling that reproduces a browser's TLS ClientHello does exist, so combine it with the other signals described here.


Availability

Available for all Enterprise customers. Start using these signals today.

Actions - Transaction Metadata - EA

We are excited to announce that Actions Transaction Metadata is now available in Early Access.

This feature allows you to set, share, and access custom data between Actions run in the same post-login execution.

Early Access functionality includes:

upcoming deprecation

Upcoming Removal of Legacy Management API Swagger Endpoint on September 11, 2025

Starting on September 11, 2025, we will be deprecating and removing the legacy, undocumented Management API Swagger Specification.

What is changing?

On September 11 2025, the endpoint path /api/v2/api-docs/ will be removed. After this date, any requests made to this path will result in a 404 Not Found error.

Why are we making this change?

Please note that this endpoint and the Swagger specification it provides were never officially documented or intended for public use. The current Swagger specification available at this endpoint is unmaintained, undocumented, and does not reflect the full capabilities of our Management API. As part of our commitment to providing robust and reliable tools, we are removing this legacy specification to prevent confusion and potential issues.

We strongly encourage all users to migrate to our officially supported OpenAPI 3.1 Specification for the Management API, which is currently in Beta. This new specification is actively maintained and provides a more accurate and comprehensive development experience.

What do you need to do?

If any of your processes are calling the /api/v2/api-docs/ endpoints, take the following steps before September 11, 2025 to ensure your applications and services continue to function without interruption:

  1. Identify any systems, scripts, or CI/CD processes that access https://[your-tenant.yourdomain.com]/api/v2/api-docs/.
  2. Update these systems to use our new, officially supported OpenAPI 3.1 specification. It can be accessed here: https://auth0.com/docs/api/management/v2
  3. Ensure your applications are resilient to a 404 Not Found response from the old endpoint path.

If the above does not address your needs or you have additional questions, contact us using the Auth0 by Okta Support Center or Auth0 by Okta Community.

Multi-Resource Refresh Tokens (MRRT) is now in Early Access for all customers

We’re excited to announce that Multi-Resource Refresh Tokens (MRRT) is now in Early Access for all customers.

This feature allows applications to use a single refresh token to request access tokens for multiple resource servers (APIs), each with its own audience and scopes. MRRT simplifies token lifecycle management, enhances developer experience, and improves session continuity across distributed API architectures.

What’s New?

  • Support for defining audience-specific refresh token policies per client
  • Use one refresh token to request tokens for multiple APIs — no re-authentication required
  • Compatible with rotating and expiring refresh tokens
  • First-party applications only
  • Management API support available today
  • iOS and Android SDKs support
  • Auth0 Deploy CLI and Terraform Support

Learn more

added

Flexibility for Passwordless on Universal Login with Connection Switching

We're introducing a new feature that gives your end-users the flexibility to choose how they log in. Using Universal Login Custom Prompts, you can now add custom buttons to your login pages. This empowers your users to easily switch between a traditional database (password-based) connection and a passwordless (OTP-based) connection.

This update allows you to create a seamless experience where users can select their preferred authentication method directly from the login challenge screen.

For full details on this new feature, check out our documentation. To learn more about how to use custom prompts, see the custom prompts documentation.

Native to Web SSO – Now in Early Access for all Enterprise customers

We’re excited to announce the Early Access of Native to Web SSO is now available for all enterprise customers.

With this release, developers can:

  • Implement SSO from native iOS or Android apps to browser-based web apps.
  • Securely issue and consume Session Transfer Tokens.
  • Leverage device binding enforcement (IP or ASN) for additional security.
  • Access Session Transfer Token support in Auth0 Actions.
  • Use the feature across the Auth0 CLI SDK, Terraform Provider, Deploy CLI, and native mobile SDKs (iOS and Android).
  • Integrate with WS-FED and SAML clients, and invoke Post Login Actions during token consumption.

📘 To get started:

  • Read our documentation
  • Read the Quickstart

Brute‑Force Protection Notifications: Email Notifications Expanded to All Identifier Types

What changed: When the user's email is available, Auth0 will now send an email notification for brute‑force blocks in all identifier scenarios (e.g., phone, username), supplementing existing delivery rules.

Why it matters: Ensures users receive blocking notifications consistently even when logging in via phone or username, improving visibility and response.

To learn more about Brute-Force Protection, read the online documentation here.

Enhanced Bot Detection Accuracy and Reduced Friction

We’ve improved our bot detection model to strike a better balance between security and user experience, with specific gains for tenants whose users frequently access resources via VPN.

Highlights of this update include:

  • Reduced false positives for VPN users: The model now more effectively distinguishes between legitimate users and bots, even when traffic originates from shared IPs or anonymized networks.

  • Improved user experience without compromising security: These updates are designed to reduce unnecessary friction for valid users while maintaining strong defenses against automated threats.

This enhanced security capability is now available to all Enterprise customers with the Attack Protection add-on. The rollout is currently underway and will be completed over the coming weeks in alignment with individual customer release schedules.

For activation details or to learn more about protecting your applications, please refer to our documentation or contact your account team. We're committed to helping you stay secure in an evolving threat landscape.

added

PII Obfuscation/Masking in Log Streaming

Introducing a new capability for log streaming: PII Masking.

This feature allows customers to obfuscate (hash or mask) sensitive personally identifiable information (e.g., email address, phone number, username, etc.) within their log streams. This enhancement improves security and compliance for customers who stream their logs to data lakes or third-party tools.

Key Features:

  • Customizable PII Masking: Customers can select specific PII data to be masked in their log streams.
  • Enhanced Security and Compliance: This capability helps customers meet stricter compliance requirements by providing greater control over sensitive data in their logs.
  • Broad Applicability: PII masking will be available for both new and existing log streams.

This update aligns with Auth0's commitment to improving customer data security and providing more customization in log stream outputs.

For more information - Log Streams

added

New Private Cloud Region in Mexico

Auth0 is delighted to introduce Mexico as the latest AWS region for Private Cloud deployments.

This new region establishes our first Private Cloud presence in Mexico, directly addressing the needs of one of Latin America's largest and most dynamic digital economies. The addition of the Mexico region provides lower latency for customers throughout the country and helps meet local data residency and compliance requirements.

We remain committed to expanding our global footprint to serve our customers wherever they are in the world.

Cascade Token and Session Revocation for Native to Web SSO is Now Available

We’ve added support for Cascade Revocation in Native to Web SSO.

With this new capability, revoking the original refresh token used in a Native to Web flow will now automatically revoke all dependent web sessions and their issued refresh tokens.

This helps prevent stale or orphaned sessions and ensures that once the root token is no longer valid, all downstream access is properly revoked.


What’s new:

  • enable_cascade_revocation
    When enabled, revoking a native app’s refresh token also revokes all web sessions and refresh tokens created via session_transfer_token.

  • enable_online_refresh_tokens
    When enabled, refresh tokens issued during a Native to Web SSO flow are tied to the lifetime of their associated session (i.e., online tokens).


Default behavior:

Both of these settings are enabled by default, even when not explicitly configured.

This means:

  • All clients using Native to Web SSO today already benefit from cascade revocation.
  • Web-issued refresh tokens will automatically expire when their sessions expire.

You can manage or override these settings using the Auth0 Management API.


Why it matters:

This update provides stronger guarantees around token lifecycle and session integrity across platforms:

  • Prevents misuse of refresh tokens after logout or revocation
  • Reduces risk from long-lived sessions in embedded web views
  • Helps developers maintain a tighter, more secure cross-platform SSO experience

Learn more in our Native to Web SSO documentation

Passkey Support for Custom Database Connections with Import Mode Off - Early Access

We are excited to introduce expanded passkey support for custom database connections! Now available without enabling import mode.

What’s New:

  • You can now enable passkey-based authentication for custom database connections without importing or trickle-migrating users into Auth0 (i.e., with import mode turned off).
  • End users can easily enroll in passkeys after their first successful login, requiring no prior passkey credentials in your external identity store.
  • Passkey credentials are securely stored in Auth0, while your external identity store continues to handle all other authentication logic.

This enhancement unlocks frictionless, passkey-based login experiences for enterprises that manage user credentials outside of Auth0 - without requiring user migration or changes to existing identity architecture.

To enable the Limited Early Access release in your Auth0 tenant, contact your Technical Account Manager to request access.

My Account API Explorer Now Available

My Account API Explorer is now available! Navigate to: https://auth0.com/docs/api/myaccount to try it out and help navigate & build with the new My Account API (which is in Limited Early Availability).

Using My Account, customers can build self-service management experiences at scale, powered directly from their applications.

To learn more and request access to the My Account API feature, contact your Auth0 account manager.

Multiple Custom Domains on an Auth0 tenant - Early Access

We're thrilled to announce Multiple Custom Domains (MCD) support on a single Auth0 tenant, bringing you simpler, more flexible branding and white-labeling. This powerful capability allows you to:

  • Deliver tailored, branded experiences for your users, including customized login URLs and emails.
  • Enhance security through consistent use of custom domains across end-user interactions.
  • Scale B2B SaaS usage rapidly through MCD on a single tenant.

This feature is available to our Enterprise customers.

With Early Access, you'll gain robust capabilities across our Management APIs, Manage Dashboard, and our developer tools (SDKs, Terraform provider, and CLI) for MCD management. You'll find new ways to customize Email templates based on custom domain information. The solution scales effortlessly to meet rapid growth and demanding needs.

Please refer to Auth0 docs for details - Multiple Custom Domains.

Interested in participating in the Early Access program? Please send a request through the Auth0 Support Center.

Advanced Customizations for Universal Login (Early Access) - Filtering, Page Templates, Dashboards and Consent screens.

We are excited to announce the next Early Access release of Advanced Customizations for Universal Login! This release adds a couple of highly requested enhancements as well as support for building custom versions of Universal Login’s Consent screens using the new ACUL SDK.

Advanced Customizations for Universal Login enables you to build custom, client-rendered interfaces for Universal Login screens, allowing you to control every pixel of your Universal Login experience.

This release includes:

  • A new Filters screen configuration object that allows you to set constraints around when the custom UI should be used based on the client and organization information.
  • A new screen configuration parameter that allows you to use your custom page template with ACUL
  • Support for building custom versions of the Consent screens
    • Consent
    • Customized Consent (used with HRI)
  • A shiny new Dashboard UI for configuring ACUL screens

DX Updates

The latest versions of the ACUL SDK and Auth0’s CDT tooling include support for the new Filters and page template configurations as well as configuring the consent screens.

We are very close to supporting everything that Universal Login currently supports out of the box. Check out our online documentation to learn more about ACUL and stay tuned to the Auth0 Changelog for updates and announcements!

Early Access Launch of Right-to-Left Language Support for Universal Login!

Today, we're excited to announce the Early Access release of Right-to-Left (RTL) Language Support for Universal Login—with support for the Guardian Mobile Apps (iOS & Android) coming later this month.

This update expands Auth0’s global accessibility by enabling seamless support for RTL languages, including Arabic, Persian (Farsi), Hebrew, and Urdu—helping you deliver more inclusive, intuitive login experiences in regions where these languages are the norm. Supporting RTL languages means you can reach new markets, localize experiences with greater precision, and improve accessibility for the nearly 1 billion people who rely on RTL scripts.

Early Access includes managing RTL languages in the Admin Dashboard and API as well as previewing and editing prompt translations. Guardian support (coming later this month) will bring RTL layout rendering to identity verification and MFA workflows.

This release marks a major step forward for Universal Login. As Auth0 continues to pursue our vision of a world where anyone can safely use any technology, powered by their Identity, we are proud to partner with our customers around the world in delivering secure, inclusive, and accessible authentication experiences.

Contact your Auth0 account manager or Auth0 Support to enable Early Access on your tenant.

deprecated

Multiple Actions for Custom Phone and Email Provider Triggers

We are deprecating the ability to create more than one action per tenant for actions supporting custom phone or email providers and introducing a maximum limit of one action in the respective triggers:

  • custom-phone-provider
  • custom-email-provider

This limitation applies to the Management API create an action endpoint (POST - /api/v2/actions/actions) and can impact integrations performing direct API calls and tools like the Auth0 Deploy CLI, the Auth0 Terraform Provider, or the Auth0 CLI.

We have provided additional information and timelines for enforcing this change across tenants through a dashboard and support center notification.

Improved bot detection with reduced friction for legitimate users

We’ve upgraded our bot detection model to improve accuracy and reduce friction for legitimate users, particularly on mobile devices and evolving browser platforms.

Highlights of this update include:

  • Improved interpretation of user-agent signals: The model now better handles previously unseen browser and OS versions, improving accuracy in distinguishing between legitimate users and malicious traffic.

  • Reduced friction for mobile users: We've updated the model to more accurately recognize native mobile app traffic, resulting in fewer unnecessary CAPTCHA challenges for real users.

  • Improved user experience without compromising security: These changes are designed to reduce false positives while maintaining robust bot detection coverage.

This enhanced security feature is available now to all Enterprise customers with the Attack Protection add-on. The rollout is currently underway and will be completed in the coming weeks, aligned with individual customer release schedules.

For activation details or to learn more about safeguarding your systems, please refer to our documentation or reach out to your account team. We are committed to supporting you in protecting your digital presence against evolving threats.

updated

Auth0 Guide Early Access Enhancement: Security Center Data Assistance

We’re excited to announce that the Okta AI-powered chatbot (Guide) Early Access offering has been enhanced with an additional data source - Security Center Metric Data. This additional capability is available only to Enterprise customers and can answer questions such as “do I have more sign up attacks this week compared to last week?”.

Availability

Guide is available to tenants in the US Public Cloud region. Within that group, Security Center Metric Data is available only for Enterprise customers. Guide will be rolled out to all Public Cloud regions in the near future.

added

Private Key JWT Client Authentication for OIDC and Okta Enterprise Connections - Now in Early Access

We’re excited to announce the Early Access release of Private Key JWT Client Authentication for OIDC and Okta Enterprise Connections! Auth0 customers can now leverage a more secure and standards-based method of client authentication for their enterprise identity providers.

Until now, federated connections relied on long-lived client secrets for back-channel authentication. This feature enables signing with asymmetric keys on Okta and OIDC connections, reducing the risk of credential leakage and enabling secure key management and rotation.

While Auth0 already supports Private Key JWT when acting as the Identity Provider, this release extends that security posture to outbound enterprise connections, allowing Auth0 to securely authenticate to upstream IdPs using signed JWTs instead of shared secrets.

For complete setup instructions and more, refer to our documentation.

By using Private Key JWT Client Authentication on your OIDC and Okta Enterprise Connections, you agree to the applicable Free Trial terms in Okta’s Master Subscription Agreement and Okta’s Privacy Policy during use of the Early Access feature. The Free Trial terms can be found within the Master Subscription Agreement.

Multi-Resource Refresh Tokens (MRRT) Now Available in Early Access

We’re excited to announce that Multi-Resource Refresh Tokens (MRRT) is now in Early Access for Enterprise customers.

This feature allows applications to use a single refresh token to request access tokens for multiple resource servers (APIs), each with its own audience and scopes. MRRT simplifies token lifecycle management, enhances developer experience, and improves session continuity across distributed API architectures.

What’s New?

  • Support for defining audience-specific refresh token policies per client
  • Use one refresh token to request tokens for multiple APIs — no re-authentication required
  • Compatible with rotating and expiring refresh tokens
  • First-party applications only
  • Management API support available today
  • iOS and Android SDKs support
  • Auth0 Deploy CLI and Terraform Support

Learn more

deprecated

Real-time Webtasks Logs Extension Deprecation

What is changing?

We are deprecating the Real-time Webtask Logs extension, with a planned end-of-life (EOL) after September 16, 2025.

As a replacement, we have published the Actions Real-time Logs feature integrated within the Auth0 Dashboard. The extension will cease to be available for new installations, but tenants with the extension already installed will maintain access until the planned EOL.

Why are we making this change?

The transition to the dashboard will improve the security posture and maintainability of the functionality, while simplifying future enhancements.

How are you affected?

If you actively use the Real-time Webtask Logs extension, its scheduled removal will affect you: moving from the extension to a direct dashboard capability inherently implies some user experience differences.

What action do you need to take?

You can start using the Actions Real-time Logs feature by navigating to Auth0 Dashboard > Monitoring > Actions Logs.

We recommend that extension users familiarize themselves with the new user interface to avoid disruption once the extension becomes unavailable.

added

Canadian French Language Support Added to Auth0 Dashboard and Docs

We’ve added a new language option, Canadian French, to help our users in Canada and beyond build secure identity solutions more easily. If your language preference is set to Canadian French in your browser settings, Auth0 will detect this and automatically serve the Dashboard and Documentation in Canadian French. You can manually override this setting in the Auth0 Dashboard and Docs via the language switcher in the top-right corner.

deprecated

Removal of Access to Specific Event Request Properties in Actions

What is changing?

The service will restrict access to additional property names within the event.request.query and event.request.body objects when executing actions for the post-login and credentials-exchange triggers. Tenants identified as using actions that may reference request properties planned for restriction will maintain access until September 16, 2025.

The service will restrict the following property names in the request-related objects:

  • auth_session
  • authn_response
  • client_secret
  • client_assertion
  • refresh_token

Previously, the implementation of an action could access the properties listed above in event.request.query and event.request.body to retrieve the value included in the corresponding network request. Once the planned restrictions become effective for a given tenant, all properties above will be undefined independently of the network request content.

The rollout of these additional restrictions is in progress for tenants where historical data did not show any actions using these property names. Tenants identified as potentially impacted by these restrictions will maintain existing behavior until the previously mentioned date.

Why are we making this change?

By restricting access to these properties, we aim to prevent potential mishandling of sensitive data within the custom code implemented for post-login and credentials-exchange actions. For example, we reduce the risk of unintentionally logging sensitive data in log operations that may output the whole request object.

How are you affected?

If none of your tenant's current actions reference one of the restricted property names, or if the references that do exist are not property accesses on the event.request.query or event.request.body objects, then these changes should not impact your tenant.

If there are actual references to restricted request properties, the restriction of these properties may impact the action's logic. After the changes become effective, accessing those request properties will always return undefined. Without revising the actions' implementation, the respective authentication flows risk partial degradation or complete failure.

What action do you need to take?

If your tenants currently have actions that reference one of the restricted properties of the event.request.query or event.request.body objects in their implementation, you must update those actions to stop relying on the restricted properties of the request objects.

The exact implementation changes you may need to perform will depend on your overall implementation of the actions and each restricted request property's usage scenario.

For example, for scenarios related to reusing secret information previously available from the request, the support for secret management (event.secrets) as part of actions may provide a potential alternative. If the requests include restricted property names, but the information sent within them is not considered sensitive, you may consider using a different parameter name in the request, or ideally, consider using custom parameters as part of pushed authorization requests to avoid disclosure or interception of the data by end users in browser-based flows. If the data is static per client or connection, consider storing it as part of client or connection metadata.
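As an added example (not Auth0's own code), the snippet below simulates the restriction described above on a constructed post-login event, contrasts the pattern that breaks (reading client_secret from the request body) with one that keeps working (reading static per-client material from event.secrets), and shows an allow-list logging helper so that a log call can never emit the whole request object. PARTNER_API_KEY and partner_hint are hypothetical names.

```javascript
// Added example (not Auth0's code); PARTNER_API_KEY and partner_hint are hypothetical.
const RESTRICTED_PROPERTIES = [
  "auth_session", "authn_response", "client_secret", "client_assertion", "refresh_token",
];
// Simulates the behaviour described in the notice: the listed names read as
// undefined in event.request.query and event.request.body regardless of the
// underlying network request content.
function applyRequestRestrictions(event) {
  for (const obj of [event.request.query, event.request.body]) {
    for (const name of RESTRICTED_PROPERTIES) {
      if (obj && name in obj) obj[name] = undefined;
    }
  }
  return event;
}

// Before: the Action pulled a secret straight out of the request body.
// Once restricted this always yields undefined and the flow degrades.
function legacyPartnerKey(event) {
  return event.request.body.client_secret;
}

// After: static per-client material comes from event.secrets; the request
// carries only a non-sensitive custom parameter.
function revisedPartnerKey(event) {
  const key = event.secrets && event.secrets.PARTNER_API_KEY;
  if (!key) throw new Error("PARTNER_API_KEY is not configured in event.secrets");
  return { key, partnerHint: event.request.query.partner_hint };
}

// Never serialise the whole request object when logging: copy only an explicit
// allow-list of non-sensitive keys, so a stray log call cannot emit credentials.
function loggableRequest(event, allowedKeys = ["partner_hint", "redirect_uri"]) {
  const picked = {};
  for (const source of [event.request.query, event.request.body]) {
    for (const key of allowedKeys) {
      if (source && source[key] !== undefined) picked[key] = source[key];
    }
  }
  return picked;
}

// Constructed sample event, shaped like what a post-login Action receives.
const sampleEvent = applyRequestRestrictions({
  request: {
    query: { partner_hint: "eu-west", redirect_uri: "https://app.example/cb" },
    body: { client_secret: "constructed-secret-value" },
  },
  secrets: { PARTNER_API_KEY: "constructed-key-value" },
});
```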

added

Resilience enhancement - Private Cloud Restoration General Availability

Auth0 is excited to announce the General Availability of the Private Cloud Restoration resilience enhancement. This capability comes in handy in the event of customer data loss or data corruption, and assists customers in meeting regulatory requirements such as the European Union’s Digital Operational Resilience Act (DORA).

This capability allows customers to request full restoration of their production Private Cloud environment from an Auth0 backup taken within the last 14 days. It also includes the option for one restoration test per year on a non-production Private Cloud environment. Please refer to the Operational policies documentation for more information.

Customize the Brute-Force Protection Unblock Page with Universal Login - Now Available

You can now customize the Brute-Force Protection unblock page using Universal Login. This update allows for a fully branded experience when users are locked out due to repeated failed login attempts.

What’s New?

  • Branded unblock experience via Universal Login - The brute-force protection unblock page is now part of Universal Login, giving you full control over its appearance and content. This ensures a seamless, branded experience throughout the recovery flow.

  • Improved compatibility with email security scanners - Account unblock now occurs when the unblock page loads rather than on clicking the unblock link. This helps prevent issues caused by email security scanners that pre-process links.

To enable these new features

Navigate to the Settings > Advanced tab. In the Migrations section, near the bottom of the page, disable the existing functionality with the toggle shown below.

Brute Force Deprecation Toggle

The existing Brute-Force Protection unblock page and behavior will remain available for now. However, it is planned for deprecation within the next 6 months, giving you ample time to transition to the new and improved experience at your convenience.

For more information about our Brute-Force Protection feature, see our online documentation.

deprecated

Unrestricted offset pagination in Connections Management API

Starting October 27, 2025, the offset-based pagination available for the Management API get all connections endpoint will no longer support retrieving a paginated result beyond the first 1000 connections.

Use checkpoint-based pagination to iterate beyond 1000 connections. Additional information about this upcoming change is available in a dashboard and support center notification.
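As an added example (not Auth0's own code), a pager that walks the connections endpoint with the checkpoint parameters from and take rather than offset pagination, so that tenants with more than 1000 connections are not silently truncated. It assumes the response shape { connections, next } and substitutes a constructed in-memory stand-in for the authenticated GET /api/v2/connections call so it runs offline; the stand-in is synchronous, where a real HTTP client call would be awaited.

```javascript
// Added example (not Auth0's code). fetchPage is a stand-in for an authenticated
// GET /api/v2/connections?take=...&from=... call; the { connections, next }
// response shape is assumed.
function listAllConnections(fetchPage, take = 100) {
  const all = [];
  let from; // undefined on the first call: start from the beginning
  for (;;) {
    const page = fetchPage({ take, from });
    all.push(...page.connections);
    if (!page.next) break; // no further checkpoint: the list is complete
    from = page.next;      // pass the checkpoint back, never a page offset
  }
  return all;
}

// Constructed stand-in for the endpoint with 2500 connections, more than the
// 1000 reachable through offset pagination after the change.
const FAKE_CONNECTIONS = Array.from({ length: 2500 }, (_, i) => ({
  id: `con_${String(i).padStart(4, "0")}`, name: `connection-${i}`,
}));

function fakeFetchPage({ take, from }) {
  const start = from ? Number(from) : 0;
  const slice = FAKE_CONNECTIONS.slice(start, start + take);
  const end = start + slice.length;
  // The checkpoint is opaque to the caller; here it is simply the next index.
  return { connections: slice, next: end < FAKE_CONNECTIONS.length ? String(end) : undefined };
}
```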

Native Passkey Enrollment With My Account

We’re very excited to announce the Limited Early Availability of Native Passkey Enrollment, the first capability on our new self-service API, My Account.

Using My Account, customers can build self-service management experiences at scale, powered directly from their applications.

Native Passkey Enrollme