Changelog

Information on the latest updates and additions to the Auth0 platform.

added

Inbound SCIM Groups for Enterprise Connections is now Generally Available!

We’re pleased to announce that support for Groups within Auth0’s Inbound SCIM for Enterprise Connections capability is now Generally Available (GA)!

This release closes the loop between identity provisioning and access control by allowing you to natively map synced groups to Auth0 roles at two levels: globally at the tenant level, or scoped specifically to an organization based on the user’s login context.

Additionally, developers can now accelerate B2B onboarding by empowering their enterprise customers to self-configure SCIM provisioning for groups directly.

What’s new in GA:

Building on our Early Access capabilities, this release introduces the following enhancements to deliver out-of-the-box B2B delegated administration:

  • Associate tenant-level RBAC roles with Enterprise Groups: For global access, you can assign Auth0 tenant-level roles directly to SCIM-provisioned groups. Any member of the synced group will automatically inherit these roles globally.
  • Assign Organization scoped roles to Enterprise Groups: You can now assign organization scoped roles to SCIM-provisioned groups. In tandem with Auto-Membership, your customers' users will automatically inherit workspace-scoped permissions the moment they log in.
  • Self-Service Enterprise Configuration: Empower your enterprise customers (or their IdP administrators) to configure SCIM provisioning for users and groups on their own through the Self-Service flow, accelerating B2B onboarding and removing your support team from the loop.

How to get started:

This feature will be rolled out to all public cloud environments over the next few days and to private cloud environments as per their release pipeline.

SCIM Groups is available for all tenants whose Auth0 plan includes Enterprise Connections. To enable it, navigate to the Auth0 Dashboard, go to Authentication > Enterprise, select your SAML, OpenID Connect, Okta Workforce, or Microsoft Entra ID connection, and toggle Sync user profiles using SCIM to On under the Provisioning tab.

Learn more:

updated

Dashboard Navigation & IA Refresh is now in Beta

We are excited to announce that the redesigned Dashboard navigation and information architecture (IA) is now available in Beta. This update is the first step toward a more unified platform experience across Auth0, making it faster to find what you need and easier to act on everything across the platform. Alongside the IA changes, this beta also includes a significant visual refresh.

What's in the Beta

Flattened navigation

  • Label-only group headers so every item is visible at a glance, reducing clicks and making pages faster to reach.
  • Reorganized around common tasks to surface the pages you use most and match the way you actually work.
  • External actions have moved out of the sidebar and into the top bar, keeping the sidebar focused on tenant configuration.

Consolidated & renamed pages

  • Related functionality grouped together to bring common tasks closer together.
  • Clearer naming to better align functionality across the platform.

Availability

  • Existing bookmarks and deep links will continue to work and you'll be automatically redirected to the new page.
  • This is a navigation, IA, and visual update only. All underlying functionality and APIs remain the same.

Join the beta!

If you're interested in joining the Dashboard Navigation & IA Refresh beta program, please send a request through the Auth0 Support Center or contact your Technical Account Manager (TAM) or Auth0 Sales Executive to help you out with the process.

added

Dashboard Search for Applications Now in Beta

We're excited to announce that Dashboard Search for Applications is now available in Public Beta! Find your applications faster without scrolling through paginated lists.

What's New: Dashboard users can now search and filter applications in real time by application name, client ID, external client ID, metadata, application type, and first-party status.

  • Multiple filter options — Combine up to 5 filters
  • Guided filter menu with Boolean search logic
  • Filters persist in URLs for sharing and bookmarking

Rolling out progressively to Public Cloud tenants starting this week, with broader availability in the coming weeks.

For detailed documentation on search capabilities, visit our Product documentation.

M2M Support for Third-Party Applications is now Generally Available

We're happy to announce that strict third-party applications now support machine-to-machine (M2M) access using the client_credentials grant type.

As you expose your APIs to AI agents and partner backend services that operate without a user in the loop, you need those integrations to work within the same secure-by-default posture as the rest of your third-party application setup. This release makes that possible.

What's included:

  • client_credentials grant type support for strict third-party applications, available via the Management API and Dashboard.
  • Organization-scoped M2M access: strict third-party applications can request access tokens within the scope of a specific organization, with the same explicit grant requirements that apply to all M2M applications. Learn more about M2M access for organizations.
  • M2M access is intentionally restricted to applications created manually via the Management API or Dashboard. Applications registered via Dynamic Client Registration are excluded to prevent uncontrolled token issuance by unvetted third parties.

To learn more, visit the Third-Party Applications documentation.

added

Auth0 Teams: Delegate tenant management with the new Tenant Manager role

You can now delegate tenant-level user management with the Tenant Manager role. This allows you to offload day-to-day administrative tasks from Team Owners to dedicated managers, providing the autonomy they need without exposing sensitive configuration settings.

Key capabilities:

  • Independent administration: Directly invite, update, and revoke tenant members without escalating to Team Owners.
  • Scoped permissions: Access is limited strictly to assigned tenants; sensitive configurations—such as connections and security logs—remain restricted to Team Owners.
  • Audit trails: All management actions are captured in Team Activity logs for full compliance and visibility.

Use cases:

  • Regional autonomy: Empower regional leads to manage their own tenant members without granting visibility into other regional or global tenants.
  • Separation of duties: Delegate administrative tasks to specific departments while centralizing control of critical security settings at the account level.

Learn more about Teams Roles and Responsibilities.

added

Token Vault with Organization Support Available in GA!

We're excited to announce the GA release of Token Vault with Organization Support! ISVs building multi-tenant B2B SaaS applications and agents on Auth0 Organizations can now use Token Vault to store and exchange third-party tokens within the context of each organization their users belong to.

With this release, Token Vault exchanges and the Connected Accounts flow respect org_id end-to-end. Tokens are scoped to (user, org_id), so each organization maintains its own token records for a given user and data isolation between organizations is preserved by default. Token Vault exchanges that do not carry an org_id claim continue to behave as before.

For complete setup instructions and more, refer to our documentation.

Actions - Access Token Scope Customization - EA

We are excited to announce new Credentials Exchange Actions interfaces for customizing access token scopes, now available in Early Access.

These interfaces allow you to write Credentials Exchange Actions that customize which scopes are considered when the access token is issued, within the restrictions defined by the API and Client Grant definitions.

Early Access functionality includes:

Custom Token Exchange - Delegated Authorization now available in Open Early Access

We're excited to announce that Custom Token Exchange now supports Delegated Authorization. This release is available to all Enterprise, B2B Professional, and B2C Professional customers.

Delegated Authorization covers scenarios where a principal (e.g. a human support agent, a backend service, an AI agent) performs actions in the context of a user. Unlike traditional impersonation where the actor's identity is lost, delegated authorization preserves both identities: the sub claim identifies the user being acted for, while a standards-based act claim (per RFC 8693) identifies who is actually performing the action. Every token carries a verifiable record of the delegation.

With the flexibility to define custom actor semantics and authorization logic via Actions, customers now have the tools to address emerging access patterns, including agentic AI flows, alongside traditional delegation scenarios like support tooling and service-to-service chains.

Key highlights of this release:

  • Actor token parameters: Pass actor_token and actor_token_type to convey the acting party's credential
  • setActor() Action command: Developers explicitly control when and how the delegation act claim is included in tokens via the new setActor() method
  • Auth0 ID tokens as actor tokens: Automatic validation when the actor is an Auth0-managed user
  • Audit trail: Actor identity captured in tenant logs for compliance and traceability
  • Nesting support: Up to 5 levels of delegation chains for multi-hop service scenarios
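The act claim semantics listed above, as an added example that is not Auth0's code: a resource server walking the nested act claims of an access token payload (constructed here, and assumed to be already signature-verified), enforcing the 5-level nesting limit, applying a hypothetical allowed-actor policy, and producing an audit line that keeps both identities.

```javascript
// Added example (not Auth0 code): how a resource server can read the RFC 8693
// "act" claim from an access token issued through delegated authorization.
// The token payload below is constructed and assumed to be already signature-
// verified; the allowed-actor policy is a hypothetical input.
const MAX_DELEGATION_DEPTH = 5; // nesting limit stated in the release notes

// Walk act -> act.act -> ... and return the actors, outermost (current) first.
function delegationChain(payload) {
  const chain = [];
  let node = payload.act;
  while (node !== undefined && node !== null) {
    if (typeof node !== 'object' || typeof node.sub !== 'string' || node.sub.length === 0) {
      throw new Error('malformed act claim');
    }
    chain.push(node.sub);
    if (chain.length > MAX_DELEGATION_DEPTH) {
      throw new Error(`delegation chain deeper than ${MAX_DELEGATION_DEPTH}`);
    }
    node = node.act;
  }
  return chain;
}

// Authorization decision: the subject stays the user; the party actually
// calling is chain[0]. Only actors listed in the policy may act for users.
function authorize(payload, allowedActors) {
  const actors = delegationChain(payload);
  if (actors.length === 0) return { allowed: true, subject: payload.sub, actors };
  if (!allowedActors.has(actors[0])) {
    return { allowed: false, subject: payload.sub, actors, reason: `actor ${actors[0]} not permitted` };
  }
  return { allowed: true, subject: payload.sub, actors };
}

// Audit line that keeps both identities, which plain impersonation would lose.
function auditLine(payload) {
  const actors = delegationChain(payload);
  return actors.length === 0
    ? `${payload.sub} acting for self`
    : `${actors[0]} acting for ${payload.sub} (chain: ${actors.join(' <- ')})`;
}

// Constructed token payload: a support agent, itself invoked through a
// ticketing service, acts on behalf of user auth0|user-123.
const SAMPLE_PAYLOAD = {
  iss: 'https://example-tenant.auth0.example/',
  sub: 'auth0|user-123',
  aud: 'https://api.example.test',
  act: { sub: 'auth0|support-agent-7', act: { sub: 'service:ticketing' } },
};
```

The nested act objects are read outermost first, so `actors[0]` is the party currently making the call and the inner entries are the earlier hops; the depth check rejects tokens whose chain exceeds the five levels the release supports.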

To learn more, visit the Custom Token Exchange documentation.

General availability of DPoP sender constraining for Enterprise Connections

Demonstrating Proof of Possession (DPoP) sender constraining for Enterprise Connections is now generally available. Customers can now establish Okta and OIDC Enterprise Connections with DPoP enabled on those connections. This is available on all plans with Enterprise Connections.

DPoP for Enterprise Connections enables Auth0 to generate DPoP proofs when performing token exchange and calling userinfo endpoints on upstream OIDC and/or Okta connections. DPoP is a core building block of FAPI2 and IPSIE (Identity Proofing and Secure Identity Exchange) ecosystems. It provides a lightweight, standards-based way to enforce proof-of-possession (of a private key) without the operational overhead of mTLS token binding.

Please see product documentation for further details.

Federated Logout for OIDC and Okta enterprise connections is now generally available

Federated Logout is now generally available for OIDC and Okta enterprise connections. When a user logs out with ?federated appended to the logout URL, Auth0 calls the upstream identity provider's end_session_endpoint to terminate the IdP session, closing the gap where a lingering IdP session could silently re-authenticate the user on their next login attempt.

Note: if federated logout is attempted for a connection that does not provide an end_session_endpoint, federated logout cannot be completed and a federated_logout_failed tenant log is generated. The user is still logged out of Auth0 and redirected back to the application, just as with a standard (non-federated) logout.
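The behaviour described in the two paragraphs above, as an added example that is not Auth0's code: a model of the federated logout decision for a connection with and without an end_session_endpoint, plus a defender-side tally of federated_logout_failed entries. The tenant domain, the two connections' discovery metadata, and the shape of the log entries are constructed for illustration; the /v2/logout endpoint with client_id and returnTo, and the id_token_hint and post_logout_redirect_uri parameters from OpenID Connect RP-Initiated Logout 1.0, are the standard names.

```javascript
// Added example (not Auth0 code): a model of the federated logout behaviour
// described above. Tenant domain, connection metadata and the tenant log
// shape are constructed for illustration.
const AUTH0_DOMAIN = 'example-tenant.auth0.example'; // constructed placeholder

// Constructed OIDC discovery metadata for two hypothetical upstream connections.
const CONNECTIONS = {
  'okta-corp': {
    issuer: 'https://corp.okta.example',
    end_session_endpoint: 'https://corp.okta.example/oauth2/v1/logout',
  },
  'partner-oidc': { issuer: 'https://login.partner.example' }, // no end_session_endpoint advertised
};

// Auth0's logout URL for an application; appending ?federated asks Auth0 to
// also end the upstream IdP session. The value-less flag is appended as-is.
function buildAuth0LogoutUrl(domain, clientId, returnTo, federated) {
  const url = new URL(`https://${domain}/v2/logout`);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('returnTo', returnTo);
  return federated ? `${url}&federated` : url.toString();
}

// What a federated logout can do on a given connection: either build the
// RP-initiated logout request to the IdP's end_session_endpoint, or, when the
// IdP advertises none, end only the Auth0 session and record the failure.
function planFederatedLogout(connectionName, idTokenHint, postLogoutRedirectUri) {
  const meta = CONNECTIONS[connectionName];
  if (!meta) throw new Error(`unknown connection ${connectionName}`);
  if (!meta.end_session_endpoint) {
    return {
      idpLogoutUrl: null,
      auth0SessionEnded: true,
      log: { type: 'federated_logout_failed', connection: connectionName, reason: 'no end_session_endpoint' },
    };
  }
  const url = new URL(meta.end_session_endpoint);
  url.searchParams.set('id_token_hint', idTokenHint);
  url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
  return { idpLogoutUrl: url.toString(), auth0SessionEnded: true, log: null };
}

// Defender-side check over (constructed) tenant log entries: connections whose
// federated logouts keep failing are the ones where IdP sessions linger.
function federatedLogoutFailuresByConnection(logEntries) {
  const counts = {};
  for (const entry of logEntries) {
    if (entry.type !== 'federated_logout_failed') continue;
    counts[entry.connection] = (counts[entry.connection] || 0) + 1;
  }
  return counts;
}

// Constructed sample log stream.
const SAMPLE_LOGS = [
  { type: 'federated_logout_failed', connection: 'partner-oidc', reason: 'no end_session_endpoint' },
  { type: 'logout', connection: 'okta-corp' },
  { type: 'federated_logout_failed', connection: 'partner-oidc', reason: 'no end_session_endpoint' },
];
```

A connection that shows up repeatedly in the failure tally is one whose IdP metadata lacks an end_session_endpoint, so its users' IdP sessions survive logout and the silent re-authentication gap the release closes is still open there.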

With federated logout:

  • Auth0 takes the burden off customers by handling IdP session termination
  • Customers simply indicate if the IdP session should be ended when the Auth0 logout endpoint is reached — no extra setup needed for compliant IdPs
  • Employers and employees have peace of mind that their data is not accessible when they logout from their applications

This feature is available on all plans that include enterprise connections. Read the documentation to learn more.

added

Secure Canonical Domains with New Tenant ACL Signals

We have enhanced Tenant Access Control Lists (ACLs) to provide granular control over upstream proxy infrastructure and canonical domain routing.

With this update, you can now isolate traffic by enforcing distinct rules on your canonical hostnames while keeping your user-facing custom domains open.

What's New?
  • Canonical Hostname Routing
    • Match access rules directly against your canonical hostnames. This allows you to lock down backend default domains while keeping customer-facing custom domains open and accessible to your users.
  • Connecting IP Verification
    • Define precise allowed IPv4 and IPv6 CIDR blocks for the infrastructure (such as reverse proxies or content delivery networks) connecting directly to the Auth0 edge.
  • Expanded Attribute Quotas
    • The limit for Tenant ACL attributes has been increased from 10 to 20 per signal, giving you the additional flexibility needed to scale complex, multi-domain configurations seamlessly.
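The two new signals listed above, as an added example that is not Auth0's code and not the Tenant ACL API schema: a small rule evaluator that matches requests on canonical hostname and on connecting IP against IPv4 and IPv6 CIDR blocks, and rejects rule sets that exceed the 20-attributes-per-signal quota. Rule shape, request shape, hostnames, addresses and the allow-by-default fallback are all constructed for illustration.

```javascript
// Added example (not Auth0 code): an evaluator for the canonical hostname and
// connecting IP signals. Rule and request shapes are constructed, not the
// Auth0 API schema; the per-signal quota from the release notes is enforced.
const MAX_ATTRIBUTES_PER_SIGNAL = 20;

// Parse an IPv4 or IPv6 address into a BigInt plus its bit width.
// (Dotted-quad IPv6 tails such as ::ffff:1.2.3.4 are not supported here.)
function ipToBigInt(ip) {
  if (ip.includes(':')) {
    const [head, tail] = ip.split('::');
    const groups = (s) => (s ? s.split(':') : []);
    let parts;
    if (tail === undefined) {
      parts = groups(head);
    } else {
      const missing = 8 - groups(head).length - groups(tail).length;
      if (missing < 1) throw new Error(`bad IPv6 address ${ip}`);
      parts = [...groups(head), ...Array(missing).fill('0'), ...groups(tail)];
    }
    if (parts.length !== 8) throw new Error(`bad IPv6 address ${ip}`);
    return { value: parts.reduce((acc, g) => (acc << 16n) + BigInt(`0x${g}`), 0n), bits: 128 };
  }
  const octets = ip.split('.').map(Number);
  if (octets.length !== 4 || octets.some((o) => !Number.isInteger(o) || o < 0 || o > 255)) {
    throw new Error(`bad IPv4 address ${ip}`);
  }
  return { value: octets.reduce((acc, o) => (acc << 8n) + BigInt(o), 0n), bits: 32 };
}

// Does the CIDR block contain the address? A v4 block never matches a v6
// address and vice versa.
function cidrContains(cidr, ip) {
  const [base, prefixStr] = cidr.split('/');
  const b = ipToBigInt(base);
  const a = ipToBigInt(ip);
  if (b.bits !== a.bits) return false;
  const prefix = prefixStr === undefined ? b.bits : Number(prefixStr);
  const allOnes = (1n << BigInt(b.bits)) - 1n;
  const mask = prefix === 0 ? 0n : allOnes ^ ((1n << BigInt(b.bits - prefix)) - 1n);
  return (a.value & mask) === (b.value & mask);
}

// Load rules, rejecting any signal that exceeds the attribute quota.
function loadRules(rules) {
  for (const r of rules) {
    for (const [signal, values] of Object.entries(r.match)) {
      if (values.length > MAX_ATTRIBUTES_PER_SIGNAL) {
        throw new Error(`rule ${r.name}: ${signal} has ${values.length} attributes (limit ${MAX_ATTRIBUTES_PER_SIGNAL})`);
      }
    }
  }
  return rules;
}

// First-match evaluation: a rule applies when every signal it lists matches.
// Requests matching no rule are allowed (a constructed default for the demo).
function evaluate(rules, request) {
  for (const r of rules) {
    const hostOk = !r.match.canonical_hostname || r.match.canonical_hostname.includes(request.canonicalHostname);
    const ipOk = !r.match.connecting_ip || r.match.connecting_ip.some((c) => cidrContains(c, request.connectingIp));
    if (hostOk && ipOk) return { action: r.action, rule: r.name };
  }
  return { action: 'allow', rule: null };
}

// Constructed rule set: the canonical hostname may only be reached through the
// reverse proxy / CDN ranges; anything else hitting it directly is blocked,
// while the customer-facing custom domain matches no rule and stays open.
const RULES = loadRules([
  {
    name: 'canonical-only-from-proxy',
    action: 'allow',
    match: { canonical_hostname: ['example-tenant.auth0.example'], connecting_ip: ['203.0.113.0/24', '2001:db8:10::/48'] },
  },
  { name: 'block-direct-canonical', action: 'block', match: { canonical_hostname: ['example-tenant.auth0.example'] } },
]);
```

Ordering matters in a first-match evaluator: the narrow allow for the proxy ranges has to precede the broad block on the same hostname, otherwise the proxy's own traffic is cut off.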

Resources

To learn more about Tenant ACLs, click here

added

Suspicious IP Throttling for Custom Token Exchange

We have introduced a Dashboard configuration interface for Suspicious IP Throttling, specifically for Custom Token Exchange. This update allows administrators to easily set thresholds to throttle high-velocity traffic from suspicious IP addresses during the token exchange process.

Learn more about Custom Token Exchange attack protection here

updated

Non-Unique Emails is Now Generally Available

Non-Unique Emails is now Generally Available (GA) for all Auth0 customers. This feature allows multiple user accounts to share the same email address within a database connection, supporting real-world use cases like families, small businesses, and multi-role users who need separate accounts tied to the same email.

Key Details:

  • Available on new database connections only (cannot be enabled on existing connections).
  • Requires a different primary identifier (username or phone number) to uniquely distinguish users.
  • All email communications (verification, password reset, etc.) are still sent to the shared email address.
  • Once enabled on a connection, the non-unique email setting is permanent.

Documentation: Non-Unique Emails

added

Secure your Account API with ACR EA

Auth0's ACR EA release empowers you to secure Account API token issuance by enforcing step-up authentication for sensitive scopes. Whether your users are managing their authentication factors via Universal Login or Embedded flows, you can now gate access through Actions-driven policies or enable a secure-by-default toggle. This ensures stronger security for self-service account management while maintaining a seamless experience for low-risk actions. Learn more: API Settings Auth0 Docs, My Account API Docs.

added

Online Refresh Tokens is now in Beta

We are excited to announce that our new feature, Online refresh tokens, is now available to all customers in Beta. This feature is designed to simplify token management and modernize your application architecture, especially for Single Page Applications (SPAs). It lets you bind refresh tokens to the sessions they originated from, which provides seamless and consistent continuation of a session when cookies are affected by browser vendor behaviour across different applications.

What's in the Beta

✨ New configuration options

  • Configure specific audiences to provide Online refresh tokens - online refresh tokens configuration is now available under the API > settings page

🔒 Applications Integration

  • New scope — Request the new online_access scope to receive your online refresh tokens, which will be bound to the session
  • Refresh tokens normally — Online refresh tokens will continue your application access while the session exists
  • Revoke a session, revoke its refresh tokens — Once the session is revoked, all its online refresh tokens become invalid, too

🚀 Availability

  • Because the lifecycle of an online refresh token is tied entirely to its underlying session, online refresh tokens can be issued only in OIDC flows that both create a valid session and can return refresh tokens
  • Following OIDC standards, implicit flows that create a session but must not return a refresh token will not provide online refresh tokens either

Documentation Links

Online refresh tokens documentation

Join the beta!

If you're interested in joining the online refresh token beta program, please send a request through the Auth0 Support Center or contact your Technical Account Manager (TAM) or Auth0 Sales Executive to help you out with the process.

added

Resend Email Provider is now Generally Available

We're excited to announce that Resend is now Generally Available as an out-of-the-box email delivery provider in Auth0!

With this release, you can now configure Resend as your email delivery provider with built-in configuration directly within Auth0. Resend offers a modern, developer-friendly approach to transactional email with excellent deliverability and a clean API.

Check out our documentation for detailed setup instructions.

Have questions or suggestions? Reach out to us in our community channel and we'd love to hear how Resend is working for you!

This feature is available on all Auth0 plans.

added

Auth for MCP is now Generally Available

We are excited to announce Auth for MCP is now Generally Available.

Auth for MCP gives you a straightforward way to add authentication and authorization to any MCP server, so you control exactly who gets access, and what they get access to. Implement authentication, CIMD registration, and OBO token exchange for AI agents.

Auth for MCP is a product capability that uses the combination of the following features:

Client ID Metadata (CIMD) Registration (GA)

For MCP clients to connect to MCP servers, they need to identify themselves. But how does a server trust a new client it's never seen? The MCP spec solves this by recommending the use of CIMD: each client hosts a document containing its metadata at a URL that identifies the client. In Auth0, tenant admins provide that URL, and Auth0 fetches the metadata, validates it, and displays it for confirmation before creating the client. You get control over which clients can access your MCP server, ensuring no surprise registrations.

On-Behalf-Of Token Exchange (GA)

After a user's agent authenticates with an MCP server and issues a request, it needs to call another API like a Salesforce instance or HR system to finish the job. The question is: how does that second API know the request is legitimate and who it's actually for? On-Behalf-Of Token Exchange lets MCP servers trade the user’s access token for one that works with the downstream API, scoped correctly and still tied to the original user. No shared secrets, no service accounts with too much power. And full auditing and visibility into every action.

Resource Parameter Compatibility Mode (GA)

The MCP spec uses "resource" identifiers to indicate which server an agent wants to talk to, rather than the "audience" parameter that OAuth has traditionally used. Auth0 now supports this natively, allowing MCP implementations to stay spec-compliant without workarounds or translation layers.

Enhanced Security Controls for Third-Party Applications (GA)

As you open your APIs to AI agents, partners, and developer ecosystems, third-party applications need to be secure by default. The recently shipped Enhanced Security Controls gives third-party apps a production-ready, secure-by-default posture, with the control you need over what external applications can access.

Documentation Links

Fix for Empty login_hint Parameter on External Identity Providers Requests

What's Changing:

We are fixing an issue where Auth0 was including an empty login_hint query parameter when redirecting users to external identity providers. Going forward, login_hint will only be included in the authorization request when a value is actually present.

Why This Matters: Some external OAuth providers strictly validate request parameters and reject authorization requests that contain empty parameter values. This caused authentication failures for customers whose upstream identity providers do not tolerate empty login_hint values — particularly in scenarios where customers do not control the external IdP and cannot modify its validation behavior.

Rollout Timing: This fix will be rolled out progressively over the next 1–2 weeks.

Action Required: No action is required from customers. If you previously implemented a workaround by overriding connection parameters to suppress the empty login_hint, you may optionally remove that override after confirming the fix is active in your environment.

added

"CMD+K" available now on Auth0 Dashboard

We're excited to announce the new CMD+K Command Palette functionality is now available to all users in the Auth0 dashboard. Get instant access to navigation, quick actions and recently visited pages all from a single keyboard shortcut.

What’s new:

  • Globally available: Always accessible from any page by entering CMD+K.
  • Quick navigation: Jump to any page, feature, or setting without leaving the keyboard.
  • Recently visited: Have your last 3 visited pages available at the top.
  • Action shortcuts: Execute common tasks directly from the palette.
  • Contextual actions: Get tasks specific to pages right in CMD+K.

To keep improving this experience, we’ll be continuously adding more contextual actions and capabilities to the CMD+K Command Palette.

Support for Private Key JWT assertions and additional signing algorithms on Okta and OIDC enterprise connections

Private Key JWT assertions and expanded signing algorithm support are now generally available across Enterprise Okta and OIDC Connections.

Private Key JWT assertions deliver enterprise-grade security by leveraging asymmetric cryptography to authenticate against your upstream Okta and OIDC identity providers. You now have full control over which signing algorithms Auth0 uses when generating client assertion JWTs - giving you the flexibility to align with your security standards and existing infrastructure.

We've also expanded ID token verification on enterprise connections to support additional signing algorithms: RS384, RS512, PS256, PS384, ES256, and ES384. This means fewer integration headaches when connecting to upstream identity providers and greater compatibility across your authentication flows.

These capabilities put you in the driver's seat: choose the cryptographic methods that work best for your environment, eliminate integration blockers, and stay ahead of evolving security standards.

Please refer to the product documentation.

Auth0 Event Streams for Outbound User Lifecycle Management – Now in General Availability

Event Streams is now available to all customers in General Availability.

Customers can:

  • Subscribe to Auth0 User, Organizations, and Groups (Early Access Limited Release) Events
  • Deliver Events to AWS EventBridge, Auth0 Actions, and Webhooks (including to Okta Workflows via Custom Header Auth)
  • Consume events via the Events API

See the Auth0 Docs and Event Catalog for further instructions.

added

Auth0 FGA Permissions Index Is Now in Developer Preview

What is a Permissions Index?

In relationship-based access control like FGA, checking for permissions requires traversing a complex graph of relationships to find a valid path between a user and an object. The FGA Permissions Index anticipates this time-consuming traversal by pre-calculating every possible permission path and storing them as direct, user-to-object relationships. Whenever an indexed relationship is added or revoked in FGA, an incremental compute engine cleverly remembers which parts of the graph are affected, quickly ‘flattens’ those relationships, and enables a simple, efficient lookup at query time, no real-time graph traversal necessary.

This makes it easier to power traditionally difficult authorization use cases such as enterprise search and AI retrieval (like RAG) over large datasets without repeatedly traversing the authorization graph every time.
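The idea described in the two paragraphs above, as an added example that is not Auth0 FGA's code: a toy relationship graph (direct tuples, group usersets, and documents inheriting from a parent folder) whose permissions are flattened into a precomputed user-to-object index, recomputed only for the objects a changed tuple affects, so that "can this user view this doc?" and "which docs can this user view?" become plain lookups. The authorization model, tuples, and names are all constructed for illustration.

```javascript
// Added example (not Auth0 FGA code): a toy relationship graph with a
// precomputed permissions index. Model, tuples and names are constructed.

// Constructed model: viewer is implied by editor on any object; a doc's viewer
// and editor relations inherit from its parent folder; "group:x#member"
// usersets grant a relation to every member of the group.
const RELATIONS = ['viewer', 'editor', 'member'];
const IMPLIED_BY = { viewer: ['editor'] };
const INHERIT_FROM_PARENT = { doc: ['viewer', 'editor'] };

class PermissionsIndex {
  constructor() { this.tuples = []; this.index = new Map(); }
  static key(t) { return `${t.user}#${t.relation}@${t.object}`; }
  hasTuple(user, relation, object) {
    return this.tuples.some((t) => t.user === user && t.relation === relation && t.object === object);
  }

  // Graph traversal: is there a path granting `relation` on `object` to `user`?
  // `seen` guards against cycles; a revisited node has already failed or is in progress.
  check(user, relation, object, seen = new Set()) {
    const k = PermissionsIndex.key({ user, relation, object });
    if (seen.has(k)) return false;
    seen.add(k);
    if (this.hasTuple(user, relation, object)) return true;
    for (const stronger of IMPLIED_BY[relation] || []) {
      if (this.check(user, stronger, object, seen)) return true;
    }
    const type = object.split(':')[0];
    for (const t of this.tuples) {
      if (t.object !== object) continue;
      if (t.relation === relation && t.user.includes('#')) {       // userset grant
        const [groupObj, groupRel] = t.user.split('#');
        if (this.check(user, groupRel, groupObj, seen)) return true;
      }
      if (t.relation === 'parent' && (INHERIT_FROM_PARENT[type] || []).includes(relation)) {
        if (this.check(user, relation, t.user, seen)) return true;  // inherit from parent
      }
    }
    return false;
  }

  users() { return [...new Set(this.tuples.map((t) => t.user).filter((u) => u.startsWith('user:')))]; }

  // Flatten: store the precomputed answer for every (object, user, relation).
  rebuild(objects) {
    for (const object of objects) {
      const entry = new Map();
      for (const user of this.users()) {
        const granted = RELATIONS.filter((r) => this.check(user, r, object));
        if (granted.length) entry.set(user, granted);
      }
      this.index.set(object, entry);
    }
    return [...objects].sort();
  }

  // Objects whose flattened entries depend on `object`: itself, everything that
  // lists it as a parent, and everything granted through its usersets, transitively.
  affectedBy(object) {
    const out = new Set([object]);
    const queue = [object];
    while (queue.length) {
      const o = queue.shift();
      for (const t of this.tuples) {
        if ((t.user === o || t.user.split('#')[0] === o) && !out.has(t.object)) {
          out.add(t.object);
          queue.push(t.object);
        }
      }
    }
    return out;
  }

  // Incremental maintenance: a write or delete recomputes only the affected objects.
  write(t) {
    if (!this.hasTuple(t.user, t.relation, t.object)) this.tuples.push(t);
    return this.rebuild(this.affectedBy(t.object));
  }
  delete(t) {
    this.tuples = this.tuples.filter((x) => PermissionsIndex.key(x) !== PermissionsIndex.key(t));
    return this.rebuild(this.affectedBy(t.object));
  }

  // Query time: direct lookups, no traversal.
  lookup(user, relation, object) {
    const entry = this.index.get(object);
    return Boolean(entry && (entry.get(user) || []).includes(relation));
  }
  listObjects(user, relation) {   // the enterprise-search / RAG pre-filter question
    return [...this.index].filter(([, e]) => (e.get(user) || []).includes(relation)).map(([o]) => o).sort();
  }
}

// Constructed sample: anne edits the eng folder, bob views it through a group,
// the roadmap doc lives in that folder, carol views an unrelated doc.
function buildSample() {
  const idx = new PermissionsIndex();
  idx.write({ user: 'user:anne', relation: 'editor', object: 'folder:eng' });
  idx.write({ user: 'user:bob', relation: 'member', object: 'group:eng' });
  idx.write({ user: 'group:eng#member', relation: 'viewer', object: 'folder:eng' });
  idx.write({ user: 'folder:eng', relation: 'parent', object: 'doc:roadmap' });
  idx.write({ user: 'user:carol', relation: 'viewer', object: 'doc:other' });
  return idx;
}
```

Removing bob from the group recomputes exactly three entries (the group, the folder that grants through it, and the doc under that folder) and leaves carol's unrelated doc untouched; that bounded recomputation is what makes the index cheap to keep current.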

The Developer Preview of FGA Permissions Index is available to any existing FGA enterprise customer. Get started today!

Learn more:

FGA Colocated Permissions Index

Enhanced Security Controls for Third-Party Applications is now Generally Available

We're excited to announce that Enhanced Security Controls for Third-Party Applications is now Generally Available for all Auth0 customers.

As you open your APIs to AI agents, customers, partners, and external developers, you need strong security defaults for third-party applications. Enhanced security controls give third-party applications a secure-by-default posture, so Auth0 does the heavy lifting, and you stay in control of what external applications can access.

What's included:

  • Strict security mode for third-party applications (third_party_security_mode: 'strict')
  • OAuth 2.1 alignment: mandatory PKCE, restricted grant types
  • Explicit API authorization: third-party applications always require a client grant to access an API
  • Default permissions for third-party applications: configure default API permissions that apply automatically to all third-party applications, including those created via Dynamic Client Registration
  • Open redirect protection: configurable redirection_policy to prevent redirect-based attacks
  • Reduced attack surface: curated property allowlist and feature restrictions

For existing customers using third-party applications: Your existing applications continue to work exactly as they do today — no changes required. A 6-month migration window gives you time to adopt enhanced security controls for new application creation. Review the migration guide for detailed steps.

To learn more, visit the Third-Party Applications documentation.

Self-Service Provisioning now in General Availability!

We’re thrilled to announce that the Self-Service Provisioning experience is now in General Availability! Empower your customers' IT teams to handle user onboarding and offboarding themselves, which means less manual work and fewer support tickets for your team.

Key Advantages at a Glance

  • Automation: Allow your customer's admins to manage their own SCIM setup.
  • Interoperability: Ensure seamless integration with a wide variety of customer IdPs.
  • Consistency: Use a single, unified schema for easier support and debugging.
  • Flexibility: Retain the ability to override attribute mappings for specific protocols if needed.

To dive deeper, please review our updated documentation on Self-Service Enterprise Configuration.

Self-Service Domain Verification now in General Availability!

We're excited to announce that Self-Service Domain Verification is now in General Availability! Allow your customers' IT admins to verify their own email domains for HRD directly within the SSO setup assistant — no back-and-forth with your team required.

Key Advantages at a Glance:

  • Proven ownership: IT admins verify domains via DNS TXT record.
  • Flexible requirements: Configure domain verification as off, optional, or required — per customer engagement.
  • Domain management: IT admins can now add, re-verify, and delete domains entirely through self-service.
  • Enterprise-ready controls: Pre-configure domains for your customers to verify, or pre-verify domains on their behalf — with verified domains automatically powering Organization Discovery when enabled.

To dive deeper, please review our updated documentation on Self-Service Enterprise Configuration.

Organization Discovery by Domain now in General Availability!

We're thrilled to announce that Organization Discovery by Domain is now in General Availability! Automatically identify your customers' users and route them to the right identity provider based on their email domain — before they even reach the login screen.

Key Advantages at a Glance:

  • Automatic routing: Direct users to their organization's IdP the moment they enter their email — no manual org selection required.
  • Multi-org support: When a single domain maps to multiple organizations, an org picker ensures users land in the right place.
  • Seamless B2B login: Eliminate the friction of Home Realm Discovery by adding full organization context to the pre-login flow.
  • Flexible configuration: Support email-based, org-name-based, or combined discovery to match your customers' login requirements.

To dive deeper, please review our documentation here.

New Identity, Same Great Features: Self-Service SSO is now Self-Service Enterprise Configuration

The new name better reflects the full scope of the suite, which includes:

  • Single Sign-On (SSO): Allow enterprise customers to configure and maintain SSO for their applications.
  • Domain Verification: Self-managed domain verification and mapping for IT admins.
  • Google Directory Sync: Keep user attributes synchronized across systems.
  • User Provisioning: Automate the user lifecycle through SCIM 2.0.

No functional changes — everything works the same. For full details, see the Self-Service Enterprise Configuration documentation.

added

Auth0 Private Cloud Now Available on Azure in Japan

Auth0 Private Cloud is now supported in the Azure Japan East (Tokyo) region!

Japan already has Auth0 coverage through AWS Private Cloud and our Public Cloud environment, and this addition brings Azure into the mix for the first time. Organizations can now deploy Auth0 Private Cloud in-country on Azure, giving them a dedicated identity infrastructure with the latency and data residency benefits of a local deployment.

This expansion reflects our ongoing commitment to meeting customers where they are — on the cloud platform and in the geography that works best for them.

updated

Deploy CLI Dry Run is now GA

We're excited to announce that Dry Run on Auth0 Deploy CLI is now Generally Available — giving developers full visibility into tenant changes before they're applied.

Key Benefits:

  • Preview changes before they hit your tenant. Run a0deploy import --dry-run to see exactly what resources will be created, updated, or deleted — then exit safely. No changes applied, no surprises in production.
  • CI/CD-native by default. Dry Run is now non-interactive out of the box, so it works in GitHub Actions, Jenkins, and any headless pipeline. Use --dry-run --apply to show the plan and deploy without prompting — full visibility, zero manual intervention.
  • Flexible review modes. Need manual control? --dry-run --interactive gives you the review menu to apply, export to JSON, or exit. Choose the workflow that fits: automated gates in CI, manual review locally.

What's new in GA (beyond EA):

  • --dry-run is now non-interactive by default (was interactive-only in EA)
  • --dry-run --apply: preview then deploy without prompting — built for CI pipelines
  • --dry-run --interactive: opt into the EA interactive menu when you want it
  • Backward-compatible Node module API (AUTH0_DRY_RUN: true still works)

Getting Started:

added

Actions - TypeScript Definitions in Github

We are excited to announce the Actions TypeScript definitions are now available on GitHub and npm.

These resources provide the official Actions TypeScript definitions, helping developers and AI agents write better code when building Actions outside of the Management Dashboard's editor.

To learn more, check out the Actions NPM Docs and the Actions Unit Test Docs.

deprecated

Mobile Driver’s License Verification Service Early Access

After May 11, 2026, Auth0 is ending the Free Trial for the Mobile Driver’s License (mDL) Verification Service Early Access and will remove access to the mDL Verification Service for tenants that enrolled in Early Access.

While we are not planning to move forward with mDL Verification Service capabilities as part of the Auth0 product, if you are still interested in capabilities related to verifiable digital credentials (VDCs) and want to learn how Okta is shaping the future with VDCs, visit oktacredentials.dev or read about the Okta Digital ID Verification Beta. To join the Beta and get involved, fill out this short form or email the team directly at [email protected].

added

Google Workspace Directory Sync for Groups - Expanded Early Access (EA)

We are excited to announce the next phase of our Google Workspace Directory Sync for Groups Early Access!

Building on our initial Early Access release, this update introduces Partial Group Sync, giving you exact control over which Enterprise Groups to import from your Google Workspace Directory into Auth0.

What's new:

  • Targeted Group Sync: Instead of syncing your entire directory, you can now choose to synchronize only a specific subset of your Google Workspace groups. Easily manage your selected groups through either the Management Dashboard or Management API.

How to join Early Access: To join the EA program, please complete the EA Terms & Conditions form and contact your Auth0 Account Team to request activation and supporting documentation.

Delegated Administration Extension

v4.8.1 — Custom Domain Hook

Added support for a new Custom Domain Hook in the Delegated Administration Extension. This hook allows you to customize behavior when Multiple Custom Domains are in use.

v4.8.3 — Compatibility fix for deprecation of enabled_clients on connections

The extension has been updated to remove its dependency on the deprecated enabled_clients field on connections. If your tenant uses the Delegated Administration Extension, you may have been seeing deprecation warning errors in your tenant logs. This release resolves that.

Action recommended before July 15: Auth0 is deprecating legacy management of a connection's enabled clients. See the deprecation notice for full details. Updating to v4.8.3 ensures the extension is compatible with this change.

Upgrading

Not on v4.8.x: Manually update the extension in your Auth0 tenant by navigating to Extensions → Installed Extensions, locating the Delegated Administration Extension, and clicking Update.

Already on v4.8.x: No action required — the patch has been automatically applied.

updated

Multi-Resource Refresh Tokens (MRRT) is now Generally Available

Following the successful Early Access period that began on August 11, 2025, we are excited to announce that MRRT is now available to all customers with full production support. This is a powerful enhancement that simplifies token management and modernizes app architecture across both native and web platforms.

What's New in GA

✨ Auth0 Dashboard Support

  • Configure MRRT policies directly in the Dashboard — No more Management API-only configuration
  • Visual refresh token policy editor — Easily add, remove, and modify audience/scope policies for your applications
  • Application settings integration — MRRT configuration is now available under the Application > Settings page

🔒 Enhanced Security with Client Grants Integration

  • Client Grants enforcement — MRRT now respects Client Grants restrictions, ensuring applications can only request access tokens for APIs they are authorized to access
  • Improved validation — Better error messages when attempting to configure unauthorized audience/scope combinations

🐛 Bug Fixes and Improvements (based on EA feedback)

  • Fixed: Token exchange now properly validates scopes against both MRRT policy and Resource Server definitions
  • Fixed: Improved error handling when requesting access tokens for deleted or modified Resource Servers
  • Fixed: org_id claim is now correctly preserved in access tokens when using MRRT with Organizations
  • Fixed: Refresh token rotation works correctly when exchanging tokens for different audiences
  • Improved: Better logging in tenant logs (type: sertft) for MRRT token exchanges
  • Improved: More descriptive error messages for unauthorized audience requests

📦 SDK Updates

  • iOS SDK (Auth0.swift) — Full GA support
  • Android SDK (Auth0.Android) — Full GA support

🛠️ Developer Tooling

  • Auth0 CLI — Full support for configuring MRRT policies
  • Terraform Provider — Complete resource configuration for refresh token policies
  • Auth0 Deploy CLI — Full support for managing MRRT configurations in deployment pipelines

Documentation Links

Early Access availability of DPoP sender constraining for Enterprise Connections

Demonstrating Proof of Possession (DPoP) sender constraining for Enterprise Connections is now available in Early Access. Customers can now establish Okta and OIDC Enterprise Connections with DPoP enabled on those connections. This is available on all plans with Enterprise Connections.

DPoP for Enterprise Connections enables Auth0 to generate DPoP proofs when performing token exchange and calling userinfo endpoints on upstream OIDC and/or Okta connections. DPoP is a core building block of FAPI2 and IPSIE (Identity Proofing and Secure Identity Exchange) ecosystems. It provides a lightweight, standards-based way to enforce proof-of-possession (of a private key) without the operational overhead of mTLS token binding.

Please see product documentation for details.

added

My Organization API and Embeddable UI Components - Organization Details and IdP Management in Early Access!

We are excited to announce the Early Access (EA) release of the My Organization API and a library of Embeddable UI Components for Organization Detail and Identity Provider Management. Every B2B product needs an admin console for customers to manage their own members and security. This new feature set empowers B2B SaaS developers to deliver a robust self-service experience for admins in a matter of days, not months.

The My Organization API removes the need to build complex interfaces from scratch. With a secure governance layer that integrates seamlessly with your application, developers can easily deliver sophisticated, branded admin portals that meet the needs of even the largest customers without extra operational overhead.

Key Highlights:

My Organization System API: A purpose-built API designed for secure, scalable delegated administration, allowing customers to manage organization details and identity providers directly.

Embeddable UI Components: A library of white-label building blocks that can be dropped into any application to provide instant self-service management for SSO, domains, and members.

Security-First Primitives: Built-in support for cryptographically bound tokens via DPoP and automatic step-up authentication that triggers inline MFA for privileged actions.

Intelligent Onboarding: A new Dashboard-based onboarding wizard that simplifies configuration with safe defaults, automated entity setup, and a test environment.

B2B Observability and Governance: Enhanced tenant logs and per-organization rate limiting ensure full visibility into administrative actions while protecting tenant stability.

Interactive Developer Tools: A modernized API Explorer and extensive SDK support across multiple languages allow developers to integrate and test administrative activity at scale.

Why This Matters:

This release moves beyond simple API access to a unified governance layer for human and machine identity. Modern primitives like automatic least privilege ensure administrative sessions are always secure and context-aware. The result? Enterprise buyers can now get the granular access levels and organization-specific rate limits they expect, without you having to build custom backend middleware.

This feature is available for all tenants. To begin, navigate to the Applications > APIs section of your Dashboard to activate the My Organization API.

To learn more, read the My Organization API documentation and if you have any feedback, give us a shout in our community channel!

added

Akamai Supplemental Signals is Now GA

Auth0 Akamai Supplemental Signals is now GA and available across the full authentication lifecycle.

This update allows developers to ingest risk scores and edge intelligence from Akamai Bot Manager and Account Protector into several new Action triggers: Pre-User Registration, Post-User Registration, Post-Challenge, and Post-Change Password.

By integrating these signals directly into the Auth0 pipeline, organizations can stop automated bot signups before an account is created and enforce real-time security logic during critical events like password resets or MFA challenges.

To learn more about Akamai Supplemental Signals and how to set it up, review our online documentation here.

Universal Login — "Forgot Password" CTA updated to "Reset Password"

The call to action for the Universal Login forgot password flow has been updated from "Forgot Password" to "Reset Password." This aligns all Universal Login CTAs to be action-oriented. The updated text is available across all languages supported by Auth0. Customers who want to keep the original "Forgot Password" text can restore it via language customization at Branding > Universal Login > Edit text and translations.

Learn more: https://auth0.com/docs/customize/login-pages/universal-login/customize-text-elements

added

Express Submission to the Okta Integration Network

Auth0 developers leveraging Express Configuration with Okta now have a more streamlined process for submitting their application to the Okta Integration Network.

The Okta Integration Network (OIN) Wizard has been updated with a new section for Auth0 developers that automatically populates the required configuration fields for OpenID Connect (OIDC), System for Cross-domain Identity Management (SCIM), and Global Token Revocation (GTR) integrations, based on information sourced from the Auth0 Dashboard.

To learn more about Express Configuration with Okta and the Okta Integration Network (OIN), click here.

Multiple Custom Domains General Availability

We’re excited to announce that Multiple Custom Domains (MCD) is now Generally Available.

With Multiple Custom Domains, Enterprise customers can support multiple branded login experiences from a single Auth0 tenant. This helps you deliver more tailored authentication experiences across consumer applications, multi-brand businesses, and B2B SaaS use cases.

MCD GA includes support for:

  • Configuring custom domains at scale within a single tenant
  • A default domain for streamlined development and testing
  • Passkey enrollment on custom domains
  • B2B SaaS Self-Service SSO customizations
  • Custom domain metadata in Advanced Customizations for Universal Login (ACUL)
  • Support across Management SDKs, Authentication SDKs, and Forms

Visit Auth0 docs to get started.

added

Introducing the Developer Preview Release Stage

We are excited to introduce Developer Preview, a new product release stage designed to get upcoming capabilities into your hands faster!

Developer Preview serves as a new release phase for new Auth0 product introductions. We utilize this stage when a new product capability will eventually be a paid feature, but we want to grant you access before the official pricing is applied.

Key Highlights:

  • Free Production Access: You can use Developer Preview features in your production environments for free during the preview period.
  • Clear Expectations: Participating in a Developer Preview provides a clear signal that the feature will include a paid component once it reaches General Availability (GA).
  • Help Shape the Product: Getting these features to you early allows us to collect valuable feedback to iterate on prior to the GA launch.

To participate in an active Developer Preview, you will simply need to sign up and accept the specific opt-in requirements for that feature.

To learn more about how Developer Preview fits into our overall release process, visit our updated Product Release Stages documentation.

Customize Signup and Login Prompts: Dashboard UI, Passkey Support, and Custom Database Access

You can now manage custom authentication screen partials directly in the Auth0 dashboard with a purpose-built visual editor. Instead of encoding HTML as strings and sending them through the API, you get a proper code editor with syntax highlighting and live feedback.

Custom Prompts Dashboard UI

The editor includes supporting tools:

  • Code snippet library: pre-built snippets for common use cases like first and last name, phone number, terms of service checkboxes, and more, ready to insert with a click
  • Template variable reference: a clickable list of all context variables available in the partial, for quick insertion without leaving the editor
  • Actions shortcut: open Actions in a new window directly from the editor
  • Interactive preview: click into entry points to edit HTML inline, see visually which entry point each element belongs to, and toggle entry point wrappers off to preview what the prompt looks like in the login flow

This update also expands what's possible with partials:

  • Passkey screens: customize passkey authentication screens anywhere they appear in your flow; data capture is supported in the signup flow
  • Custom database connections: data captured from partials is now surfaced in custom database connection scripts

Head over to the Auth0 Docs to learn more.

updated

Session ID Rotation for SAML and WS-Fed Authentication

What's new:

We've updated session handling in SAML-P and WS-Fed authentication flows to align with industry best practices and our existing OAuth2/OIDC behavior. Following a successful login via SAML-P or WS-Fed, the session ID will now be rotated and a new session cookie will be issued.

What this means for you:

If your implementation includes client-side logic, downstream services, or integrations that read or store session IDs across SAML-P or WS-Fed login flows, you will now receive a new session ID after authentication completes. Please review and update any such implementations accordingly.

This change brings SAML-P and WS-Fed session handling in line with the existing behavior of OAuth2 and OIDC flows, ensuring consistent and secure session management across all authentication protocols.

added

Introducing the New Spring Boot API SDK

We are excited to announce the release of auth0-springboot-api, a new official SDK designed to streamline authentication and security for Spring Boot backend applications.

Key Benefits:

  • Supports Spring Boot 3.2+ (Java 17+) and is built for the modern filter-chain pattern. Developers can secure an API by injecting Auth0AuthenticationFilter into their SecurityFilterChain — just configure auth0.domain and auth0.audience in application.yml and go.
  • Abstracts the complexity of JWT validation. Developers no longer need to write fragile boilerplate code to check Audiences or Issuers. The SDK handles JWKS fetching, token validation, and scope-to-authority mapping (SCOPE_ prefix) out of the box.
  • Supports DPoP with flexible enforcement modes (Allowed, Required, Disabled). Enterprise customers can enforce proof-of-possession token security per RFC 9449 with a single config property — no controller changes needed.

Getting Started:

added

Google Workspace Directory Sync for Groups - Now in Early Access

We’re excited to announce that Google Workspace Directory Sync for Groups is now available in Early Access (EA)!

This enhancement enables the automatic and reliable sync of group structures and memberships from Google Workspace directly into Auth0 Enterprise Groups.

Key Highlights:

  • Automated group synchronization: Continuously mirror your Google Workspace groups into Auth0 to ensure your roles and access permissions remain accurate and up to date without manual intervention or relying on login events.
  • Streamlined "Sync All" functionality: Enable groups synchronization for your entire Google Workspace Enterprise Connection through either the Management Dashboard or Management API in one step.
  • View groups in Auth0: Groups provisioned using Google Workspace Directory Sync for Groups can be viewed in the Management Dashboard under Enterprise Groups, or retrieved through the Management API.
  • Sync groups from Auth0 to external systems: Users and groups provisioned inbound to Auth0 can be synchronized outbound to external systems using Auth0’s Event streams feature.
  • Use groups in the Post-Login Action: Use group information pushed from Enterprise identity providers in your Auth0 post-login actions to make access control and authorization decisions in Auth0.

To join the EA program, please complete the EA Terms & Conditions form and contact your Auth0 Account Team to request activation and supporting documentation.

Sender constrained tokens using DPoP is now Generally Available on Enterprise plans.

Support for sender constraining tokens using Demonstrating Proof of Possession (DPoP) is now generally available on Enterprise plans.

Demonstrating Proof of Possession (DPoP) as defined in RFC9449, is an application level mechanism for binding tokens issued by Auth0 to the client application that requested that token. This is implemented using asymmetric key cryptography and with keys that are generated and managed by the client application - no public key infrastructure (PKI) is required.

Sender constraining tokens in this way using DPoP helps to:

  • enhance security by mitigating against token theft and misuse by unauthorised parties
  • improve user experience by being able to use longer-lived access tokens without significantly increasing security risk i.e. not requiring frequent user authentication

Additional features since the EA release include replay protection against client applications sending repeated DPoP proofs, and the ability to require DPoP for public clients only, or for all clients.

A number of Auth0 SDKs have shipped with support for DPoP:

  • Authentication SDKs supporting DPoP for client applications: auth0-spa-js, auth0-react, auth0-angular, nextjs-auth0, auth0-flutter, Auth0.Swift and Auth0.Android
  • Authentication SDKs supporting DPoP for APIs/Resource Servers: express-oauth2-jwt-bearer, auth0-api-js, auth0-api-python, aspnetcore-api
  • Management SDKs supporting DPoP configuration: terraform-provider, go-auth0, deploy-cli, node-auth0, auth0.net

For more details, see the product documentation.

added

Customize RPID values for Passkeys EA

Boost Passkey adoption by enabling shared enrollment across subdomains. You can now customize the RP ID to allow a single Passkey to authenticate users across multiple applications under the same root domain. This capability is currently in EA.

Learn more about customizing RP ID for Passkeys:

Configure Passkey Policy

Native Passkeys for Mobile Applications (Auth0 Docs)

Passkeys (Auth0 Docs)

Real-time API & Rate Limit Metrics Streaming (Beta)

You can now stream real-time metrics for Auth0 Management API usage and rate limit events directly to your observability platform.

These new metric streams give you detailed telemetry on every API request, including success/failure status, specific failure reasons like rate limits, and diagnostic data such as Client ID and request path. This allows you to proactively monitor for rate limit issues, troubleshoot API errors faster, and correlate Auth0 performance with your own application's health, all from within your existing monitoring tools.

We've included out-of-the-box support for Datadog, and you can connect to New Relic, Prometheus, and Splunk using OpenTelemetry.

This feature is now available in Beta. To get started, check out our Metric Streams documentation.

Forms - HTTP Vault Connection New Options

We’re excited to announce that we added new options for Forms HTTP Vault Connections!

This new set of options allows you to configure different authorization methods for your HTTP Request Flow Actions.

(Screenshot: HTTP Vault Connection options)

What's new:

  • Client Credentials Support: Configure OAuth Client Credentials and keep the access token fresh for your HTTP Request Flow Actions authorization.
  • API Key Support: Authorize your HTTP Request Flow Actions using an API Key, defining the header or query param key and secret value.
  • Basic Auth Support: Configure and reuse Basic Auth authorization for your HTTP Request Flow Actions, helping you replace the legacy built-in option.

added

Brute Force Protection for Passwordless Notifications

To improve the end-user experience and mitigate message spam, Brute Force Protection now proactively prevents the sending of passwordless email and SMS codes to users who are already blocked.

This update ensures that restricted users cannot continue to trigger unsolicited notifications, closing a gap in our abuse prevention coverage and reducing unnecessary messages.

For more information on Brute Force Protection, check out our online documentation.

Actions - Transaction Metadata - GA

We are excited to announce that Actions Transaction Metadata is now GA.

This feature allows you to set, share, and access custom data between Actions run in the same post-login execution.

Functionality includes:

  • Accessing Transaction Metadata: A new event.transaction.metadata object within post-login Actions contains the custom key/value pairs, which can be accessed by key.
  • Setting Transaction Metadata: A new api.transaction.setMetadata function within post-login Actions serves as the interface for setting the custom key/value pairs.
  • Immediate Access: Values are available immediately after being set, both in the calling Action and in subsequent Actions.
  • Value Types: Values can be a boolean, a number, a string, or a string serialization of an object or array.
  • Docs: Actions Transaction Metadata
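The pattern above, as an added example that is not Auth0's code: one post-login Action publishes a risk assessment through api.transaction.setMetadata and a later Action in the same execution reads it back from event.transaction.metadata. The two Actions, the risk heuristic, the app_metadata.home_country attribute and the runPostLogin harness are hypothetical; the harness only mimics the event/api objects so the flow runs offline, while api.multifactor.enable is the real Actions call.

```javascript
// Added example (not Auth0's code): sharing results between post-login Actions via
// transaction metadata. Actions, heuristic and harness are hypothetical.

// Transaction metadata values must be boolean, number, string, or a string
// serialization of an object/array, so structured data is JSON-encoded on write.
function toMetadataValue(value) {
  const t = typeof value;
  if (t === 'boolean' || t === 'number' || t === 'string') return value;
  if (value !== null && t === 'object') return JSON.stringify(value);
  throw new TypeError(`unsupported transaction metadata value: ${t}`);
}

// Action 1 (hypothetical): compute a risk score and publish it for later Actions.
async function riskAssessmentAction(event, api) {
  const factors = [];
  const homeCountry = event.user.app_metadata?.home_country; // hypothetical attribute
  if (homeCountry && event.request.geoip?.countryCode !== homeCountry) factors.push('unexpected_country');
  if (event.user.logins_count === 1) factors.push('first_login');
  const score = factors.length * 40;
  api.transaction.setMetadata('riskScore', score);                      // number
  api.transaction.setMetadata('riskFactors', toMetadataValue(factors)); // serialized array
  api.transaction.setMetadata('requireStepUp', score >= 40);            // boolean
}

// Action 2 (hypothetical): read what Action 1 published and enforce a policy.
async function enforcementAction(event, api) {
  const md = event.transaction?.metadata ?? {};
  const factors = JSON.parse(md.riskFactors ?? '[]'); // decode the serialized array
  if (md.requireStepUp === true) {
    api.multifactor.enable('any'); // real Actions API: require MFA before the login completes
  }
  return { score: md.riskScore, factors, stepUp: md.requireStepUp === true };
}

// Harness (constructed, not Auth0's runtime): runs Actions in order and makes values
// written with setMetadata visible immediately through event.transaction.metadata.
async function runPostLogin(baseEvent, actions) {
  const metadata = {};
  const event = { ...baseEvent, transaction: { ...(baseEvent.transaction ?? {}), metadata } };
  const mfaCalls = [];
  const api = {
    transaction: { setMetadata: (key, value) => { metadata[key] = value; } },
    multifactor: { enable: (provider, options) => mfaCalls.push({ provider, options }) },
  };
  let result;
  for (const action of actions) result = await action(event, api);
  return { result, metadata, mfaCalls };
}

// Constructed sample login: first login, from a country other than the user's home country.
const sampleEvent = {
  user: { user_id: 'auth0|example', logins_count: 1, app_metadata: { home_country: 'DE' } },
  request: { geoip: { countryCode: 'BR' } },
};
```

Keeping the decision in the first Action and the enforcement in the second means the score is computed once and every downstream Action sees the same value, which is the point of transaction-scoped rather than user-scoped metadata.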

Actions - Modules - EA

We are excited to announce that Actions Modules is now available in Early Access.

This feature allows you to create, manage, and share reusable code across different Actions within your Auth0 Tenant.

Early Access functionality includes:

  • Simplified Code Management: Reduce code duplication and improve organization by writing common logic once and importing it into any Action where it is needed. This makes your Actions easier to maintain and update.
  • Improved Performance: Move expensive initialization work into a module that can be reused across multiple Actions. This avoids re-running the same setup code in every execution.
  • Cross-trigger Access: Actions Modules become available for every Action Trigger type.
  • Independent Secrets and Dependencies: Actions Modules have independent secrets and dependencies from Actions.
  • Docs: Actions Modules

Native to Web SSO is now Generally Available

Description

Native to Web SSO enables seamless single sign-on from native mobile applications to web applications. Users authenticated in a native mobile app can now transition to web content without re-authenticating, providing a frictionless cross-platform experience.

What's New in GA

Building on the Early Access release, GA includes the following enhancements:

  • Auth0 Dashboard Support: Configure Native to Web SSO directly from the Auth0 Dashboard, no longer limited to Management API configuration
  • Refresh Token Metadata in Actions: Access parent refresh token metadata within Session Transfer Actions, enabling richer context for customization and security decisions during the session transfer flow
  • Step-up Authentication Support: Trigger MFA challenges during the Native to Web SSO flow for enhanced security when accessing sensitive web content
  • React Native SDK Support: Native to Web SSO is now available in the Auth0 React Native SDK, supporting both Hooks (useAuth0) and class-based approaches
  • Organizations Support: Use Native to Web SSO with Auth0 Organizations to maintain organization context when transferring sessions from native to web
  • Web SDK Integration Examples: New code examples for Auth0 SPA SDK (@auth0/auth0-spa-js) and Auth0 React SDK (@auth0/auth0-react) for receiving session transfer tokens in web applications
  • Enhanced Monitoring & Troubleshooting: Comprehensive warning log events help developers troubleshoot session transfer validation failures

Core Features

  • Session Transfer Tokens (STT): Native apps can request a secure, short-lived token to transfer the authenticated session to web applications
  • Seamless Web Session Creation: Exchange STT for a web session without user interaction
  • Cross-Platform SSO: Maintain authentication state when moving between native and web contexts
  • Session Transfer Actions: Customize the session transfer flow with Auth0 Actions

How It Works

  1. User authenticates in the native mobile app using Auth0
  2. Native app requests a Session Transfer Token via the Authentication API
  3. When opening web content (WebView or browser), the STT is included in the authorization request
  4. Auth0 validates the STT and creates a web session
  5. User is automatically authenticated in the web application

Benefits

  • Improved User Experience: Eliminate re-authentication friction when moving from native to web
  • Enhanced Security: STTs are short-lived, single-use, and bound to the original session
  • Easy Integration: Works with existing Auth0 mobile SDKs (iOS, Android, React Native)

Getting Started

Availability

This feature is now generally available for all Auth0 Enterprise customers.

New Self-Service SSO Templates for Okta & Auth0 SAML Now Available!

We’ve expanded our Self-Service SSO capabilities with two new, highly-requested IdP templates for Okta SAML and Auth0 SAML. This update streamlines the configuration process for your enterprise customers, enabling faster, more reliable SSO integration.

Guided, Step-by-Step Configuration

Previously, setting up connections for providers like Okta SAML required using a generic template. Now, your customers will get a purpose-built, guided experience. Our new templates provide detailed, step-by-step instructions with screenshots specific to each IdP, reducing complexity and eliminating guesswork for your customers' IT teams.

Key Enhancements:

  • New Templates: A dedicated guide for customers who use Okta or Auth0 as their identity provider, making one of the most common connection types easier than ever.
  • Reduced Support Load: By making the process more intuitive for your customers, we help reduce your team's support burden and speed up your enterprise onboarding flow.

Learn more about Self-Service SSO in the product documentation.

Forms - Flows Auth0 Send SMS and Auth0 Make Call Actions

We’re excited to announce that we added Flows Auth0 Send SMS and Auth0 Make Call Actions!

This new feature allows you to send phone messages from Flows using the customized Phone Provider configured on your Auth0 Tenant.

(Screenshot: Auth0 Send SMS and Auth0 Make Call Actions preview)

What's new:

Session Metadata is now Generally Available for all Enterprise customers.

What's New

Session Metadata allows you to attach custom key–value data to a user's session using Actions or the Auth0 Management API. This enables you to persist contextual data throughout the session lifecycle, powering richer integrations, stronger audit trails, and personalized session behavior.

Key capabilities:

  • Set and retrieve metadata in Actions using api.session.setMetadata(key, value) and event.session.metadata
  • Manage metadata via Management API with GET and PATCH on /api/v2/sessions/{id}
  • Delete individual keys using api.session.deleteMetadata(key) or evict all metadata with api.session.evictMetadata()
  • Include session metadata in OIDC Back-Channel Logout tokens for downstream systems to receive context during logout events

Example usage in Actions:

exports.onExecutePostLogin = async (event, api) => {
  api.session.setMetadata("deviceName", event.request.user_agent);
  api.session.setMetadata("loginRegion", event.request.geoip?.countryCode);
  api.session.setMetadata("orgContext", event.organization?.id);
};

Limits:

  • Maximum of 25 key-value pairs per session
  • Each key and value must be a string with max 255 characters
  • Metadata is stored as a flat JSON object (no nesting)

Use Cases

  • Self-service device management: Store device names or login locations for user-facing session management UIs
  • Keep Me Signed In: Persist user preferences to customize session behavior
  • Organization context: Store organization information for multi-tenant applications
  • Audit and compliance: Include session context in logout tokens for downstream audit systems

Availability

Session Metadata is now Generally Available for all Enterprise tenants.

No API or behavior changes from Early Access.

Learn more

added

Credential Guard: Breached Phone Credentials Support

To strengthen defenses across the identity surface, we have added millions of breached phone credentials to our detection capabilities within Credential Guard.

This enhancement allows organizations using Phone as an Identifier to proactively identify compromised credentials and trigger automated security responses, such as login blocks or password resets.

This expansion ensures that phone-based authentication is as secure as traditional email-based methods without impacting system performance.

For more information on Credential Guard, check out our online documentation.

Refresh Token Metadata now available in Early Access

We're excited to announce that Refresh Token Metadata is now available in Early Access for Enterprise customers.

Refresh Token Metadata allows you to attach custom key-value pairs to refresh tokens, enabling richer context storage and more personalized authentication experiences.

What's New

Store Custom Data on Refresh Tokens

You can now attach up to 25 custom key-value pairs to each refresh token. This metadata persists throughout the token's lifecycle and can be accessed or modified via the Management API.

// In Post-Login Action
exports.onExecutePostLogin = async (event, api) => {
  api.refreshToken.setMetadata('deviceName', event.request.user_agent);
  api.refreshToken.setMetadata('loginRegion', event.request.geoip?.countryCode);
  api.refreshToken.setMetadata('orgContext', event.organization?.id);
};
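The Session Metadata and Refresh Token Metadata snippets above both copy raw request values straight into setMetadata. As an added example that is not Auth0's code, the guard below applies the documented limits before writing: the 25-pair cap is stated for both session and refresh token metadata; the 255-character key/value limit and the flat, strings-only shape are taken from the Session Metadata limits and are assumed here to apply to refresh tokens as well. The onExecutePostLogin Action and the recording api are hypothetical and exist only so the block runs offline; existing keys for refresh tokens are assumed unavailable in the event and passed as an empty object.

```javascript
// Added example (not Auth0's code): enforce metadata limits before calling
// api.session.setMetadata or api.refreshToken.setMetadata.
const DEFAULT_LIMITS = { maxPairs: 25, maxKeyLength: 255, maxValueLength: 255 };

// target: api.session or api.refreshToken (both expose setMetadata(key, value)).
// existing: keys already on the object (event.session.metadata for sessions), so the
// per-object cap counts them too. Returns { applied, skipped } instead of throwing,
// because an uncaught error in a post-login Action would fail the login.
function setMetadataSafely(target, entries, existing = {}, limits = DEFAULT_LIMITS) {
  const used = new Set(Object.keys(existing));
  const applied = {};
  const skipped = [];
  for (const [key, raw] of Object.entries(entries)) {
    if (key.length === 0 || key.length > limits.maxKeyLength) {
      skipped.push({ key, reason: 'bad_key' }); continue;
    }
    if (!used.has(key) && used.size >= limits.maxPairs) {
      skipped.push({ key, reason: 'too_many_pairs' }); continue;
    }
    if (raw === undefined || raw === null) {
      // e.g. event.organization?.id outside an Organization login; never store "undefined"
      skipped.push({ key, reason: 'missing_value' }); continue;
    }
    if (typeof raw === 'object') {
      // metadata is a flat object of strings; nested values are not allowed
      skipped.push({ key, reason: 'nested_value' }); continue;
    }
    let value = String(raw); // values must be strings
    if (value.length > limits.maxValueLength) {
      value = value.slice(0, limits.maxValueLength); // user agents routinely exceed 255 chars
    }
    target.setMetadata(key, value);
    used.add(key);
    applied[key] = value;
  }
  return { applied, skipped };
}

// Hypothetical post-login Action using the guard on both targets.
async function onExecutePostLogin(event, api) {
  const common = {
    deviceName: event.request.user_agent,
    loginRegion: event.request.geoip?.countryCode,
    orgContext: event.organization?.id,
  };
  const session = setMetadataSafely(api.session, common, event.session?.metadata ?? {});
  const refreshToken = setMetadataSafely(api.refreshToken, common, {}); // assumption: no existing keys visible here
  return { session, refreshToken };
}

// Constructed recording api so the Action can run outside the Actions runtime.
function makeRecordingApi() {
  const store = (written) => ({ written, setMetadata: (key, value) => { written[key] = value; } });
  return { session: store({}), refreshToken: store({}) };
}
```

The guard drops rather than fails: a missing organization id or an over-long user agent should never block a login, but it should also never end up stored as the literal string "undefined" or rejected by the platform limit at the point of writing.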

Management API Support

Access and manage refresh token metadata programmatically:

  • GET /api/v2/refresh-tokens/{id} - Retrieve token with metadata
  • PATCH /api/v2/refresh-tokens/{id} - Update token metadata
  • DELETE /api/v2/refresh-tokens/{id} - Revoke token

Learn more about Refresh Token Metadata in our documentation.

added

Auth0 Agent Skills

We're introducing Auth0 Agent Skills (Beta): structured guidance that teaches AI coding assistants how to implement Auth0 authentication correctly across any framework.

Agent Skills are AI-native instructions that work with popular coding assistants such as Claude Code, Codex, and Gemini CLI. They provide production-ready code patterns, security best practices, and step-by-step implementation flows directly within your development workflow.

Key Features

  • Framework Coverage: Support for React, Next.js, Vue, Angular, Express, Nuxt, React Native, and more
  • Security First: Built-in best practices for MFA, protected routes, and secure token handling
  • Migration Support: Guided migration from Firebase Auth, AWS Cognito, Supabase, and other providers
  • Easy Installation: Install via CLI (npx skills add auth0/agent-skills) or directly in Claude Code plugins
  • Production Ready: Generate complete authentication implementations in minutes

Getting Started

  • Install Auth0 Agent Skills: npx skills add auth0/agent-skills
  • Then ask your AI assistant: "Add auth0 to my app" and you're ready to go.

Learn More

added

Enhanced Bot Detection Accuracy with JA4 Signals

To provide a more robust defense against sophisticated automated threats, Auth0 has integrated JA4 signals into the core of our Bot Detection machine learning engine.

The addition of JA4 signals allows our models to surface and mitigate sophisticated automated threats that traditional signals often miss.

This enhanced security feature is available now to all Enterprise customers with the Attack Protection add-on. The rollout is currently underway and will be completed in the coming weeks, aligned with individual customer release schedules.

To learn more about Auth0's Bot Detection Product, click here

Better Mobile UX: Numeric Keyboards Now Default for OTPs

We’re excited to roll out a highly requested update to the mobile login experience! We know that every tap matters when it comes to user conversion, so we’ve eliminated a common friction point in the authentication journey.

Previously, users might have been met with a standard alphabetical keyboard when prompted for a code. Now, for all SMS and Email OTP challenges, mobile devices will automatically surface the numeric keyboard. This change spans 16+ touchpoints—including MFA enrollment, Passwordless login, and password resets—ensuring your authentication flow feels native, intuitive, and fast.

What do you need to do?

Nothing at all. This optimization is automatically enabled for all customers using the Universal Login experience. Your users are already enjoying a smoother, "fat-finger" proof login today!

Experience it yourself

Trigger an MFA challenge or Passwordless login from your mobile device to see the new flow in action.

added

New FGA Dashboard Logging UI is being rolled out

We are excited to announce the FGA Logging UI! This introduces a web interface to the existing logging API, giving you the ability to view FGA logs directly in the FGA Dashboard.

Users can now filter, sort and inspect access logs directly from the FGA Dashboard, significantly reducing the time required for debugging and troubleshooting issues.

The Logging UI provides an easy-to-use visual interface with capabilities to sort and filter log entries.

  • Visual Interface: Users can now immediately view a list of log entries for operations like Check() and Write() in the main viewing area of the UI. Drilling down into a single log entry will open a side panel for a full detailed view of the log data in JSON format, with a convenient copy-and-paste button to quickly copy and paste log data into another application for viewing or saving.

  • Date/time ranges: Viewing log data can be daunting due to sheer volume. The UI has a convenient date picker to set the time-bound log retrieval window.

  • Filtering: We’ve introduced a simple search box for filtering. Simple as it looks, it accepts a subset of Lucene query syntax for advanced log queries; retrieving all write operations is as easy as typing request.operation:"Write" into the search box.

  • Sorting: The UI supports ascending and descending sorting on fields, so you can quickly toggle between “newest first” and “oldest first” views of the log data.

For more details, refer to Auth0 FGA’s logging documentation.

API Access Policies for Applications is now Generally Available

We are pleased to announce that API Access Policies for Applications is now Generally Available (GA) for all Auth0 customers. This feature allows you to specifically control which applications can request access tokens for your APIs, covering both user and machine-to-machine access.

Previously available only via the Management API, these policies can now be fully configured directly within the Auth0 Dashboard. The new UI allows you to easily visualize and manage permissions per API, ensuring that only authorized applications can access sensitive resources.

Key Benefits:

  • Granular Control: Define distinct access policies for user access vs. machine-to-machine access.
  • Enhanced Security: Use the require_client_grant policy to ensure only explicitly authorized applications can obtain tokens for the subset of allowed permissions.
  • Simplified Management: Configure these settings visually through the new Dashboard UI.

To learn more, navigate to Applications > APIs > Application Access in the dashboard or read our reference docs.

API Access Permissions dashboard

added

Roles for the Auth0 FGA Dashboard

We are excited to release the Per-Member Authorization feature that introduces roles to the FGA Dashboard! This allows you to grant appropriate levels of access based on users’ needs.

We are enhancing the permission model from a single admin to Groups that can be assigned roles. Groups are an organizational container for managing permissions and offer convenience when assigning roles to multiple users at once.

  • New Roles: We are introducing three new granular roles to sit alongside the previous admin role (now renamed Account Owner):
    • Group Manager: An account-level role for managing teams without accessing FGA stores directly.
    • Store Editor: A store-level role that can modify models and tuples but cannot manage groups.
    • Store Viewer: A read-only role useful for ops teams or sales engineers who need visibility without the ability to impact systems.
  • Groups: Account Owners or Group Managers can create groups (ex., "IT Group" or "Dev Team") and assign members to them. All members automatically inherit the permissions defined at the group level.
  • Scoping: Crucially, these roles can be scoped to specific stores. For example, a single user can be an Editor for a "Staging" store but restricted to Viewer for a "Production" store.

For more details, refer to Auth0 FGA Dashboard’s Roles documentation.

added

Self-Service Domain Verification for Organization Discovery now in Early Access!

We’ve integrated Organization Discovery by Domain into the Self-Service SSO workflow, eliminating manual backend configuration and providing a seamless login experience for your enterprise users.

Zero-Touch Discovery

Previously, verifying a domain only configured the SSO connection. Now, when a ticket is scoped to a single Organization, verified domains are automatically synced to the Organization record. This enables Organization Domain Discovery instantly, allowing end-users to log in with just their email address.

Key Enhancements:

  • Verify One, Apply Everywhere: Verified domains are added to both the Connection and the Organization simultaneously.
  • Domain Association: If a domain was previously verified for an Organization, customers can now simply associate it with a new connection, skipping repeat DNS TXT steps.
  • Deterministic Routing: By gating this to a 1:1 mapping, we ensure users are routed to the correct IdP every time.

Learn more about Self-Service SSO in the product documentation.

By using Self-Service SSO Domain Verification for Organization Discovery by Domain, you agree to the applicable Free Trial terms in Okta’s Master Subscription Agreement and Okta’s Privacy Policy during use of the Early Access feature. The Free Trial terms can be found within the Master Subscription Agreement at https://www.okta.com/agreements.

added

Inbound SCIM Groups for Enterprise Connections is now in Limited Early Access

We’re pleased to announce that support for Groups within Auth0’s Inbound SCIM for Enterprise Connections feature is now in limited early access!

This release is useful for developers who support users and groups natively in their applications and need to integrate with Enterprise identity providers that use SCIM 2.0 to manage those users and groups remotely.

New group capabilities added:

  • SCIM groups endpoint per connection - Each Enterprise connection gets dedicated SCIM /users and /groups endpoints and dedicated credentials that enable provisioning, de-provisioning, and management of the users and groups specific to that connection.

  • Sync groups from Auth0 to external systems - Users and groups provisioned inbound to Auth0 can be synchronized outbound to external systems using Auth0’s Event streams feature.

  • Use groups in the Post-Login Action - Use group information pushed from Enterprise identity providers in your Auth0 post-login actions to make access control and authorization decisions in Auth0.

  • View groups in the Auth0 Dashboard - All groups provisioned using SCIM can be viewed in the Auth0 Dashboard under a new Enterprise Groups tab, as well as per user under the Users section.

How to get access

To join the Limited EA program and access SCIM Groups for Enterprise connections, complete the EA Terms & Conditions form and contact your Auth0 Account Team to request activation and supporting documentation.

added

Google Workspace Inbound User Directory Sync is Now Generally Available!

We’re excited to announce that Google Workspace User Directory Sync is now generally available! This feature keeps Auth0 user profiles up to date by syncing users from your Google Workspace directory into Auth0 - so user profile updates don’t depend on login events.

Key highlights of this release:

  • Dashboard configuration: Enable and manage inbound user directory sync directly from the Auth0 Dashboard on your Google Workspace enterprise connection (including attribute mapping, automated sync, and manual sync).
  • Management API support: Programmatically enable, configure, and run inbound user directory sync using the Management API Connections endpoints.
  • Self-Service SSO experience: Your customers’ IT teams can configure Google Workspace inbound directory sync alongside SSO and SCIM provisioning, and manage user onboarding/offboarding directly.

Learn more:

added

Universal Custom Password Hash for Bulk Import - Now in Limited Early Access!

We’re excited to introduce Universal Custom Password Hash in Limited Early Access (EA), enabling user migrations into Auth0 without disrupting sign-ins - even when your existing system uses custom or legacy password formats.

With Universal Custom Password Hash you can bring existing users over through Bulk Import and use Auth0 Actions to script custom password validation logic for your environment so users can continue signing in with their current credentials.

Key Capabilities:

  • Support for custom password formats during migration: Migrate users from legacy and proprietary systems while maintaining the existing sign-in experience.
  • Custom validation logic with Auth0 Actions: Write and deploy password validation logic that matches your current security architecture using Actions.
  • Seamless end-user experience: Users continue to sign in as usual; fewer password resets and fewer support tickets mean reduced rollout friction.
  • Built for enterprise migrations: Designed for complex environments where password handling varies across regions, applications, or historical platforms.

Why It Matters:

  • Accelerate migrations by reducing friction and avoiding user disruption.
  • Lower helpdesk load by minimizing password reset spikes during cutover.
  • Increase confidence in large-scale rollouts with flexible support for legacy password formats.

How to Join EA: Universal Custom Password Hash is available through Limited Early Access enrollment. To request access and supporting documentation, contact your Auth0 Account Team and complete the Limited EA Terms & Conditions process.

deprecated

Legacy Management of Connection's Enabled Clients

The enabled_clients field, within the connection object, is deprecated in the following scenarios:

As an alternative to the deprecated functionality, two new Management API endpoints are available:

We have provided additional information and timelines for enforcing this change across tenants through a dashboard and Support Center notification. Note that when creating a new connection via the POST /api/v2/connections endpoint, the enabled_clients field remains supported.

Ephemeral Sessions with Actions - General Availability

As part of our Continuous Session Protection, you can now configure ephemeral (non-persistent) sessions using Actions. This allows enterprise customers to dynamically control whether a session is stored in a persistent cookie or only in memory.

Ephemeral sessions:

  • Exist only in memory and are cleared when the browser or app is closed.
  • Are ideal for high-sensitivity workflows such as step-up authentication or use on public devices.
  • Can be configured per session using api.session.setCookieMode("non-persistent") in post-login Actions.
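An added example, not Auth0's own code, of a post-login Action that decides per login whether to request a memory-only session and applies that decision with the api.session.setCookieMode("non-persistent") call named above. The application metadata key session_mode and the user app_metadata flag shared_device are assumed placeholders for your own policy inputs.

```javascript
// Added example, not Auth0's own code. Chooses per login whether the session
// cookie is persistent or memory-only and applies the choice through
// api.session.setCookieMode("non-persistent"), the call named above.
// Assumptions (not from the page): the application metadata key "session_mode"
// and the user app_metadata flag "shared_device" are the policy inputs; both
// are placeholders for your own signals.
const PERSISTENT = 'persistent';
const NON_PERSISTENT = 'non-persistent';

// Pure policy function, so it can be unit-tested without the Actions runtime.
function chooseCookieMode(event) {
  // 1. Explicit per-application override (assumed metadata key).
  const clientMode = event.client?.metadata?.session_mode;
  if (clientMode === PERSISTENT || clientMode === NON_PERSISTENT) return clientMode;
  // 2. Accounts flagged as used on shared or public devices (assumed app_metadata flag).
  if (event.user?.app_metadata?.shared_device === true) return NON_PERSISTENT;
  // 3. Step-up: this transaction completed MFA, so keep the elevated session out of persistent storage.
  const methods = event.authentication?.methods ?? [];
  if (methods.some((m) => m.name === 'mfa')) return NON_PERSISTENT;
  return PERSISTENT;
}

// Only the non-persistent case needs a call; otherwise the tenant's configured default applies.
function applyCookieMode(event, api) {
  const mode = chooseCookieMode(event);
  if (mode === NON_PERSISTENT) api.session.setCookieMode(NON_PERSISTENT);
  return mode;
}

async function onExecutePostLogin(event, api) {
  applyCookieMode(event, api);
}

// Guarded so the file also loads outside the Actions runtime (e.g. in a unit test).
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;
```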

This feature, previously in Early Access, is now in General Availability and available to all Enterprise tenants.

Learn more:

added

Auth0 Private Cloud Now Available on Azure 30x & 30x Burst Tiers

We are pleased to announce the expanded availability of Auth0 Private Cloud on Microsoft Azure, now supporting the 30x and 30x Burst performance tiers.

This update enables enterprise organizations to leverage high-scale, dedicated identity infrastructure while maintaining their commitment to the Azure ecosystem.

Performance at Scale

  • 30x
    • Sustained Capacity: 3,000 RPS
    • Peak Burst Capacity: 3,000 RPS
    • Best for: Consistent, high-volume baseline traffic
  • 30x Burst
    • Sustained Capacity: 1,500 RPS
    • Peak Burst Capacity: 3,000 RPS
    • Best for: Variable traffic with high-intensity spikes

Why This Matters

  • Compliance & Residency: Deploy to the Azure region of your choice to satisfy localized data residency and compliance needs at scale.
  • Financial Strategy: Burn down your existing Microsoft Azure Consumption Commitments (MACC) by investing in the market-leading identity platform.
  • Operational Excellence: Benefit from a fully managed, dedicated instance that provides you infrastructure isolation and flexibility as you grow.

Get Started

These tiers are available immediately for new and existing customers. Please visit Auth0 documentation for more info.

added

Security Center: Unleash Deeper Insights with New Filtering & Pre-defined Groupings

We're excited to announce a significant update to the Security Center, marking the first major enhancement since last year's introduction of Thresholds and Alerts! These new capabilities drastically improve your ability to monitor, analyze, and respond to security threats with greater precision and speed.

What's New:

  • Granular Filtering by Applications and Connections: You can now filter security metrics within the Overview and Threat Monitoring pages by specific applications and connections. This allows for a more detailed examination of your tenant traffic, enabling faster incident triage and more effective troubleshooting by visualizing subsets of data.
  • Deeper Insights into Top Threat Behaviors: We've introduced new charts to highlight the top 5 connections and IPs associated with various security metrics. These groupings provide quick insights into potential anomalies and common threat behaviors, empowering you to identify and address risks more efficiently.
  • Consolidated Threat Monitoring View: The Threat Monitoring page has been revamped to offer a more intuitive and unified experience. This updated view, combined with the new filtering options by application and connection, streamlines your ability to track and respond to threats effectively.

These enhancements are available in all public cloud environments and are gradually rolling out to private cloud environments.

Explore the updated Security Center today to take control of your security insights and strengthen your security posture!

Custom Token Exchange now available in Open Early Access

We’re excited to announce the Open Early Access (EA) of Custom Token Exchange. OAuth 2.0 Token Exchange lets a client trade one security token for another (typically an Access Token). With Custom Token Exchange, you can run Auth0 Actions as part of that exchange, giving you a flexible way to inject custom logic and implement your own authentication and authorization semantics. This lets you validate and authorize the request and precisely set the user for every token exchange transaction.

Key highlights of this release:

  • Automatic Entitlement: The feature is now automatically available to all Enterprise and B2B Pro customers to be used for testing and production (no manual enablement required).
  • Organizations Support: Full compatibility with Organizations. You can now pass the organization parameter in the request or use the new setOrganization function within your Action.
  • Enhanced Security: Includes Multi-Factor Authentication (MFA) support during the exchange.

To learn more, read the reference documentation.

Forms - Flows Auth0 Send Email Action

We’re excited to announce that we have added the Flows Auth0 Send Email Action!

This new feature allows you to send emails from Flows using the customized Email Provider at your Auth0 Tenant.

What's new:

  • Email Providers: take advantage of the supported email providers that can be configured at your Auth0 Tenant.
  • Custom Email Provider: write custom code to send your emails to unsupported email providers using the Custom Email Provider Action.
  • Custom Properties: customize the settings for the outgoing emails including sender, recipient, subject, message, and variables.
  • Liquid Syntax: use Liquid syntax at your email subject and message.

MyAccount API Explorer Experience Updated

The MyAccount API Explorer now has an updated experience! Using MyAccount API, customers can build self-service management experiences at scale, powered directly from their applications.

To learn more about the MyAccount API feature, click here.

The improved MyAccount API Explorer experience includes:

  • modernization of the look & feel
  • interactivity between the response schema and response example
  • full endpoint URL readily available to copy
  • ability to quickly navigate to other API Explorers

Navigate to: https://auth0.com/docs/api/myaccount to try it out!

deprecated

Deprecation of Weak TLS 1.2 Cipher Suites

To ensure the highest security standards for your identity infrastructure, we are retiring specific weak TLS 1.2 cipher suites. This change affects all connections to Auth0 service endpoints and web applications, specifically:

  • Tenant Domains: All default (e.g., [tenant].auth0.com) and Custom Domains for both Public and Private Cloud.
  • Auth0 Tools: The Dashboard (manage.auth0.com), Marketplace, and Support Center.
  • Infrastructure: The Auth0 CDN.

Cipher Suites Scheduled for Removal: The following ciphers are being deprecated. For cross-reference, we have provided the unique Hex Code, IANA name, and a link to the OpenSSL equivalent.

  • 0xC0,0x09 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (https://ciphersuite.info/cs/TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA/)
  • 0xC0,0x0A - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (https://ciphersuite.info/cs/TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA/)
  • 0xC0,0x23 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (https://ciphersuite.info/cs/TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256/)
  • 0xC0,0x24 - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (https://ciphersuite.info/cs/TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384/)
  • 0xC0,0x13 - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA/)
  • 0xC0,0x14 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA/)
  • 0xC0,0x27 - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256/)
  • 0xC0,0x28 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384/)
  • 0x00,0x9C - TLS_RSA_WITH_AES_128_GCM_SHA256 (https://ciphersuite.info/cs/TLS_RSA_WITH_AES_128_GCM_SHA256/)
  • 0x00,0x2F - TLS_RSA_WITH_AES_128_CBC_SHA (https://ciphersuite.info/cs/TLS_RSA_WITH_AES_128_CBC_SHA/)
  • 0x00,0x9D - TLS_RSA_WITH_AES_256_GCM_SHA384 (https://ciphersuite.info/cs/TLS_RSA_WITH_AES_256_GCM_SHA384/)
  • 0x00,0x35 - TLS_RSA_WITH_AES_256_CBC_SHA (https://ciphersuite.info/cs/TLS_RSA_WITH_AES_256_CBC_SHA/)
  • 0x00,0x3C - TLS_RSA_WITH_AES_128_CBC_SHA256 (https://ciphersuite.info/cs/TLS_RSA_WITH_AES_128_CBC_SHA256/)
  • 0x00,0x3D - TLS_RSA_WITH_AES_256_CBC_SHA256 (https://ciphersuite.info/cs/TLS_RSA_WITH_AES_256_CBC_SHA256/)

Additional information is available through the Auth0 dashboard and Support Center notification.
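An added example, not Auth0's own code, for checking on the client side that nothing you operate depends on the suites above: it audits an OpenSSL cipher string (the form Node's tls and https ciphers option takes) against the fourteen suites and rebuilds it so none of them can be negotiated. Hex codes and IANA names are the ones listed above; the OpenSSL names are the standard equivalents for those suites, and the sample strings in the test are constructed.

```javascript
// Added example, not Auth0's own code. Audits an OpenSSL cipher string (the
// form Node's tls/https `ciphers` option takes) against the fourteen suites
// listed above and rebuilds it so none of them can be negotiated. Hex codes
// and IANA names are from the list above; the OpenSSL names are the standard
// equivalents for those suites. The sample strings in the test are constructed.
const DEPRECATED_SUITES = [
  ['0xC0,0x09', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA', 'ECDHE-ECDSA-AES128-SHA'],
  ['0xC0,0x0A', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA', 'ECDHE-ECDSA-AES256-SHA'],
  ['0xC0,0x23', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256', 'ECDHE-ECDSA-AES128-SHA256'],
  ['0xC0,0x24', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384', 'ECDHE-ECDSA-AES256-SHA384'],
  ['0xC0,0x13', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', 'ECDHE-RSA-AES128-SHA'],
  ['0xC0,0x14', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', 'ECDHE-RSA-AES256-SHA'],
  ['0xC0,0x27', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', 'ECDHE-RSA-AES128-SHA256'],
  ['0xC0,0x28', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384', 'ECDHE-RSA-AES256-SHA384'],
  ['0x00,0x9C', 'TLS_RSA_WITH_AES_128_GCM_SHA256', 'AES128-GCM-SHA256'],
  ['0x00,0x2F', 'TLS_RSA_WITH_AES_128_CBC_SHA', 'AES128-SHA'],
  ['0x00,0x9D', 'TLS_RSA_WITH_AES_256_GCM_SHA384', 'AES256-GCM-SHA384'],
  ['0x00,0x35', 'TLS_RSA_WITH_AES_256_CBC_SHA', 'AES256-SHA'],
  ['0x00,0x3C', 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'AES128-SHA256'],
  ['0x00,0x3D', 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'AES256-SHA256'],
].map(([hex, iana, openssl]) => ({ hex, iana, openssl }));

// Why each suite is on the list: static RSA key exchange gives no forward
// secrecy, and CBC suites are not AEAD. Every entry above matches at least one.
function weaknessOf(iana) {
  const reasons = [];
  if (iana.startsWith('TLS_RSA_WITH_')) reasons.push('static RSA key exchange (no forward secrecy)');
  if (iana.includes('_CBC_')) reasons.push('CBC mode (not AEAD)');
  return reasons;
}

const BY_OPENSSL = new Map(DEPRECATED_SUITES.map((s) => [s.openssl.toUpperCase(), s]));

// OpenSSL accepts ':', ',' and whitespace as separators.
function parseCipherString(cipherString) {
  return cipherString.split(/[:,\s]+/).filter(Boolean);
}

// Deprecated suites named explicitly in the string (keyword groups such as
// HIGH may still pull them in implicitly; see hardenCipherString).
function findDeprecated(cipherString) {
  return parseCipherString(cipherString)
    .map((token) => BY_OPENSSL.get(token.toUpperCase()))
    .filter(Boolean);
}

// Drop explicit mentions and append a '!' exclusion for every deprecated
// suite: '!' removes a suite permanently, so a later keyword such as HIGH or
// AES cannot re-enable it.
function hardenCipherString(cipherString) {
  const kept = parseCipherString(cipherString).filter((t) => !BY_OPENSSL.has(t.toUpperCase()));
  const exclusions = DEPRECATED_SUITES.map((s) => '!' + s.openssl);
  return [...kept, ...exclusions].join(':');
}
```

Pass the hardened string as the ciphers option of https.Agent or tls.connect (together with minVersion 'TLsv1.2') to confirm your client still connects once these suites are gone.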

Advanced Customizations for Universal Login has reached General Availability

We are excited to announce that Advanced Customizations for Universal Login (ACUL) is now generally available. ACUL enables developers to create custom, client-rendered user interfaces for Universal Login using their preferred frontend technologies.

Key capabilities in this release:

  • Full Screen Parity: Support for customizing all Universal Login screens and flows, including Login, Signup, MFA, Password Reset, and more.
  • New SDKs: Production-ready React and TypeScript SDKs to accelerate development.
  • Visual Editor: A new Dashboard UI for managing screen configurations and assets.
  • Improved Developer Tooling: Major updates to Auth0 CLI to support scaffolding (auth0 acul init), local mocking, testing, and CI/CD deployments.
  • Production-Ready Sample App: A robust sample repository featuring implementations of 34 authentication screens built with React 19 and Tailwind 4.

ACUL allows you to leverage all the security benefits of Universal Login, such as bot protection and threat intelligence, while providing complete control over the visual presentation and user journey.

Read the Documentation

Requesting App for Cross App Access (XAA) is now available in Beta.

This new Token Vault capability allows Client Applications to obtain access tokens for third-party APIs (resource servers) through an authorization flow coordinated by a common Identity Provider implementing the Identity Assertion Authorization Grant standard. This new standard enables requesting applications such as AI Agents to obtain access tokens where user consent is managed by policy at the Identity Provider.

To evaluate the Requesting App for Cross App Access, please contact Auth0. For more details, see the product documentation.

Google Workspace User Directory Sync - Now in Early Access

We’re excited to announce that Google Workspace User Directory Sync is now available in Limited Early Access (EA) with major enhancements to configuration, usability, and performance.

This feature automatically synchronizes users from your Google Workspace directory into Auth0 - ensuring user profiles stay accurate and up to date without relying on login events.

What’s New in EA:

  • Management Dashboard Support: You can now enable and configure Google Workspace Directory Sync directly from the Auth0 Management Dashboard.
  • Integrated with Self-Service SSO: We’ve expanded the Self-Service SSO Provisioning flow to include Google Workspace Directory Sync alongside SCIM. Your customers’ IT teams can now configure SSO, SCIM provisioning, and Google Workspace Directory Sync through a unified setup flow, and manage user onboarding/offboarding directly, with less manual work for you.
  • Performance Improvements: Backend optimizations reduce sync latency and ensure stable performance under high load.

Why It Matters:

  • Eliminates reliance on user login events for updating user data in Auth0
  • Reduces identity drift and accelerates user lifecycle management
  • Delegates Directory Sync setup to your customers’ IT administrators.

How to Join EA: To join the Limited EA program and access Google Workspace User Directory Sync, complete the EA Terms & Conditions form and contact your Auth0 Account Team to request activation and supporting documentation.

added

Introducing the New ASP.NET Core API SDK

We are excited to announce the release of Auth0.Aspnetcore.Authentication.Api, a new official SDK designed to streamline authentication and security for ASP.NET Core backend applications.

Key Benefits:

  • Supports .NET 8.0+ and is built for the modern "middleware" pattern. Developers can now secure an API with a single line: builder.Services.AddAuth0ApiAuthentication(...).
  • Abstracts the complexity of JWT validation. Developers no longer need to write fragile boilerplate code to check Audiences or Issuers. The SDK enforces security best practices out of the box.
  • Supports DPoP with flexible enforcement modes (Allowed, Required, Disabled). Enterprise customers can now enforce a higher level of security with minimal code changes.

Getting Started:

added

Adaptive MFA: Customizable Device Remembrance

Adaptive MFA now allows administrators to configure the device remembrance duration (TTL) for the New Device assessor. The default remains 30 days, but it can now be set to any value between 1 and 365 days.

When users log in successfully on a remembered device, that device’s TTL automatically refreshes to the currently configured value.

This enhancement provides greater flexibility to balance security and user convenience, helping teams align device remembrance with organizational policies and login patterns.

Configuration is available through both the Dashboard and the new Adaptive MFA Management API endpoints, enabling automated setup and management of device remembrance.

Learn more about configuration options in our Adaptive MFA documentation.
For details on the new Adaptive MFA Management API endpoints, visit the Risk Assessment API documentation.

added

Express Configuration is now Generally Available for Auth0 SaaS apps in the Okta Integration Network

We’re pleased to announce that Express Configuration with Okta is now generally available for Auth0 applications in the Okta Integration Network!

Express Configuration automates how your enterprise customers using Okta set up identity integrations with your Auth0 application. This includes configuring OpenID Connect (OIDC) for single sign-on, System for Cross-domain Identity Management (SCIM) for automated user onboarding and offboarding, and Global Token Revocation (GTR) for centralized session management with Universal Logout.

To learn more about Express Configuration with Okta, click here.

This feature is available immediately in all public cloud environments, and will be rolled out to private cloud environments as per their release pipeline.

Auth0 for AI Agents is generally available.

We are thrilled to announce a major milestone: the General Availability (GA) of Auth0 for AI Agents!

Auth0 for AI Agents is a suite of features to empower developers to build secure agentic applications and experiences. The solution suite includes updates to: Token Vault for secure token based access to third-party APIs and applications; and Asynchronous Authorization for user approvals to keep the human in the loop for sensitive agent actions.

Here are some highlights of the latest updates to the solution suite:

  • A new connected accounts flow (with connection purpose) to easily establish federated connections, initiated by client applications.
  • Support for Microsoft Entra (Azure AD) and Google Workspace as enterprise connected accounts.
  • Support exchanging a first-party access token for a third-party access token at the Token Vault.
  • Send notifications for asynchronous authorization flows using email or the Guardian App, with client initiated backchannel authentication (CIBA).
  • Revamped Quickstarts and SDKs to delight developers.
  • Pricing and packaging for Essential, Professional, and Enterprise plans.

You can read more about the solution suite and the component features in the Auth0 for AI documentation.

added

Auth for MCP: Now in Early Access

Auth0 is thrilled to announce that Auth for MCP is officially in Early Access! This release extends the power of Auth0’s standards-based authorization platform to the Model Context Protocol (MCP), securing your MCP servers, MCP clients, AI agents and the APIs they interact with.

With Auth for MCP, Auth0 integrates OAuth 2.1 and OpenID Connect directly into the MCP ecosystem, ensuring consistent access control and auditability across every agentic interaction.

Key capabilities include:

  • MCP Server Authorization: Protect your MCP Servers with Auth0’s Universal Login, using social, enterprise, and custom identity providers with full support for MFA and advanced attack protection.

  • Standards-based discovery and registration: Allow MCP clients and servers to automatically discover authorization endpoints and dynamically register with Auth0. This removes manual setup and ensures consistent configuration across your environment.

  • Leveraging your Existing APIs: Enable MCP clients to securely call internal APIs on behalf of users using short-lived, purpose-scoped tokens.

  • Connecting to Third party APIs using Token Vault: Securely store, refresh, and revoke access tokens for third-party APIs. This lets your MCP applications act on behalf of users across external SaaS systems like Google, Microsoft, GitHub, and more.

  • Developer-ready integration: Explore quickstarts, guides, and sample apps to easily implement Auth for MCP. Auth0 provides ready-to-use examples for securing your MCP server, calling APIs on users’ behalf, and using the Token Vault with JavaScript or Python SDKs.

  • MCP Spec Compliance: Works with Auth0’s Resource Parameter Compatibility Profile and token dialect rfc9068_profile_authz, ensuring that access tokens include the permissions claim required for authorization in MCP.

This Early Access release allows developers to unify authorization across MCP clients, servers, and tools, improving governance of agent actions.

Auth for MCP is available today in Early Access. To participate, please submit the Early Access Form and/or contact your Auth0 Technical Account Manager.

For setup instructions, SDKs, and sample applications, and more, visit the Auth for MCP documentation.

updated

Security Center Threat Behavior Metrics Update

We’ve refined the logic behind how Security Center metrics are calculated to provide more accurate and actionable insights.

Metrics now reflect IP activity using the following logic:

When an IP address triggers more than 10 relevant events for a given metric within a single hour, it will now be counted toward that metric.

This update ensures greater consistency and reliability across event-based metrics within the Security Center.

For more details on which metrics are affected and their updated definitions, see the Security Center Metrics documentation.
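The counting rule above can be reproduced locally against exported tenant log events, which is useful when reconciling Security Center numbers with your own SIEM. The following is an added example, not Auth0's code: it assumes events carry a `type` (Auth0 log event code), an `ip` and an ISO-8601 `date`, reads "within a single hour" as any 60-minute sliding window, and uses an illustrative metric-to-event-code mapping rather than Auth0's own metric definitions.

```javascript
// Added example (not Auth0's code): apply the Security Center counting rule
// ("more than 10 relevant events from one IP within a single hour") to exported
// tenant log events. Assumptions: events carry `type` (Auth0 log event code),
// `ip` and `date` (ISO-8601); "within a single hour" is read as any 60-minute
// sliding window; the metric-to-event-code mapping is illustrative only.

const THRESHOLD = 10;              // an IP counts once it exceeds this
const WINDOW_MS = 60 * 60 * 1000;  // one hour

// Illustrative mapping: which log event codes feed which metric.
// (The real Security Center metric definitions live in Auth0's docs.)
const METRIC_EVENT_TYPES = {
  failed_logins: new Set(["f", "fp", "fu"]),
  blocked_accounts: new Set(["limit_wc"]),
};

// Largest number of timestamps (ms) that fall inside any window of `windowMs`.
function maxEventsInWindow(times, windowMs) {
  const sorted = [...times].sort((a, b) => a - b);
  let best = 0;
  let start = 0;
  for (let end = 0; end < sorted.length; end++) {
    while (sorted[end] - sorted[start] >= windowMs) start++;
    best = Math.max(best, end - start + 1);
  }
  return best;
}

// Returns, per metric, the sorted list of IPs that exceed the threshold.
function flaggedIpsPerMetric(events, metricTypes = METRIC_EVENT_TYPES, threshold = THRESHOLD) {
  const result = {};
  for (const [metric, types] of Object.entries(metricTypes)) {
    const timesByIp = new Map();
    for (const ev of events) {
      if (!types.has(ev.type)) continue;
      const t = Date.parse(ev.date);
      if (Number.isNaN(t) || !ev.ip) continue; // skip malformed records
      if (!timesByIp.has(ev.ip)) timesByIp.set(ev.ip, []);
      timesByIp.get(ev.ip).push(t);
    }
    result[metric] = [...timesByIp]
      .filter(([, times]) => maxEventsInWindow(times, WINDOW_MS) > threshold)
      .map(([ip]) => ip)
      .sort();
  }
  return result;
}

// Constructed sample: 12 failed logins in 22 minutes (flagged), exactly 10 in
// 10 minutes (not flagged, the rule is "more than 10"), and 12 spread over six
// hours (never more than 2 in any hour). IPs are from documentation ranges.
const BASE = Date.parse("2025-11-03T10:00:00Z");
const at = (minutes) => new Date(BASE + minutes * 60000).toISOString();
const SAMPLE_EVENTS = [
  ...Array.from({ length: 12 }, (_, i) => ({ type: "fp", ip: "203.0.113.5", date: at(i * 2) })),
  ...Array.from({ length: 10 }, (_, i) => ({ type: "f", ip: "198.51.100.7", date: at(i) })),
  ...Array.from({ length: 12 }, (_, i) => ({ type: "fu", ip: "192.0.2.9", date: at(i * 30) })),
  { type: "limit_wc", ip: "203.0.113.5", date: at(5) },
  { type: "fp", ip: "203.0.113.5", date: "not-a-date" }, // malformed, ignored
];

console.log(flaggedIpsPerMetric(SAMPLE_EVENTS));
```

The sliding window is the stricter reading of the rule; if you find your counts run lower than the Security Center's, try fixed calendar-hour buckets instead and compare.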

Exciting Enhancements Now Live in Multiple Custom Domains (MCD) Early Access

We are thrilled to announce a significant expansion of capabilities within the Multiple Custom Domains (MCD) Early Access program for Enterprise customers.

This update delivers powerful branding and white-labeling capabilities with improved flexibility to scale your identity solution from a single Auth0 tenant.

  • Search and filter custom domains via Management APIs and Dashboard to simplify administration.
  • Pixel-perfect branding using ACUL to associate unique asset bundles directly with individual custom domains.
  • Ensure brand consistency by customizing Email and Phone Templates based on the custom domain context.
  • Build tailored, conditional logic using the custom domain name and metadata directly within Actions.

Please refer to the Auth0 docs for details: Multiple Custom Domains.

These updates are available automatically to the current participants in the MCD Early Access program. If you're interested in joining the MCD Early Access program, please send a request through the Auth0 Support Center and contact your Technical Account Manager (TAM) or Auth0 Sales Executive.

added

New Dynamic Client Registration (DCR) Scope Added to Tenant ACL

Auth0 has added a Dynamic Client Registration (DCR) scope to the Tenant Access Control List (ACL).

This enhancement allows administrators to control access to the /oidc/register endpoint based on a variety of network and client signals, helping prevent unauthorized or automated client creation.

Configuration is available via the Management API.

Learn more about the Tenant Access Control List in our online documentation.

added

Actions - TypeScript Definitions in NPM

We are excited to announce that Actions Types are now available on npm as @auth0/actions.

This npm library provides TypeScript definitions for Auth0 Actions.

Developers can use this library for:

  • IDE / Code Editor Assistance: By referencing this library, IDEs and code editors can help developers with autocompletion, object and function definitions, and error checking.
  • TypeScript Development: This library enables Actions development in TypeScript, which can then be built and deployed to Actions as CommonJS.
  • Unit Testing Improvements: This library allows developers to follow best practices and to improve their Unit Testing based on TypeScript definitions.
  • AI Actions Generation: Gives AI assisted IDEs the context they need to generate more accurate and secure Actions code.

Docs: Learn more at Actions NPM Docs and Actions Unit Test Docs.

New Management API endpoints to configure Bot Detection settings

Auth0 now provides Management API endpoints to manage Bot Detection configuration!

Key Capabilities:

  • Bot Detection Controls: Automate adjustments to the Bot Detection Level (low, medium, or high) and manage your trusted IP AllowList via API.
  • Challenge Policies: Programmatically control CAPTCHA enforcement for password, passwordless, and password reset flows (options: always, when risky, or never).
  • CAPTCHA Management: Fully manage your CAPTCHA provider selection and configuration, including Auth0’s native challenge or third-party solutions.

To learn more about the new Bot Detection API endpoints, check out our online documentation.

Add Session Metadata to Auth0 Sessions

As part of Continuous Session Protection, you can now attach custom key–value data to a user’s session using Actions or the Auth0 Management API. This allows enterprise customers to persist contextual data (such as device name, organization ID, or custom flags) throughout the session lifecycle.

Session Metadata:

  • Enables storing and retrieving custom metadata directly within Auth0 sessions
  • Can be set in Post-Login Actions using api.session.setMetadata(key, value) and accessed through event.session.metadata
  • Is available via the Management API for reading, updating, or evicting metadata during the session’s lifetime
  • Can be automatically included in OIDC Back-Channel Logout tokens, enabling downstream systems to receive the same metadata context

This feature expands session extensibility, allowing richer integrations, stronger audit trails, and personalized session behavior across applications.

Availability:

Session Metadata is available to Enterprise tenants in Early Access. To enable this feature, reach out to your Technical Account Manager or open a Support Ticket.

Learn more: Session Metadata Documentation

added

Google Workspace Inbound User Directory Sync Beta

We’re excited to introduce Google Workspace User Directory Sync, now available as part of our Beta program.

This feature allows organizations to automatically synchronize users from their Google Workspace directory into Auth0 - ensuring user data stays accurate and up to date without relying on login events.

What’s New:

  • Automated user synchronization: Automatically sync user profiles from your Google Workspace Enterprise connection into Auth0.
  • Flexible sync cadence: Choose between manual on-demand syncs or automatic syncs that run every 30 minutes.
  • Custom attribute mapping: Map Google Workspace user attributes to Auth0 user profile fields for full control over data consistency.
  • Management API support: Configure, update, retrieve, or delete your Directory Sync settings programmatically - with Postman collection templates included.

Why It Matters: This enhancement eliminates the need for users to log in before their profiles are updated in Auth0, reducing data drift and simplifying identity lifecycle management.

How to Get Started: To join the Beta program and access Google Workspace User Directory Sync, complete the Beta Terms & Conditions form and contact your Auth0 Account Team to request activation and supporting documentation.

Version 202544

deprecated

Prompt for Organization Name Without SSO

Login flows initiated in the context of client applications associated with business users (organization_usage=require) and configured to prompt for the organization at the start of the login flow (organization_require_behavior=pre_login_prompt) will consider an existing authenticated session and allow single sign-on (SSO).

The previous behavior where these flows disregarded SSO is deprecated. We have provided additional information and timelines for enforcing this change across tenants through a dashboard and support center notification.

added

New Private Cloud Region in Thailand

Auth0's Private Cloud footprint is expanding again, this time to the AWS Asia Pacific Thailand Region!

This launch plants our secure identity infrastructure in the heart of one of Southeast Asia's largest digital economies. Customers in the region can now leverage this new presence for significantly reduced latency and enhanced performance. It also provides a robust, in-country solution for organizations managing their data governance and sovereignty objectives.

We are excited to support the rapid growth of Thailand's booming e-commerce, fintech, and digital service sectors with this new deployment.

Organization Discovery by Domain now in Early Access!

We’re excited to announce Organization Discovery by Domain, a new capability that makes enterprise login smarter and more seamless. Together with Prompt for Organizations, it automatically identifies a user’s Organization before authentication, using either their email or organization name — eliminating the need for guessing, manual routing, or dealing with misspellings.

Smarter Login Experience: Users can now enter either their organization name or work email on the Prompt for Organization screen. If the Organization has a verified domain, Auth0 detects the Organization instantly, loads the correct branded login, and routes the user to the right IdP.

Verified Domains: Tenant admins can now associate one or more verified domains with each Organization using the new Domains tab. Verified domains power automatic organization detection and ensure HRD (Home Realm Discovery) runs only against that Organization’s enabled connections.

Unified Enterprise Login Flow: This update enhances the Prompt for Organization experience for both Business and Both (Business + Individual) app types, unifying login flows across personal and enterprise users.

Availability: Rollout is happening now. No opt-in is required; it’s ready as soon as it appears in your tenant.

Learn more about Organization Discovery by Domain in our product documentation.

By using Organization Discovery by Domain, you agree to the applicable Free Trial terms in Okta’s Master Subscription Agreement and Okta’s Privacy Policy during use of the Early Access feature. The Free Trial terms can be found within the Master Subscription Agreement at Legal Agreements | Okta.

added

Ignore Duplicate Writes and Missing Deletes in Auth0 FGA

We've enhanced the Auth0 FGA Write API endpoint to help streamline imports and reduce errors. You can now use two new optional parameters:

  • on_duplicate: "ignore": This will gracefully skip any write operations for relationship tuples that already exist.
  • on_missing: "ignore": This will gracefully skip any delete operations for relationship tuples that do not exist.

Previously, these common conditions would cause the entire Write request to fail. These new parameters prevent unnecessary failures, eliminating the need for complex client-side retry logic and improving import performance.

This feature is available now via the API and our latest SDKs.

Learn more about Writing Tuples in FGA from our product documentation or API Reference.
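To show how the two parameters fit into a bulk import, here is an added example (not Auth0's or OpenFGA's code) that dedupes an import client-side, splits it into request bodies, and marks each body so that re-running the import is safe. It assumes the request body shape of the OpenFGA Write API (`writes.tuple_keys`, `deletes.tuple_keys`, `authorization_model_id`), places `on_duplicate` inside `writes` and `on_missing` inside `deletes`, and uses placeholders for the API URL, store id and model id; the per-request tuple limit is an assumption too.

```javascript
// Added example (not Auth0's code): an idempotent bulk import for Auth0 FGA
// using the on_duplicate / on_missing write parameters.
// Assumptions (not from the changelog): OpenFGA-style Write body layout,
// on_duplicate inside `writes` and on_missing inside `deletes`, placeholder
// endpoint/store/model ids, and a 100-tuple-per-request limit.

const FGA_API_URL = "https://api.<region>.fga.dev"; // placeholder
const STORE_ID = "<your-store-id>";                  // placeholder
const MODEL_ID = "<your-authorization-model-id>";    // placeholder
const MAX_TUPLES_PER_WRITE = 100; // assumed per-request limit; check the API reference

function tupleKey(user, relation, object) {
  for (const [name, value] of Object.entries({ user, relation, object })) {
    if (typeof value !== "string" || value.length === 0) throw new TypeError(`${name} must be a non-empty string`);
  }
  if (!object.includes(":")) throw new TypeError(`object must be "type:id", got "${object}"`);
  return { user, relation, object };
}

// Drop exact duplicates inside one import before they reach the API.
function dedupe(tuples) {
  const seen = new Set();
  return tuples.filter((t) => {
    const key = `${t.user}#${t.relation}@${t.object}`;
    if (seen.has(key)) return false;
    seen.add(key);
    return true;
  });
}

// Split an import into request bodies. With ignoreConflicts=true each body
// carries on_duplicate:"ignore" for writes and on_missing:"ignore" for deletes,
// so re-running the import is safe; with false the previous behaviour applies
// and a duplicate write or a missing delete fails the whole request.
function buildWriteRequests({ writes = [], deletes = [], ignoreConflicts = true, modelId = MODEL_ID, batchSize = MAX_TUPLES_PER_WRITE }) {
  const items = [
    ...dedupe(writes).map((t) => ({ kind: "writes", tuple: t })),
    ...dedupe(deletes).map((t) => ({ kind: "deletes", tuple: t })),
  ];
  const requests = [];
  for (let i = 0; i < items.length; i += batchSize) {
    const body = { authorization_model_id: modelId };
    for (const { kind, tuple } of items.slice(i, i + batchSize)) {
      if (!body[kind]) {
        body[kind] = { tuple_keys: [] };
        if (ignoreConflicts) body[kind][kind === "writes" ? "on_duplicate" : "on_missing"] = "ignore";
      }
      body[kind].tuple_keys.push(tuple);
    }
    requests.push(body);
  }
  return requests;
}

async function sendWriteRequests(requests, token, fetchImpl = globalThis.fetch) {
  const url = `${FGA_API_URL}/stores/${STORE_ID}/write`;
  for (const body of requests) {
    const res = await fetchImpl(url, {
      method: "POST",
      headers: { "content-type": "application/json", authorization: `Bearer ${token}` },
      body: JSON.stringify(body),
    });
    if (!res.ok) throw new Error(`FGA write failed: HTTP ${res.status} ${await res.text()}`);
  }
}

// Constructed sample import: one duplicate write and one delete that may not exist.
const SAMPLE_IMPORT = {
  writes: [
    tupleKey("user:anne", "viewer", "document:roadmap"),
    tupleKey("user:bob", "editor", "document:roadmap"),
    tupleKey("user:anne", "viewer", "document:roadmap"), // duplicate, removed client-side
  ],
  deletes: [tupleKey("user:carol", "viewer", "document:roadmap")],
};

console.log(JSON.stringify(buildWriteRequests(SAMPLE_IMPORT), null, 2));
```

Client-side deduping and the `ignore` flags are complementary: the former keeps a single request internally consistent, the latter makes the import safe to replay after a partial failure.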

added

New Sign in with Shop Social Connection

Auth0 now supports Sign in with Shop, a new social login integration designed for Shopify merchants. This feature allows merchants to offer customers a familiar authentication option using their existing Shop accounts. This new integration provides:

  • Streamlined Experience: Customers can sign in using their existing Shop credentials, reducing friction and simplifying account access.
  • Consistent User Journey: Enables a unified sign-in experience for customers already accustomed to Shopify’s ecosystem.
  • Expanded Capabilities: Combines the trusted Shopify experience with Auth0’s advanced identity features — including enhanced security, single sign-on (SSO), customizable branding, and extensibility.

Get started today with our quick start guide to connect your Shopify store to Auth0 and our built-in Sign in with Shop social integration.

Upcoming Changes when using Non-Verifiable Callback URIs

To enhance security and mitigate the risks of application impersonation and phishing attacks, we recommend transitioning to HTTPS-based callbacks using Android App Links and Apple Universal Links whenever possible. In addition, we are introducing a change in how the service handles custom URI schemes and loopback URIs as callbacks.

More specifically, for authentication requests specifying a custom URI scheme or a loopback URI as the callback, we are introducing a login confirmation prompt used in scenarios that would previously return a response without requiring user interaction. For example, in a single sign-on (SSO) scenario, if authentication request requirements can be satisfied from an existing authenticated session, the service will display the new login confirmation prompt instead of seamlessly returning a response to the specified custom URI scheme / loopback URI callback.

Additionally, authentication requests including prompt=none will be rejected when Applications use non-verifiable callback URIs and are configured to use the new login confirmation prompt.

Review the User Confirmation Prompt section of Measures Against Application Impersonation to learn more about the new prompt.

Tenants created before October 15, 2025, maintain the previous behavior as the default until April 28, 2026. After the October cutoff date, newly created tenants may default to displaying the new login confirmation prompt with some exceptions due to each environment's deployment schedule. For any tenant maintaining the previous behavior, we recommend you opt in beforehand to use the new behavior. Alternatively, you can opt out of using the additional confirmation prompt if strictly required. Additional information on this situation is available at Migrate to Custom URI Scheme Redirect End-User Confirmation.
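Before the cutoff dates it helps to know which of an application's configured callbacks fall under the new behaviour. The following added example (not Auth0's code) classifies callback URIs as custom-scheme, loopback or HTTPS and reports which ones would see the confirmation prompt and lose `prompt=none`. The classification rules are this editor's reading of the announcement: loopback hosts are taken to be 127.0.0.1, [::1] and localhost (RFC 8252 loopback redirects), and an HTTPS URL is treated as a verifiable App Link / Universal Link candidate without checking whether the domain is actually verified with the platform.

```javascript
// Added example (not Auth0's code): audit configured callback URIs against the
// "non-verifiable callback" rules described in the announcement.
// Assumed rules (editor's reading, not Auth0's implementation):
//   custom-scheme: any scheme other than http/https, e.g. com.example.app://callback
//   loopback:      http(s) to 127.0.0.1, [::1] or localhost
//   https:         https URL to a real host (App Links / Universal Links form;
//                  platform domain verification is NOT checked here)
const LOOPBACK_HOSTS = new Set(["127.0.0.1", "[::1]", "localhost"]);

function classifyCallback(uri) {
  let url;
  try {
    url = new URL(uri);
  } catch {
    return { uri, kind: "invalid", verifiable: false };
  }
  const scheme = url.protocol.slice(0, -1).toLowerCase(); // "https:" -> "https"
  if (scheme !== "http" && scheme !== "https") return { uri, kind: "custom-scheme", verifiable: false };
  if (LOOPBACK_HOSTS.has(url.hostname.toLowerCase())) return { uri, kind: "loopback", verifiable: false };
  if (scheme === "https") return { uri, kind: "https", verifiable: true };
  return { uri, kind: "http", verifiable: false }; // plain http to a remote host
}

// Per the announcement, prompt=none is rejected when the application uses a
// non-verifiable callback and is configured to show the new confirmation prompt.
function promptNoneAllowed(uri, confirmationPromptEnabled) {
  return classifyCallback(uri).verifiable || !confirmationPromptEnabled;
}

function auditCallbacks(uris, confirmationPromptEnabled = true) {
  const rows = uris.map((u) => ({
    ...classifyCallback(u),
    promptNoneAllowed: promptNoneAllowed(u, confirmationPromptEnabled),
  }));
  return {
    affected: rows.filter((r) => !r.verifiable),   // will get the confirmation prompt
    unaffected: rows.filter((r) => r.verifiable),
  };
}

// Constructed sample list of callbacks as they might appear in an app's settings.
const SAMPLE_CALLBACKS = [
  "https://app.example.com/callback",
  "com.example.app://callback",
  "http://127.0.0.1:8080/callback",
  "http://[::1]:3000/callback",
];

console.table(auditCallbacks(SAMPLE_CALLBACKS).affected);
```

Running this over each application's callback list gives you the set of apps to test with the prompt opted in, and flags any silent-refresh (`prompt=none`) flows that need a different approach once the prompt is enforced.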

updated

Enhanced Signup Bot Detection for Stronger Security and Seamless User Experience

We’ve improved our machine learning (ML) model for signup to deliver stronger protection against automated account creation while keeping friction low for legitimate users.

Note: This update applies only to the signup flow. There are no changes to the ML models used for bot detection in login or password reset flows.

Highlights of this update include:

  • Expanded detection signals:
    The model now leverages user-agent–based signals, such as operating system and browser version data, to more accurately distinguish between human and automated signup attempts.

  • Smarter traffic classification:
    An updated labeling strategy improves how the model differentiates between malicious and legitimate signup activity, helping it adapt more effectively to evolving attack patterns.

  • Optimized sensitivity settings:
    Adjusted detection thresholds capture a broader range of bot activity while maintaining a low false positive rate, ensuring a smooth experience for valid users.

What this means for you

These enhancements strengthen the signup protection capabilities of Attack Protection, enabling more effective detection of automated signup attempts without adding unnecessary friction for real users.

The rollout is in progress for all Enterprise customers with the Attack Protection add-on and will complete over the coming weeks in line with individual release schedules.

For configuration guidance or to learn more about protecting your signup flows, please refer to our documentation or contact your account team.

Auth0 Events Catalog Explorer Now Available

As part of the Early Access launch of Event Streams, there is now an Events Catalog explorer available in Auth0 Docs to better guide you on the details of each Event, including examples. The Event Streams feature allows you to discover completed changes to Auth0 Users and Organizations as they happen. You can do this by:

  • Creating an Event Stream in the Manage Dashboard or the Management API
  • Configuring the Event Streams with the desired destination (Webhook or Amazon EventBridge) and selecting the events to receive

View the new Event Catalog Explorer here: https://auth0.com/docs/events/

Learn more about Event Streams here: https://auth0.com/docs/customize/events

added

FGA Logging API Now Generally Available

The Auth0 FGA Logging API is now Generally Available (GA). This dedicated endpoint provides a comprehensive audit trail for every interaction with the FGA system. You can now programmatically retrieve detailed logs for auditing, debugging, and monitoring.

  • Strengthen Audit & Compliance: Retrieve a complete audit trail for all public FGA APIs, including permission changes, access checks, and model updates, to verify who accessed resources and when.
  • Accelerate Troubleshooting & Monitoring: Gain granular insight into API operations to debug issues faster and proactively monitor for unusual activity. Use powerful Lucene query syntax to filter logs by user, IP address, status code, and more.
  • Centralize Your Logs: Easily export log data to your preferred SIEM, log management, or analytics tools to centralize your security and operational visibility.

The FGA Logging API is available for all paid-tier customers. For more information, please read the Auth0 FGA Logging API documentation.

added

Auth0 Nuxt SDK Beta

The first public beta of the Auth0 Nuxt SDK is now available for developers building web apps on the Nuxt framework!

Key Highlights

  • Idiomatic Nuxt 3 Experience: Simple, composable functions (useAuth0) that feel native to Nuxt developers, dramatically reducing time-to-first-login.
  • Advanced Security Out-of-the-Box: We've included support for the latest security standards from day one, including PAR, RAR, and Backchannel Logout.
  • Powerful API Authentication: Seamlessly obtain tokens for backend APIs using the TokenVault integration.

Resources

Here are the helpful resources to explore the new Nuxt SDK and get started:

This SDK is still in Beta and we need your feedback! Please share any feedback, questions or comments on GitHub.

upcoming deprecation

Audience Validation for Private Key JWT Client Authentication

When validating JWT assertions used for client application authentication, Auth0 will impose stricter requirements and accept only a tenant's issuer identifier as a single JSON string value in the "aud" (audience) claim.

The possibility of providing an "aud" claim with either one of the approaches listed below is deprecated, and at a future date will cause the service to consider such JWT assertions invalid:

  • A JSON array of strings, provided that one of the entries contains a valid issuer identifier or endpoint URL for the respective tenant and endpoint the client authenticates against.
  • A single JSON string representing a valid endpoint URL for the respective tenant and endpoint the client authenticates against.

OIDC enterprise connections configured to use Private Key JWT in authenticated requests to the upstream identity provider will also be able to use the applicable issuer identifier represented as a JSON string in the "aud" claim included in JWT assertions.

We have provided additional information and timelines for enforcing this change across tenants through a dashboard and support center notification.

added

Easily Update Your Firewall with the New IP Allow List

We are excited to announce an improvement that makes it faster and easier for you to keep your firewall configurations up-to-date.

Our IP allow list for Auth0's Public Cloud regions is now available in a standardized, machine-readable format. This new format is designed to help you automate updates and ensure the most accurate configuration for your firewall.

What this means for you:

  • Automation: You can now programmatically fetch and parse the list, eliminating the need for manual updates.
  • Accuracy: The structured data ensures you're always using the latest and most accurate IP addresses.
  • Clarity: The changelogs highlight specific additions and removals, so you can easily see what has been updated.

You can access this information at: https://cdn.auth0.com/ip-ranges.json

For more details, please see our documentation on IP allow list.
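One way to put the machine-readable list to work is to diff each fetch against the copy you applied to the firewall last time. The following is an added example, not Auth0's code: since this changelog does not describe the document's layout, the walker collects CIDR strings from any nesting depth rather than assuming a schema, and the two snapshots used to demonstrate the diff are constructed from documentation address ranges.

```javascript
// Added example (not Auth0's code): fetch the Auth0 IP allow list and diff it
// against the previously applied copy. The JSON layout is not assumed; every
// CIDR-looking string anywhere in the document is collected.

const IP_RANGES_URL = "https://cdn.auth0.com/ip-ranges.json";

// Accept "a.b.c.d/n" with octets <= 255 and n <= 32, or an IPv6 "addr/n" with n <= 128.
function isCidr(value) {
  const m = /^(.+)\/(\d{1,3})$/.exec(value);
  if (!m) return false;
  const [, addr, prefix] = m;
  const bits = Number(prefix);
  const octets = addr.split(".");
  if (octets.length === 4 && octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255)) return bits <= 32;
  if (addr.includes(":") && /^[0-9a-f:]+$/i.test(addr)) return bits <= 128;
  return false;
}

// Walk any JSON shape and collect CIDR strings wherever they appear.
function collectCidrs(node, out = new Set()) {
  if (typeof node === "string") {
    if (isCidr(node)) out.add(node.toLowerCase());
  } else if (Array.isArray(node)) {
    for (const child of node) collectCidrs(child, out);
  } else if (node && typeof node === "object") {
    for (const child of Object.values(node)) collectCidrs(child, out);
  }
  return out;
}

function diffRanges(previousDoc, currentDoc) {
  const prev = collectCidrs(previousDoc);
  const cur = collectCidrs(currentDoc);
  const added = [...cur].filter((c) => !prev.has(c)).sort();
  const removed = [...prev].filter((c) => !cur.has(c)).sort();
  return { added, removed, unchanged: cur.size - added.length };
}

async function fetchRanges(fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(IP_RANGES_URL, { headers: { accept: "application/json" } });
  if (!res.ok) throw new Error(`HTTP ${res.status} fetching ${IP_RANGES_URL}`);
  return res.json();
}

// Typical use: load the snapshot saved at the last firewall change, fetch the
// live document, and apply `added` / `removed` to the allow list.
async function checkForChanges(previousDoc, fetchImpl) {
  return diffRanges(previousDoc, await fetchRanges(fetchImpl));
}

// Constructed snapshots (documentation ranges); the real file's layout may differ.
const PREVIOUS_SNAPSHOT = { ranges: ["198.51.100.0/24", "203.0.113.0/25", "2001:db8::/32"] };
const CURRENT_SNAPSHOT = {
  ranges: ["198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32"],
  extra: { note: "not an address", cidr: "192.0.2.0/24" },
};

console.log(diffRanges(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT));
```

Treat a non-empty `removed` list with the same care as `added`: dropping a range that Auth0 still uses is the failure mode that breaks logins, so apply removals only after the published changelog confirms them.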

Akamai Supplemental Signals is Now in Early Access

We’re excited to announce the Early Access release of Akamai Supplemental Signals. This feature allows Auth0 Enterprise customers who have Akamai configured as a reverse proxy in front of Auth0 to forward signals from Akamai Bot Manager and Akamai Account Protector into Auth0.

With this integration, you can enrich your authentication flows with supplemental signals from Akamai, make more dynamic security decisions in post-login Actions, and gain visibility through tenant logs.

Key Benefits

  • Combined Risk Context: Leverage Akamai’s bot and user risk signals together with Auth0’s risk assessment for a more complete view of login risk.

  • Adaptive Security Controls: Combine Akamai and Auth0 risk signals to trigger MFA, deny sessions, or revoke access based on risk indicators.

  • Seamless Integration: Configure Akamai to forward signals and use them immediately in post-login Actions and tenant logs.

Availability

  • Available to all Enterprise customers using Akamai as a reverse proxy in front of Auth0.

  • Currently in Early Access.


added

Additional Signing Algorithms for OIDC and Okta Enterprise Connections in Limited Early Access!

We’re thrilled to introduce the Limited Early Access release of Additional Signing Algorithm for Okta and OIDC enterprise connections! This release expands flexibility for both Private Key JWT client authentication and ID token verification by adding support for stronger signing algorithms beyond RS256, including:

  • RS512
  • PS256
  • ES256

For Private Key JWT, Auth0 now lets you choose which algorithm is used to sign client assertion JWTs when authenticating requests to an upstream IdP. For ID token verification, Auth0 can validate tokens signed with a wider set of algorithms, ensuring compatibility across OIDC flows. Together, these enhancements give customers more control over cryptographic choices, making it easier to align with security policies and adapt as standards evolve.

This release is currently rolling out to all environments. To enable the Additional Signing Algorithms Limited Early Access release in your Auth0 tenant once available in your environment, please contact your Technical Account Manager to request access.

updated

React Native SDK v5.0 (GA)

We are excited to announce the release of the Auth0 React Native SDK v5, a foundational rewrite designed to provide a best-in-class developer experience for one of the world's most popular mobile frameworks. This major update delivers a simpler, more powerful way to integrate secure authentication into your React Native applications while ensuring compatibility with the latest evolution of the ecosystem.

Highlights:

  • Stay on the Cutting Edge of React Native: Deploy with confidence knowing your authentication layer is ready for the future. The SDK is fully compatible with React 19 and Expo 53, and now includes Beta support for React Native's New Architecture (Turbo Modules). This allows you to leverage the latest performance and UI capabilities of the ecosystem without compromising on security.
  • Accelerate Development with a Better DX: We've refactored the entire SDK from the ground up to create a more intuitive and efficient developer experience. With a simpler API surface, unified cross-platform error handling, and an Android layer rewritten in modern Kotlin, you can integrate Auth0 faster and spend less time debugging.
  • Build for More Platforms with react-native-web: The new, robust architecture enables first-class support for react-native-web. Now you can share more of your authentication logic between your native mobile and web applications, streamlining development and ensuring a consistent user experience everywhere.

Get Started Today. The Auth0 React Native SDK v5 is now generally available.

As a major version release, v5 includes breaking changes aimed at improving the long-term health and usability of the SDK. To upgrade, please consult our comprehensive Migration Guide to v5.

For a full list of new features, improvements, and breaking changes, view the complete release notes on GitHub.

Ephemeral Sessions with Actions (Public EA)

As part of the Continuous Session Protection, you can now configure ephemeral (non-persistent) sessions using Actions. This allows enterprise customers to dynamically control whether a session is stored in a persistent cookie or only in memory.

Ephemeral sessions:

  • Exist only in memory and are cleared when the browser or app is closed
  • Are ideal for high-sensitivity workflows such as step-up authentication or use on public devices
  • Can be configured per session using api.session.setCookieMode("non-persistent") in post-login Actions

This feature is available to all Enterprise tenants in Public Early Access and requires no enrollment.

Learn more: https://auth0.com/docs/manage-users/sessions/sessions-with-actions#set-session-persistence-with-actions and https://auth0.com/docs/manage-users/sessions/session-lifecycle
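Both Continuous Session Protection features announced on this page (Session Metadata with `api.session.setMetadata` / `event.session.metadata`, and ephemeral sessions with `api.session.setCookieMode("non-persistent")`) are used from the same Post-Login Action, so one example covers both. The following is an added example, not Auth0's code: the "shared device" heuristic, the metadata key names, the use of string values, and the `createMockApi` / `runAction` harness that stands in for the Actions runtime are all assumptions made for this example.

```javascript
// Added example (not Auth0's code): a Post-Login Action that records session
// metadata and switches to a non-persistent session for sensitive logins.
// Assumptions: the shared-device heuristic, the metadata key names, string
// metadata values, and the local mock harness at the bottom.

const MFA_ACR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor";

// Decide whether this login should get an in-memory (non-persistent) session.
// Assumed signals: an application marked shared_device in its client metadata,
// or a step-up request carrying the multi-factor ACR value.
function shouldBeEphemeral(event) {
  const meta = (event.client && event.client.metadata) || {};
  const acr = (event.transaction && event.transaction.acr_values) || [];
  return meta.shared_device === "true" || acr.includes(MFA_ACR);
}

const onExecutePostLogin = async (event, api) => {
  const ephemeral = shouldBeEphemeral(event);
  const orgId = event.organization ? event.organization.id : "none";

  // Persist context for the rest of the session; later Actions, the
  // Management API and Back-Channel Logout tokens can read it back.
  api.session.setMetadata("org_id", orgId);
  api.session.setMetadata("login_ip", event.request.ip);
  api.session.setMetadata("ephemeral", String(ephemeral));

  if (ephemeral) {
    // The session lives in memory only and is gone when the browser/app closes.
    api.session.setCookieMode("non-persistent");
  }
};
if (typeof exports !== "undefined") exports.onExecutePostLogin = onExecutePostLogin;

// Reader for a later Action in the same flow (assumed key name).
function isEphemeralSession(event) {
  return Boolean(event.session && event.session.metadata && event.session.metadata.ephemeral === "true");
}

// --- Local harness (assumption: mimics only the two api.session calls used above) ---
function createMockApi() {
  const state = { metadata: {}, cookieMode: null };
  return {
    state,
    session: {
      setMetadata: (key, value) => { state.metadata[key] = value; },
      setCookieMode: (mode) => { state.cookieMode = mode; },
    },
  };
}

async function runAction(event) {
  const api = createMockApi();
  await onExecutePostLogin(event, api);
  return api.state;
}

// Constructed sample events (documentation IPs).
const KIOSK_LOGIN = { client: { metadata: { shared_device: "true" } }, request: { ip: "203.0.113.5" }, transaction: {} };
const NORMAL_LOGIN = {
  client: { metadata: {} },
  organization: { id: "org_example" },
  request: { ip: "198.51.100.7" },
  transaction: { acr_values: [] },
};

runAction(KIOSK_LOGIN).then((state) => console.log("kiosk:", state));
runAction(NORMAL_LOGIN).then((state) => console.log("normal:", state));
```

Writing the `ephemeral` decision into metadata as well as applying it means the choice is visible to downstream consumers (Management API reads, Back-Channel Logout tokens) rather than living only in the cookie mode.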

(Screenshot: using Ephemeral Sessions with Actions to configure Keep Me Signed In.)

Organizations Support for Native Passkeys

You can now use Organizations with your native passkey flows! User sign-in and registration flows can now pass the organization to complete sign-up in the organization context. As with Universal Login flows, auto-enrollment into an organization during sign-in is also supported.

Organizations Support for Native Passkeys is in Limited EA - reach out to your Auth0 contact to get started today.

To get started with Passkey APIs and use them with Organizations, please see our documentation or read our blog for getting started with native applications.

Native Passkey Management Now Available On MyAccount

We’re very excited to announce the availability of Native Passkey Management, extending the management of authentication methods using APIs. Customers can now delete passkeys using APIs and list all enrolled authentication methods for a user.

Customers can build end-to-end management of the passkeys directly into their native applications.

Native Passkey Management is in Limited EA - reach out to your Auth0 contact to get started today.

To get started with MyAccount, please read our documentation.

Cross App Access (XAA) for Resource Applications is now in Beta

We're excited to announce that Cross App Access (XAA) for Resource Applications is now in Beta.

Connecting AI Agents and Third Party Apps in an enterprise introduces two key challenges: poor IT visibility into data sharing and repetitive user consent flows. Cross App Access (XAA) solves this by enabling IT teams to centralize control over these connections, eliminating constant user consent prompts and providing better governance and visibility into data sharing.

This new feature provides built-in support for SaaS providers to get their APIs ready for secure connection by AI Agents and other SaaS Apps in enterprise environments. No code changes are needed: simply configure the feature in your Auth0 tenant to instantly support central policy enforcement and a seamless user experience.

This Beta release is for testing purposes only.

To learn more, read our documentation.

Self-Service User Provisioning now in Early Access!

We’re excited to share that we've expanded the Self-Service SSO experience with User Provisioning (SCIM). Now your customers’ IT teams can manage user onboarding and offboarding directly, reducing manual work for you. This feature is currently in Early Access.

Smarter Provisioning: Your customers can now configure SCIM directly in the Self-Service SSO wizard, streamlining setup and reducing time-to-value.

Unified User Data: This release introduces User Attribute Profiles (UAP), a standardized way to map, normalize, and sync user attributes across identity protocols (SAML, OIDC, SCIM) and Auth0’s Self-Service SSO feature. This ensures consistent data handling across integrations and simplifies ongoing maintenance. Furthermore, when using UAP with the Self-Service Profile and Self-Service SSO, those mappings are now used to populate the Enterprise Connection Mapping object in Auth0.

Key Benefits

  • Automation: Delegate SCIM setup to your customers’ admins
  • Interoperability: Works seamlessly across varied IdPs
  • Consistency: One schema for easier debugging and support
  • Flexibility: Override mappings per protocol when needed

Rollout is happening now. No opt-in is required; it’s ready as soon as it appears in your tenant.

Learn more about Self-Service and User Attribute Profile in our product documentation.

By using Self-Service User Provisioning, you agree to the applicable Free Trial terms in Okta’s Master Subscription Agreement and Okta’s Privacy Policy during use of the Early Access feature. The Free Trial terms can be found within the Master Subscription Agreement at Legal Agreements | Okta.

updated

Auth0 Support Center - Now Enhanced

A new and improved Auth0 Support Center is now live. The new Auth0 Support Center is re-designed to help you find answers faster and adopt features more confidently.

Here’s what’s new:

  • Summarized solutions, fast: A single AI-powered search scans thousands of support resources and learning content and delivers a single answer tailored for you.
  • Unblock faster, stay ahead: The new Knowledge Base provides real-world how-tos and fixes. The Product Hub keeps you up to speed on what’s coming next.
  • Level up your skills: The Auth0 Learning Hub offers self-paced, tailored learning paths and plans to help you build skills and feature mastery.

Ready to try it out? Head to the Auth0 Support Center and explore for yourself. A great place to begin: search for a product or feature you’re working on and see how the new search delivers fast, tailored answers.

Want to learn more? Check out the YouTube video and Knowledge Base article.

updated

Auth0 Teams: Streamlined Team Member Invitations with Pre-assigned Tenant Access (Early Access)

We're excited ✨ to announce a significant enhancement to Auth0 Teams that simplifies and accelerates the onboarding process for your team members. This new feature, Pre-tenant Assign in Team Invitations, reduces the steps required to get your team members productive faster.

The Challenge We Solved ⁉️:

Previously, inviting a new team member and granting them tenant access was a multi-step process: invite, acceptance, then manual tenant assignment.

What's New 🎉:

You can now combine these steps into a single action. When inviting a new team member, an optional step in the invitation modal allows you to pre-select the tenants and associated roles the invitee should automatically access upon accepting the invitation.

Key Benefits for Your Team ✅:

  • One-Step Onboarding: Reduce administrative overhead by combining invitation and tenant access assignment into one efficient workflow.
  • Immediate Access: Invitees gain immediate access to pre-assigned tenants upon accepting the invitation, eliminating waiting periods.
  • Improved Auditability: Team Activity logs now record "Invitation accepted" events for better visibility, along with tenant member event detail logs.

This feature empowers Team Owners to onboard administrators and contributors effortlessly, ensuring they have the right access from day one.

Availability 🍾: Available in Early Access to Enterprise Customers, with General Availability coming soon.

Don't have Teams enabled yet? See the documentation on how to enable Auth0 Teams.

Tenant Access Control List (ACL) is Now Generally Available

We’re excited to announce the General Availability of Tenant Access Control List (ACL), a security feature that helps you control who can access your tenant.

With Tenant ACL, you can create custom lists to allow, block, or redirect requests based on predefined signals – strengthening security and optimizing performance.

Key Benefits

  • Reduce Attack Surface: Block malicious traffic before it reaches your tenant
  • Enhance Security: Enforce access policies based on IPs, geolocation, user agents, ASN, and more
  • Optimize Performance: Redirect traffic to improve user experience

What’s New in GA

  • Enterprise customers: Create one Tenant ACL list
  • Attack Protection add-on customers: Create up to 10 Tenant ACL lists
  • Dashboard support: View, enable, and disable ACL lists directly from the Auth0 Dashboard

Learn More

updated

Bulk User Import / Export Now Available in the Management Dashboard

We are excited to share that Bulk User Import / Export is now available for everyone directly in the Auth0 Management Dashboard!

What’s New:

  • Streamlined experience: submit import / export jobs directly in the Dashboard UI - no Extension management required
  • Expanded RBAC support: now available to tenant members with Editor - Users Role in addition to Admin
  • Bulk update existing users: upserting pre-existing users in a connection is now available for manual import jobs
  • Export as a sample: quickly validate export file structure and field naming by exporting a sample file of 10 users

Deprecation Notice: The Bulk Import / Export Extension will reach end of life in October 2025. We recommend switching to the new Dashboard experience as soon as possible.

For more information on the new Import/Export UI, please refer to Bulk User Import / Export in the Auth0 docs.

API Access Policies for Applications now available in Early Access

We're excited to announce that API Access Policies for Applications is now in Early Access for all Auth0 customers and is fully supported for production use.

This feature enables you to control how applications access your APIs registered in Auth0. You can configure separate application API access policies for user access and client (machine-to-machine) flows, giving you declarative, granular, and easy-to-reason-about control over which applications can obtain an access token for a specific API. For instance, with the require_client_grant policy, you can ensure that only explicitly authorized applications can get tokens, even during user flows. This strengthens your security posture by preventing unauthorized applications from accessing sensitive API resources on behalf of a user.

To learn more, check out the documentation.

added

Announcing Dry Run for the Auth0 Deploy CLI

One of the most requested features for the Auth0 Deploy CLI is here: you can now preview your deployment changes before applying them.

Say goodbye to deployment anxiety. With the new --dry-run flag, you can get a detailed summary of exactly what resources will be created, updated, or deleted before you run an import. This brings the confidence of infrastructure-as-code practices like terraform plan to your Auth0 tenant management.

Get started by simply adding the --dry-run flag to your import command to see a safe preview of your changes.

This will help you and your team:

  • Deploy with Confidence: Eliminate uncertainty by verifying the exact impact of your changes.
  • Prevent Unintended Changes: Catch potential issues and avoid accidental modifications to critical production resources.
  • Improve Collaboration: Share the dry-run output with team members for review and approval before deployment.

The Dry Run feature is now available in Early Access. Update to the latest version of the Deploy CLI to get started.

Learn More

Non-Unique Emails Now in Open Early Access

What's new:
Non-Unique Emails is now in Open Early Access and rolling out to all environments. With this feature, multiple user accounts can share the same email address within a database connection. This enables support for real-world scenarios like:

  • Parent/child accounts using a shared inbox

  • Small businesses with a single location email

  • Users managing multiple roles under one email address

Key details:

  • Rollout has just begun and will take 1–4 weeks to reach every environment.

  • Available only for new database connections.

  • Email cannot be used as a primary identifier; customers must configure username or phone number instead.

  • Email communications will still be delivered to the shared email.

  • Once enabled, the non-unique email setting is permanent.

Status:

  • This feature is production-ready.

  • No opt-in required; all customers will gain access once rollout reaches their environment.

  • GA planned for Q4 2025.

Getting started:
Customers can create a new database connection with Non-Unique Emails in the Dashboard or via the Management API. See full documentation here:
Non-Unique Emails Documentation

Auth0 Teams Tenant Member Management and SSO enforcement for Private Cloud (Beta)

We are excited to announce a major update for our Private Cloud customers, extending the powerful management and security capabilities of Auth0 Teams to your private cloud environments. This release introduces the Beta versions of Tenant Member Management and SSO Enforcement, closing the feature gap with our Public Cloud offering.

✨ New Features

Tenant Member Management (Beta) for Private Cloud:

You can now centrally manage tenant membership and roles for your team members directly from the Auth0 Teams dashboard. This feature simplifies user administration by allowing you to:

  • View and manage all tenant access from a single interface.
  • Efficiently onboard and off-board users across multiple tenants.
  • Perform bulk operations to grant or revoke access.

SSO Enforcement (Beta) for Private Cloud:

Strengthen your organization's security posture by requiring all team and tenant members to authenticate using one of your configured Enterprise Identity Provider (IdP) connections. This ensures that access to Auth0 resources is governed by your corporate identity solution.

Activity Log Integration for Tenant Management:

All operations related to Tenant Member Management (e.g., adding, updating or deleting) are now recorded in the Auth0 Teams Activity Log, providing a complete audit trail for compliance and security monitoring. (Note: now available to all Auth0 Teams customers.)

Session Revocation for Private Cloud:

Administrators now have the ability to revoke active user sessions for Private Cloud tenants, providing an immediate way to off-board users or respond to security events.

📈 Improvements

Streamlined Private Cloud User Invites:

Team members can now be invited directly to a Private Cloud tenant through the Teams interface. This removes the previous requirement of first adding the user to the configuration tenant, simplifying and accelerating the onboarding workflow.

Increased Bulk Tenant Assignment Limit:

The limit for bulk tenant assignment has been doubled, allowing you to grant or modify access to 10 tenants at once, up from the previous limit of 5.

Beta Program Information

Tenant Member Management and SSO Enforcement features for Private Cloud are being released in Beta.

Continue with Auth0 Teams

Sender-constrained tokens using DPoP are now available in Early Access.

We are delighted to announce that support for sender-constraining tokens using Demonstrating Proof of Possession (DPoP) is now available in Early Access.

Demonstrating Proof of Possession (DPoP), as defined in RFC 9449, is an application-level mechanism for binding tokens issued by Auth0 to the client application that requested them. This is implemented using asymmetric-key cryptography, with keys that are generated and managed by the client application; no public key infrastructure (PKI) is required.

Sender constraining tokens using DPoP can be used to mitigate the risk of tokens being used by unauthorised parties if they are intercepted in transit or exfiltrated from applications. This helps to:

  • enhance security by mitigating against token theft and misuse by unauthorised parties
  • improve user experience by being able to use longer-lived access tokens without significantly increasing security risk, i.e., without requiring frequent user authentication

Auth0 will be rolling out SDK support for DPoP for native applications, single page applications, backend server APIs, and Auth0 management:

  • SDKs for iOS Swift and Android Kotlin are available now.
  • SDKs for JavaScript, React, Python and more are coming soon.

To evaluate DPoP for securing your tokens, contact your Auth0 representative. For more details, check out our product documentation.

JA3 and JA4 TLS Fingerprints Now Available in Tenant Logs and Actions

We have expanded our security telemetry to include JA3 and JA4 TLS fingerprints. TLS fingerprinting is a proven technique for identifying client software based on the TLS handshake.

  • JA3 is a fingerprinting method that identifies TLS clients based on their connection parameters.
  • JA4 refines TLS fingerprinting to make client identification more stable and resilient to small variations.

These signals help customers detect and respond to malicious traffic faster, identify suspicious client behavior, and correlate related activity across changing IPs and sessions.


What’s New

Tenant Logs
JA3 and JA4 fingerprints are now logged in applicable authentication and security events such as Success Login, Failed Login, and Anomaly Detection.

Actions Integration
JA3 and JA4 fingerprints are now available in Actions for real-time, custom security responses, but only in the following triggers:

  • pre-user-registration
  • post-user-registration
  • post-login

Tenant Access Control List (ACL) Support
You can also use the Tenant Access Control List to block specific TLS fingerprints directly by adding a rule. Alternatively, you can combine JA3 and JA4 signals with Actions to apply custom business logic, such as requiring MFA or conditionally denying access.


Why It Matters

JA3 and JA4 provide a stable, high-entropy signal that is hard to spoof, helping you correlate malicious activity even across changing IPs and sessions.


Availability

Available for all Enterprise customers. Start using these signals today.

Actions - Transaction Metadata - EA

We are excited to announce that Actions Transaction Metadata is now available in Early Access.

This feature allows you to set, share, and access, custom data between Actions run in the same post-login execution.

Early Access functionality includes:

upcoming deprecation

Upcoming Removal of Legacy Management API Swagger Endpoint on September 11, 2025

Starting on September 11, 2025, we will be deprecating and removing the legacy, undocumented Management API Swagger Specification.

What is changing?

On September 11, 2025, the endpoint path /api/v2/api-docs/ will be removed. After this date, any requests made to this path will result in a 404 Not Found error.

Why are we making this change?

Please note that this endpoint and the Swagger specification it provides were never officially documented or intended for public use. The current Swagger specification available at this endpoint is unmaintained, undocumented, and does not reflect the full capabilities of our Management API. As part of our commitment to providing robust and reliable tools, we are removing this legacy specification to prevent confusion and potential issues.

We strongly encourage all users to migrate to our officially supported OpenAPI 3.1 Specification for the Management API, which is currently in Beta. This new specification is actively maintained and provides a more accurate and comprehensive development experience.

What do you need to do?

If any of your processes are calling the /api/v2/api-docs/ endpoints, take the following steps before September 11, 2025 to ensure your applications and services continue to function without interruption:

  1. Identify any systems, scripts, or CI/CD processes that access https://[your-tenant.yourdomain.com]/api/v2/api-docs/.
  2. Update these systems to use our new, officially supported OpenAPI 3.1 specification. It can be accessed here: https://auth0.com/docs/api/management/v2
  3. Ensure your applications are resilient to a 404 Not Found response from the old endpoint path.

If the above does not address your needs or you have additional questions, contact us using the Auth0 by Okta Support Center or Auth0 by Okta Community.

Native to Web SSO – Now in Early Access for all Enterprise customers

We’re excited to announce that the Early Access of Native to Web SSO is now available for all Enterprise customers.

With this release, developers can:

  • Implement SSO from native iOS or Android apps to browser-based web apps.
  • Securely issue and consume Session Transfer Tokens.
  • Leverage device binding enforcement (IP or ASN) for additional security.
  • Access Session Transfer Token support in Auth0 Actions.
  • Use the feature across the Auth0 CLI SDK, Terraform Provider, Deploy CLI, and native mobile SDKs (iOS and Android).
  • Integrate with WS-FED and SAML clients, and invoke Post Login Actions during token consumption.

📘 To get started:

Read our documentation
Read the Quickstart

added

Flexibility for Passwordless on Universal Login with Connection Switching

We're introducing a new feature that gives your end-users the flexibility to choose how they log in. Using Universal Login Custom Prompts, you can now add custom buttons to your login pages. This empowers your users to easily switch between a traditional database (password-based) connection and a passwordless (OTP-based) connection.

This update allows you to create a seamless experience where users can select their preferred authentication method directly from the login challenge screen.

ConnectionSwitcher

For full details on this new feature, check out our documentation. To learn more about how to use custom prompts, see the custom prompts documentation.

Multi-Resource Refresh Tokens (MRRT) is now in Early Access for all customers

We’re excited to announce that Multi-Resource Refresh Tokens (MRRT) is now in Early Access for all customers.

This feature allows applications to use a single refresh token to request access tokens for multiple resource servers (APIs), each with its own audience and scopes. MRRT simplifies token lifecycle management, enhances developer experience, and improves session continuity across distributed API architectures.

What’s New?

  • Support for defining audience-specific refresh token policies per client
  • Use one refresh token to request tokens for multiple APIs — no re-authentication required
  • Compatible with rotating and expiring refresh tokens
  • First-party applications only
  • Management API support available today
  • iOS and Android SDK support
  • Auth0 Deploy CLI and Terraform Support

Learn more

Brute‑Force Protection Notifications: Email Notifications Expanded to All Identifier Types

What changed: When the user's email is available, Auth0 will now send an email notification for brute‑force blocks in all identifier scenarios (e.g., phone, username), supplementing existing delivery rules.

Why it matters: Ensures users receive blocking notifications consistently even when logging in via phone or username, improving visibility and response.

To learn more about Brute Force Protection, read our online documentation here.

Enhanced Bot Detection Accuracy and Reduced Friction

We’ve improved our bot detection model to strike a better balance between security and user experience, with specific gains for tenants whose users frequently access resources via VPN.

Highlights of this update include:

  • Reduced false positives for VPN users: The model now more effectively distinguishes between legitimate users and bots, even when traffic originates from shared IPs or anonymized networks.

  • Improved user experience without compromising security: These updates are designed to reduce unnecessary friction for valid users while maintaining strong defenses against automated threats.

This enhanced security capability is now available to all Enterprise customers with the Attack Protection add-on. The rollout is currently underway and will be completed over the coming weeks in alignment with individual customer release schedules.

For activation details or to learn more about protecting your applications, please refer to our documentation or contact your account team. We're committed to helping you stay secure in an evolving threat landscape.

added

PII Obfuscation/Masking in Log Streaming

Introducing a new capability for log streaming: PII Masking.

This feature allows customers to obfuscate (hash or mask) sensitive personal identifiable information (e.g., email address, phone number, username, etc.) within their log streams. This enhancement improves security and compliance for customers who stream their logs to data lakes or third-party tools.

Key Features:

  • Customizable PII Masking: Customers can select specific PII data to be masked in their log streams.
  • Enhanced Security and Compliance: This capability helps customers meet stricter compliance requirements by providing greater control over sensitive data in their logs.
  • Broad Applicability: PII masking will be available for both new and existing log streams.

This update aligns with Auth0's commitment to improving customer data security and providing more customization in log stream outputs.

For more information - Log Streams

Cascade Token and Session Revocation for Native to Web SSO is Now Available

We’ve added support for Cascade Revocation in Native to Web SSO.

With this new capability, revoking the original refresh token used in a Native to Web flow will now automatically revoke all dependent web sessions and their issued refresh tokens.

This helps prevent stale or orphaned sessions and ensures that once the root token is no longer valid, all downstream access is properly revoked.


What’s new:

  • enable_cascade_revocation
    When enabled, revoking a native app’s refresh token also revokes all web sessions and refresh tokens created via session_transfer_token.

  • enable_online_refresh_tokens
    When enabled, refresh tokens issued during a Native to Web SSO flow are tied to the lifetime of their associated session (i.e., online tokens).


Default behavior:

Both of these settings are enabled by default, even when not explicitly configured.

This means:

  • All clients using Native to Web SSO today already benefit from cascade revocation.
  • Web-issued refresh tokens will automatically expire when their sessions expire.

You can manage or override these settings using the Auth0 Management API.


Why it matters:

This update provides stronger guarantees around token lifecycle and session integrity across platforms:

  • Prevents misuse of refresh tokens after logout or revocation
  • Reduces risk from long-lived sessions in embedded web views
  • Helps developers maintain a tighter, more secure cross-platform SSO experience

Learn more in our Native to Web SSO documentation

added

New Private Cloud Region in Mexico

Auth0 is delighted to introduce Mexico as the latest AWS region for Private Cloud deployments.

This new region establishes our first Private Cloud presence in Mexico, directly addressing the needs of one of Latin America's largest and most dynamic digital economies. The addition of the Mexico region provides lower latency for customers throughout the country and helps meet local data residency and compliance requirements.

We remain committed to expanding our global footprint to serve our customers wherever they are in the world.

Passkey Support for Custom Database Connections with Import Mode Off - Early Access

We are excited to introduce expanded passkey support for custom database connections! Now available without enabling import mode.

What’s New:

  • You can now enable passkey-based authentication for custom database connections without importing or trickle-migrating users into Auth0 (i.e., with import mode turned off).
  • End users can easily enroll in passkeys after their first successful login, requiring no prior passkey credentials in your external identity store.
  • Passkey credentials are securely stored in Auth0, while your external identity store continues to handle all other authentication logic.

This enhancement unlocks frictionless, passkey-based login experiences for enterprises that manage user credentials outside of Auth0 - without requiring user migration or changes to existing identity architecture.

To enable the Limited Early Access release in your Auth0 tenant, contact your Technical Account Manager to request access.

Multiple Custom Domains on an Auth0 tenant - Early Access

We're thrilled to announce Multiple Custom Domains (MCD) support on a single Auth0 tenant, bringing you simpler, more flexible branding and white-labeling. This powerful capability allows you to:

  • Deliver tailored, branded experiences for your users, including customized login URLs and emails.
  • Enhance security through consistent use of custom domains across end-user interactions.
  • Scale B2B SaaS usage rapidly through MCD on a single tenant.

This feature is available to our Enterprise customers.

With Early Access, you'll gain robust capabilities across our Management APIs, Manage Dashboard, and our developer tools (SDKs, Terraform provider, and CLI) for MCD management. You'll find new ways to customize Email templates based on custom domain information. The solution scales effortlessly to meet rapid growth and demanding needs.

Please refer to Auth0 docs for details - Multiple Custom Domains.

Interested in participating in the Early Access program? Please send a request through the Auth0 Support Center.

My Account API Explorer Now Available

My Account API Explorer is now available! Navigate to https://auth0.com/docs/api/myaccount to try it out and to help you navigate and build with the new My Account API (which is in Limited Early Availability).

Using My Account, customers can build self-service management experiences at scale, powered directly from their applications.

To learn more and request access to the My Account API feature, contact your Auth0 account manager.

Advanced Customizations for Universal Login (Early Access) - Filtering, Page Templates, Dashboards and Consent screens.

We are excited to announce the next Early Access release of Advanced Customizations for Universal Login! This release adds a couple of highly requested enhancements as well as support for building custom versions of Universal Login’s Consent screens using the new ACUL SDK.

Advanced Customizations for Universal Login enables you to build custom, client-rendered interfaces for Universal Login screens, allowing you to control every pixel of your Universal Login experience.

This release includes:

  • A new Filters screen configuration object that allows you to set constraints around when the custom UI should be used based on the client and organization information.
  • A new screen configuration parameter that allows you to use your custom page template with ACUL
  • Support for building custom versions of the Consent screens
    • Consent
    • Customized Consent (used with HRI)
  • A shiny new Dashboard UI for configuring ACUL screens

ACUL Dashboard

DX Updates

The latest versions of the ACUL SDK and Auth0’s CDT tooling include support for the new Filters and page template configurations as well as configuring the consent screens.

We are very close to supporting everything that Universal Login currently supports out of the box. Check out our online documentation to learn more about ACUL, and stay tuned to the Auth0 Changelog for updates and announcements!

Early Access Launch of Right-to-Left Language Support for Universal Login!

Today, we're excited to announce the Early Access release of Right-to-Left (RTL) Language Support for Universal Login—with support for the Guardian Mobile Apps (iOS & Android) coming later this month.

This update expands Auth0’s global accessibility by enabling seamless support for RTL languages, including Arabic, Persian (Farsi), Hebrew, and Urdu—helping you deliver more inclusive, intuitive login experiences in regions where these languages are the norm. Supporting RTL languages means you can reach new markets, localize experiences with greater precision, and improve accessibility for the nearly 1 billion people who rely on RTL scripts.

Early Access includes managing RTL languages in the Admin Dashboard and API as well as previewing and editing prompt translations. Guardian support (coming later this month) will bring RTL layout rendering to identity verification and MFA workflows.

This release marks a major step forward for Universal Login. As Auth0 continues to pursue our vision of a world where anyone can safely use any technology, powered by their Identity, we are proud to partner with our customers around the world in delivering secure, inclusive, and accessible authentication experiences.

Contact your Auth0 account manager or Auth0 Support to enable Early Access on your tenant.

deprecated

Multiple Actions for Custom Phone and Email Provider Triggers

We are deprecating the ability to create more than one action per tenant for actions supporting custom phone or email providers, and introducing a maximum limit of one action in the respective triggers:

  • custom-phone-provider
  • custom-email-provider

This limitation applies to the Management API create an action endpoint (POST - /api/v2/actions/actions) and can impact integrations performing direct API calls and tools like the Auth0 Deploy CLI, the Auth0 Terraform Provider, or the Auth0 CLI.

We have provided additional information and timelines for enforcing this change across tenants through a dashboard and support center notification.

Improved bot detection with reduced friction for legitimate users

We’ve upgraded our bot detection model to improve accuracy and reduce friction for legitimate users, particularly on mobile devices and evolving browser platforms.

Highlights of this update include:

  • Improved interpretation of user-agent signals: The model now better handles previously unseen browser and OS versions, improving accuracy in distinguishing between legitimate users and malicious traffic.

  • Reduced friction for mobile users: We've updated the model to more accurately recognize native mobile app traffic, resulting in fewer unnecessary CAPTCHA challenges for real users.

  • Improved user experience without compromising security: These changes are designed to reduce false positives while maintaining robust bot detection coverage.

This enhanced security feature is available now to all Enterprise customers with the Attack Protection add-on. The rollout is currently underway and will be completed in the coming weeks, aligned with individual customer release schedules.

For activation details or to learn more about safeguarding your systems, please refer to our documentation or reach out to your account team. We are committed to supporting you in protecting your digital presence against evolving threats.

updated

Auth0 Guide Early Access Enhancement: Security Center Data Assistance

We’re excited to announce that the Okta AI-powered chatbot (Guide) Early Access offering has been enhanced with an additional data source - Security Center Metric Data. This additional capability is available only to Enterprise customers and can answer questions such as “do I have more sign up attacks this week compared to last week?”.

Availability

Guide is available to tenants in the US Public Cloud region. Within that group, Security Center Metric Data is available only for Enterprise customers. Guide will be rolled out to all Public Cloud regions in the near future.

added

Private Key JWT Client Authentication for OIDC and Okta Enterprise Connections - Now in Early Access

We’re excited to announce the Early Access release of Private Key JWT Client Authentication for OIDC and Okta Enterprise Connections! Auth0 customers can now leverage a more secure and standards-based method of client authentication for their enterprise identity providers.

Until now, federated connections relied on long-lived client secrets for back-channel authentication. This feature enables signing with asymmetric keys on Okta and OIDC connections, reducing the risk of credential leakage and enabling secure key management and rotation.

While Auth0 already supports Private Key JWT when acting as the Identity Provider, this release extends that security posture to outbound enterprise connections, allowing Auth0 to securely authenticate to upstream IdPs using signed JWTs instead of shared secrets.

For complete setup instructions and more, refer to our documentation.

By using Private Key JWT Client Authentication on your OIDC and Okta Enterprise Connections, you agree to the applicable Free Trial terms in Okta’s Master Subscription Agreement and Okta’s Privacy Policy during use of the Early Access feature. The Free Trial terms can be found within the Master Subscription Agreement.

Multi-Resource Refresh Tokens (MRRT) Now Available in Early Access

We’re excited to announce that Multi-Resource Refresh Tokens (MRRT) is now in Early Access for Enterprise customers.

This feature allows applications to use a single refresh token to request access tokens for multiple resource servers (APIs), each with its own audience and scopes. MRRT simplifies token lifecycle management, enhances developer experience, and improves session continuity across distributed API architectures.

What’s New?

  • Support for defining audience-specific refresh token policies per client
  • Use one refresh token to request tokens for multiple APIs — no re-authentication required
  • Compatible with rotating and expiring refresh tokens
  • First-party applications only
  • Management API support available today
  • iOS and Android SDK support
  • Auth0 Deploy CLI and Terraform Support

Learn more

added

Canadian French Language Support Added to Auth0 Dashboard and Docs

We’ve added a new language option, Canadian French, to help our users in Canada and beyond build secure identity solutions more easily. If your language preference is set to Canadian French in your browser settings, Auth0 will detect this and automatically serve the Dashboard and Documentation in Canadian French. You can manually override this setting in the Auth0 Dashboard and Docs via the language switcher in the top-right corner.

deprecated

Removal of Access to Specific Event Request Properties in Actions

What is changing?

The service will restrict access to additional property names within the event.request.query and event.request.body objects when executing actions for the post-login and credentials-exchange triggers. Tenants identified as using actions that may reference request properties planned for restriction will maintain access until September 16, 2025.

The service will restrict the following property names in the request-related objects:

  • auth_session
  • authn_response
  • client_secret
  • client_assertion
  • refresh_token

Previously, the implementation of an action could access the properties listed above in event.request.query and event.request.body to retrieve the value included in the corresponding network request. Once the planned restrictions become effective for a given tenant, all properties above will be undefined independently of the network request content.

The rollout of these additional restrictions is in progress for tenants where historical data did not show any actions using these property names. Tenants identified as potentially impacted by these restrictions will maintain existing behavior until the previously mentioned date.

Why are we making this change?

By restricting access to these properties, we aim to prevent potential mishandling of sensitive data within the custom code implemented for post-login and credentials-exchange actions. For example, we reduce the risk of unintentionally logging sensitive data in log operations that may output the whole request object.

How are you affected?

If none of your tenant's current actions references one of the restricted property names, or if such references exist but not in the context of property access on the event.request.query and event.request.body objects, then these changes should not impact your tenant.

If there are actual references to restricted request properties, the restriction of these properties may impact the action's logic. After the changes become effective, accessing those request properties will always return undefined. Without revising the actions' implementation, the respective authentication flows risk partial degradation or complete failure.

What action do you need to take?

Check whether your tenants currently have actions referencing one of the restricted properties of the event.request.query and event.request.body objects in their implementation. For applicable actions, you must update their implementation to stop relying on the restricted properties of the request objects.

The exact implementation changes you may need to perform will depend on your overall implementation of the actions and each restricted request property's usage scenario.

For example, for scenarios related to reusing secret information previously available from the request, the support for secret management (event.secrets) as part of actions may provide a potential alternative. If the requests include restricted property names, but the information sent within them is not considered sensitive, you may consider using a different parameter name in the request, or ideally, consider using custom parameters as part of pushed authorization requests to avoid disclosure or interception of the data by end users in browser-based flows. If the data is static per client or connection, consider storing it as part of client or connection metadata.
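As an added illustration (this is not Auth0's code), the block below does two things a tenant owner would want before the restriction takes effect: it audits Action source for dot or bracket access to the five restricted names on event.request.query and event.request.body, and it shows a post-login Action body before and after moving a static secret into event.secrets. The partner URL, the PARTNER_API_KEY secret name, the partner_ref parameter and the sample event are all constructed for the example; applyRequestRestriction only simulates locally the platform behaviour described above (restricted names read as undefined), and makeApiRecorder is a stand-in for the Actions api object that records access.deny() calls. In a real Action the sync helpers would be called from the async exports.onExecutePostLogin handler.

```javascript
// Added example, not Auth0's code. Audits Action source for restricted request
// properties and shows a post-login Action before/after migrating to event.secrets.

// Property names that become undefined on event.request.query / event.request.body.
const RESTRICTED_REQUEST_PROPERTIES = [
  "auth_session",
  "authn_response",
  "client_secret",
  "client_assertion",
  "refresh_token",
];

// Scan Action source for `event.request.query.<name>`, `event.request.body.<name>`
// or the equivalent bracket access. Returns one entry per reference found.
function findRestrictedRequestReferences(source) {
  const hits = [];
  for (const name of RESTRICTED_REQUEST_PROPERTIES) {
    const pattern = new RegExp(
      String.raw`event\.request\.(query|body)(?:\.${name}\b|\[\s*["']${name}["']\s*\])`,
      "g"
    );
    let match;
    while ((match = pattern.exec(source)) !== null) {
      hits.push({ object: match[1], property: name, offset: match.index });
    }
  }
  return hits;
}

// Local simulation of the restriction: restricted names read as undefined
// regardless of what the network request contained. Other parameters are kept.
function applyRequestRestriction(event) {
  const strip = (obj) => {
    const copy = { ...(obj || {}) };
    for (const name of RESTRICTED_REQUEST_PROPERTIES) delete copy[name];
    return copy;
  };
  const request = event.request || {};
  return {
    ...event,
    request: { ...request, query: strip(request.query), body: strip(request.body) },
  };
}

// Minimal stand-in for the Actions `api` object that records access.deny() calls.
function makeApiRecorder() {
  const denials = [];
  return { access: { deny: (reason) => { denials.push(reason); } }, denials };
}

const PARTNER_URL = "https://partner.example/v1/profile"; // constructed

// BEFORE: forwards a key the client sent in the request body. After the restriction
// the value is always undefined, so the outbound call silently carries "Bearer undefined".
function legacyPartnerRequest(event, api) {
  const apiKey = event.request.body.client_secret;
  return { url: PARTNER_URL, headers: { Authorization: `Bearer ${apiKey}` } };
}

// AFTER: the static key is read only from event.secrets, and the non-sensitive
// per-request context travels under a parameter name that is not restricted.
function migratedPartnerRequest(event, api) {
  const apiKey = event.secrets.PARTNER_API_KEY;
  if (!apiKey) {
    api.access.deny("Action misconfigured: PARTNER_API_KEY secret is not set");
    return null;
  }
  const partnerRef = event.request.body.partner_ref; // not a restricted name
  return {
    url: `${PARTNER_URL}?ref=${encodeURIComponent(partnerRef || "")}`,
    headers: { Authorization: `Bearer ${apiKey}` },
  };
}

// Constructed sample event shaped like the fields the Actions use.
const SAMPLE_EVENT = {
  request: {
    query: {},
    body: { client_secret: "partner-key-from-request", partner_ref: "acme" },
  },
  secrets: { PARTNER_API_KEY: "partner-key-from-secrets" },
};
```

Run findRestrictedRequestReferences over each Action's code exported from your tenant; a non-empty result for an action is the signal that it needs the migration shown by migratedPartnerRequest before the restriction becomes effective for your tenant.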

deprecated

Real-time Webtasks Logs Extension Deprecation

What is changing?

We are deprecating the Real-time Webtask Logs extension with a planned end-of-life (EOL) after September 16, 2025.

As a replacement, we have published the Actions Real-time Logs feature integrated within the Auth0 Dashboard. The extension will cease to be available for new installations, but tenants with the extension already installed will maintain access until the planned EOL.

Why are we making this change?

The transition to the dashboard will improve the security posture and maintainability of the functionality, while simplifying future enhancements.

How are you affected?

If you actively use the Real-time Webtask Logs extension, its scheduled removal will affect you, as the transition from an extension to a direct dashboard capability inherently implies some user experience differences.

What action do you need to take?

You can start using the Actions Real-time Logs feature by navigating to Auth0 Dashboard > Monitoring > Actions Logs.

We recommend that extension users familiarize themselves with the new user interface to avoid disruption once the extension becomes unavailable.

added

Resilience enhancement - Private Cloud Restoration General Availability

Auth0 is excited to announce the General Availability of the Private Cloud Restoration resilience enhancement. This capability comes in handy in the event of customer data loss or data corruption, and assists customers in meeting regulatory requirements such as the European Union’s Digital Operational Resilience Act (DORA).

This capability allows customers to request full restoration of their production Private Cloud environment from an Auth0 backup in the last 14 days. It also includes the option for one restoration test per year on a non-production Private Cloud environment. Please refer to Operational policies documentation for more.

Customize the Brute-Force Protection Unblock Page with Universal Login - Now Available

You can now customize the Brute-Force Protection unblock page using Universal Login. This update allows for a fully branded experience when users are locked out due to repeated failed login attempts.

What’s New?

  • Branded unblock experience via Universal Login - The brute-force protection unblock page is now part of Universal Login, giving you full control over its appearance and content. This ensures a seamless, branded experience throughout the recovery flow.

  • Improved compatibility with email security scanners - Account unblock now occurs when the unblock page loads rather than on clicking the unblock link. This helps prevent issues caused by email security scanners that pre-process links.

To enable these new features:

Navigate to the Settings > Advanced tab. In the Migrations section, near the bottom of the page, disable the existing functionality with the toggle shown below.

Brute Force Deprecation Toggle

The existing Brute-Force Protection unblock page and behavior will remain available for now. However, it is planned for deprecation within the next 6 months, giving you ample time to transition to the new and improved experience at your convenience.

For more information about our Brute-Force Protection feature, see our online documentation here.

deprecated

Unrestricted offset pagination in Connections Management API

Starting October 27, 2025, the offset-based pagination available for the Management API get all connections endpoint will no longer support retrieving a paginated result beyond the first 1000 connections.

Use checkpoint-based pagination to iterate beyond 1000 connections. Additional information about this upcoming change is available in a dashboard and support center notification.

Native Passkey Enrollment With My Account

We’re very excited to announce the Limited Early Availability of Native Passkey Enrollment, the first capability on our new self-service API, My Account.

Using My Account, customers can build self-service management experiences at scale, powered directly from their applications.

Native Passkey Enrollment enables users to add a passkey to their account using APIs; applications can fully manage user onboarding of passkeys. This feature is the first of many capabilities being added to My Account.

To learn more and request access to the feature, contact your Auth0 account manager.

updated

Enhanced Bot Detection for Signups

We're excited to announce a significant upgrade to our bot detection capabilities for signups, delivering superior accuracy and staying ahead of evolving traffic patterns.

This latest model further improves our ability to distinguish legitimate new users from automated malicious activity. The result is a substantial reduction in unwanted signups, enhancing your user onboarding experience and overall platform security.

By enhancing our model training and deployment system, we can now accelerate model improvements, increase deployment frequency, and reduce detection latency, ensuring you always have the most advanced protection.

This enhanced security feature is available now to all Enterprise customers with the Attack Protection add-on. The rollout is currently underway and will be completed in the coming weeks, aligned with individual customer release schedules.

For activation details or to learn more about safeguarding your systems, please refer to our documentation or reach out to your account team. We are committed to supporting you in protecting your digital presence against evolving threats.

Native to Web SSO – Now in Early Access

We’re excited to announce the Early Access release of Native to Web SSO — a new capability that enables session sharing between native mobile apps and web apps using a secure, standards-based approach. This helps create a seamless user experience where authentication in one platform (native or web) carries over to the other, without requiring a separate login.

With this release, developers can:

  • Implement SSO from native iOS or Android apps to browser-based web apps.
  • Securely issue and consume Session Transfer Tokens.
  • Leverage device binding enforcement (IP or ASN) for additional security.
  • Access Session Transfer Token support in Auth0 Actions.
  • Use the feature across the Auth0 CLI SDK, Terraform Provider, Deploy CLI, and native mobile SDKs (iOS and Android).
  • Integrate with WS-FED and SAML clients, and invoke Post Login Actions during token consumption.

📘 To get started:

  • Read our documentation
  • Read the Quickstart

Actions - Name Edit

Action name editing is now available within the Auth0 Dashboard, providing developers the ability to rename existing Actions while ensuring unique names are maintained.

To rename an Action:

  1. Navigate to the specific Action Details page in the Auth0 Dashboard.
  2. At the Action Details page, click the edit button located next to the Action's name to make your changes.
  3. Enter the new name.
  4. Apply or cancel the changes.

Fine-Grained Machine-to-Machine Token Quotas now available in Early Access

We’re excited to announce that Fine-Grained M2M Token Quotas is now in Early Access for Enterprise customers.

This feature allows setting hourly and daily limits on M2M access tokens at the Application and Organization level. When a quota is reached, affected Applications receive 429 responses until the quota resets. Customers can also enable or disable quotas in real time and monitor usage via tenant logs and HTTP headers.

M2M token quota error

This gives customers granular control over token issuance, helping prevent excessive consumption — especially important when APIs are exposed to Third-Party Apps or internal teams outside their direct control. It addresses common issues like missing token caching, which can lead to uncontrolled token usage, unexpected costs and imbalanced usage across Organizations.
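The paragraph above names the two client-side behaviours that matter once quotas are enforced: caching tokens so the application does not ask for a new one per API call, and coping with the 429 that the Authorization Server returns when the quota is exhausted. The following is an added example, not Auth0's code: a per-audience token cache that refreshes a short time before expiry and, when the issuer answers 429, keeps serving a token that is still valid instead of failing the caller. requestToken stands in for the client_credentials call to the token endpoint; the quota-limited issuer, the audience name orders-api and the manual clock in runScenario are constructed for the demonstration, and no Auth0 header or parameter names are assumed.

```javascript
// Added example, not Auth0's code: cache M2M tokens per audience and degrade
// gracefully on a 429 quota response instead of calling the issuer on every request.

class M2MTokenCache {
  // requestToken(audience) returns { access_token, expires_in } (seconds) or throws an
  // Error whose `status` is 429 when the quota is exhausted. `now` is injectable for tests.
  constructor(requestToken, { now = () => Math.floor(Date.now() / 1000), skewSeconds = 60 } = {}) {
    this.requestToken = requestToken;
    this.now = now;
    this.skew = skewSeconds;
    this.entries = new Map(); // audience -> { accessToken, expiresAt }
    this.stats = { issuerCalls: 0, cacheHits: 0, quotaRejections: 0 };
  }

  getToken(audience) {
    const entry = this.entries.get(audience);
    const t = this.now();
    // Fresh enough (outside the skew window): reuse without touching the issuer.
    if (entry && entry.expiresAt - this.skew > t) {
      this.stats.cacheHits += 1;
      return entry.accessToken;
    }
    this.stats.issuerCalls += 1;
    try {
      const res = this.requestToken(audience);
      const fresh = { accessToken: res.access_token, expiresAt: t + res.expires_in };
      this.entries.set(audience, fresh);
      return fresh.accessToken;
    } catch (err) {
      if (err && err.status === 429) {
        this.stats.quotaRejections += 1;
        // Quota exhausted: a token inside the skew window is still valid, so serve it.
        if (entry && entry.expiresAt > t) return entry.accessToken;
      }
      throw err; // hard-expired or a non-quota failure: let the caller decide
    }
  }
}

// Constructed issuer: hands out 3600-second tokens and enforces a per-audience quota
// of `limit` issuances, answering with a 429-style error once it is exceeded.
function makeQuotaLimitedIssuer(limit) {
  const issued = new Map();
  return (audience) => {
    const n = (issued.get(audience) || 0) + 1;
    if (n > limit) {
      const err = new Error("Too Many Requests");
      err.status = 429;
      throw err;
    }
    issued.set(audience, n);
    return { access_token: `${audience}-token-${n}`, expires_in: 3600 };
  };
}

// Walks a manual clock through the interesting states and returns what the caller saw.
function runScenario() {
  let clock = 0;
  const cache = new M2MTokenCache(makeQuotaLimitedIssuer(2), { now: () => clock, skewSeconds: 60 });
  const first = cache.getToken("orders-api");  // issuer call 1
  const second = cache.getToken("orders-api"); // cache hit
  clock = 3545;                                // inside the 60 s skew window: refresh early
  const third = cache.getToken("orders-api");  // issuer call 2, expires at 7145
  clock = 7090;                                // inside skew again, but quota is now exhausted
  const fourth = cache.getToken("orders-api"); // 429 -> still-valid token 2 is served
  clock = 7200;                                // token 2 is hard-expired
  let failure = null;
  try {
    cache.getToken("orders-api");
  } catch (e) {
    failure = e.status;                        // 429 surfaces to the caller
  }
  return { first, second, third, fourth, failure, stats: cache.stats };
}
```

The stats object is the hook for monitoring: a rising quotaRejections count with a low cacheHits count is the "missing token caching" symptom the entry describes, visible from the application side before the tenant logs show it.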

To learn more, check out the documentation.

Reach out to your Auth0 contact to request access!

Advanced Customizations for Universal Login (Early Access) - WebAuthn + Biometrics Authentication, and Logout!

We are excited to announce the next Early Access release of Advanced Customizations for Universal Login! This release adds support for building custom versions of Universal Login’s WebAuthn + Biometrics authentication and the matching MFA and Reset Password Challenge screens, as well as Logout and a few other odds and ends, all using the new ACUL SDK.

Advanced Customizations for Universal Login enables you to build custom, client-rendered interfaces for Universal Login screens, allowing you to control every pixel of your Universal Login experience. This release allows you to build custom versions of the following screens:

  • MFA WebAuthn Change Key Nickname
  • MFA WebAuthn Enrollment Success
  • MFA WebAuthn Error
  • MFA WebAuthn Platform Challenge
  • MFA WebAuthn Platform Enrollment
  • MFA WebAuthn Roaming Challenge
  • MFA WebAuthn Roaming Enrollment
  • Reset Password MFA WebAuthn Platform Challenge
  • Reset Password MFA WebAuthn Roaming Challenge
  • Logout
  • Logout Aborted
  • Logout Complete
  • MFA Recovery Code Challenge New Code
  • Email Verification Result
  • Login Email Verification

DX Updates

The latest versions of the ACUL SDK and our CDT tooling all include support for these new screens.

We are well on our way to adding support for everything that Universal Login currently supports out of the box. Check out our online documentation to learn more about ACUL and stay tuned to the Auth0 Changelog for updates and announcements!

Client-Initiated Backchannel Authentication (CIBA) flow is now Generally Available

Asynchronous authentication and authorisation using the Client-Initiated Backchannel Authentication (CIBA) flow is now Generally Available for our Enterprise plan customers. The CIBA flow works as an asynchronous, decoupled flow across two different devices:

  • Consumption device: initiates the authentication request.

  • Authentication device: handles end-user authentication, implemented as a custom mobile app which embeds the Guardian mobile SDK.

The flow supports the use of Rich Authorization Requests (RFC 9396) to provide contextual information to authenticating and/or authorizing users. This enables the CIBA flow to support a number of powerful use cases driven by backend client applications, such as:

  • Customer authentication by headless devices or devices/applications with limited interaction capabilities.

  • Customer authentication in call-centre scenarios.

  • Authorising sensitive operations on behalf of yourself or a third-party e.g. a customer service Agent, an autonomous AI Agent.

For more details, see the product documentation.

updated

Edit Tenant Member roles from within Auth0 Teams

We're excited to announce a significant enhancement to the Tenant Member Management feature within Auth0 Teams. All tenant member management tasks can now be completed centrally within the Auth0 Teams Dashboard.

Previously, we introduced tenant member management with support for inviting and assigning dashboard users to team tenants, followed by the ability to remove access from tenants directly within the Teams dashboard.

With this release, a team owner gains the comprehensive ability to perform all Create, Read, Update, and Delete (CRUD) tasks on tenant members directly from the Teams Dashboard. This streamlines administrative workflows and provides unparalleled control over user access across your tenants.

Note: The Tenant Member Management feature is required for this functionality. This feature is on by default for all Self-Service customers and most Public Cloud Enterprise customers. It is configurable for some existing Public Cloud Enterprise customers and is coming soon to Private Cloud customers.

Please refer to the following documentation for more information.

  1. How do you edit a Tenant Member role from Auth0 Teams Dashboard?
  2. I am a Public Cloud Customer; how do I verify that I have the suitable feature turned on to support tenant member management?

Teams Tenant Member Management Edit

Event Streams for Auth0 Extensibility – Now in Early Access

Event Streams is now available for all customers who desire to discover completed changes to Auth0 Users and Organizations as they happen. They can do this by:

  • Creating an Event Stream in the Manage Dashboard or the Management API
  • Configuring the Event Streams with the desired destination (Webhook or Amazon EventBridge) and selecting the events to receive

See the Auth0 Docs for further instructions.

deprecated

Allow Omitting Password on SMTP Email Provider Host-related Changes

Updating specific configuration fields for a tenant's SMTP Email Provider may require simultaneously specifying the password field used for SMTP client authentication.

We have provided additional information and timelines for enforcing this change across tenants through a dashboard and support center notification.

updated

Auth0 CLI Improvements

We're excited to announce the latest release of the Auth0 CLI! This update brings a host of improvements designed to streamline your development workflow, enhance security capabilities, and provide a more intuitive user experience.

Key Highlights:

  • Improved Universal Login Customization Flow: Customizing your Universal Login pages is now more straightforward and efficient. We've refined the command-line interface to provide a smoother experience when managing templates and branding, allowing for quicker iterations and deployments.
  • Support for Blocking User Authentication: Enhance your security posture with the new ability to directly block (and unblock) user authentication via the CLI. This feature provides a quick and effective way to manage access for suspicious or compromised accounts.
  • Enhanced Logs and User Management Experience: We've significantly improved the experience for viewing and managing your Auth0 logs and users. Expect more intuitive commands, better filtering options, and clearer outputs, making it easier to find the information you need and perform administrative tasks.
  • Better Tenant Settings Management: Managing your tenant settings is now more accessible and user-friendly. The CLI offers improved commands for viewing and updating various tenant configurations, simplifying your operational overhead.
  • Extended test login Command to Support Organizations: Testing your login flow with Organizations is now easier than ever. The auth0 test login command has been extended to seamlessly incorporate organization-specific contexts, allowing for more comprehensive testing of your multi-tenant applications.
  • Bug Fixes and Quality of Life Improvements: This release also includes a variety of bug fixes and other minor enhancements based on your feedback. These improvements contribute to a more stable, performant, and enjoyable experience with the Auth0 CLI.

Check out the reference documentation for more information: https://auth0.github.io/auth0-cli/

added

Customizable notification text for iOS Guardian SDK

Introducing customizable notification text for the iOS Guardian SDK. With this update, apps using the Guardian SDK on iOS can now fully customize the text of their push notifications—giving you greater control over your user experience and messaging.

added

Language Selection for End Users on Universal Login

Enable end users to choose a different language if the automatically selected language based on ui_locales or the browser language header is not preferred. By leveraging Auth0 Custom Prompts you can use your own HTML to customize the look and feel for how end users perform the language selection on Universal Login. Learn more: Language Selection on Universal Login

added

Sign in with Google now available for Android Applications

Auth0 developers can now easily and securely authenticate users on native applications by using the Android Credential Manager’s Sign in with Google. This enables a secure and streamlined experience for end users to log in without being prompted for a password, by reusing their existing Google session on the device. Learn more: Native Sign in with Google

added

Federated Logout for the Okta and OIDC Enterprise Connections in Limited Early Access

We are thrilled to introduce the Limited Early Access release of Federated Logout for Okta and OIDC enterprise connections! Auth0 customers now have a straightforward solution to ensure that an end user is logged out of both Auth0 and OIDC IdP sessions via the Auth0 logout endpoint. This feature is built upon the OpenID Connect RP-initiated federated logout specification, allowing customers to effectively mitigate security risks without the need to directly access IdP logout endpoints.

Federated logout has already been supported for some IdPs, listed here, as well as through the dedicated Google and Microsoft Entra ID connectors. This feature expands federated logout capabilities to all OIDC Identity Providers via the generic OIDC and Okta connectors.

To enable the Federated Logout Limited Early Access release in your Auth0 tenant, please contact your Technical Account Manager to request access.

Advanced Customizations for Universal Login (Early Access) - Device Authorization Flow and more MFA Factors!

We are excited to announce the next Early Access release of Advanced Customizations for Universal Login! This release adds support for building custom versions of Universal Login’s Device Authorization screens, the MFA voice, phone, and recovery code screens, and their matching Reset Password Challenge factors all using the new ACUL SDK.

Advanced Customizations for Universal Login enables you to build custom, client-rendered interfaces for Universal Login screens, allowing you to control every pixel of your Universal Login experience. This release allows you to build custom versions of the following screens:

  • Device Code Activation
  • Device Code Activation Allowed
  • Device Code Activation Denied
  • Device Code Confirmation
  • MFA Phone Challenge
  • MFA Phone Enrollment
  • MFA Voice Challenge
  • MFA Voice Enrollment
  • Reset Password MFA Phone Challenge
  • Reset Password MFA Voice Challenge
  • MFA Recovery Code Challenge
  • MFA Recovery Code Enrollment
  • Reset Password MFA Recovery Code Challenge
  • Redeem Ticket

DX Updates

The latest versions of the ACUL SDK and our CDT tooling all include support for these new screens.

We are well on our way to adding support for everything that Universal Login currently supports out of the box. Check out our online documentation to learn more about ACUL and stay tuned to the Auth0 Changelog for updates and announcements!

added

Guardian Mobile Enrollment for Mobile Devices

Users can now enroll in Guardian Push directly from their mobile device—no QR code scanning required. Enrollment is supported in both the Guardian App and custom Guardian-powered apps, making setup faster and easier on mobile.

Actions - Real-time Logs (GA)

This feature gives developers real-time output from Actions, Custom Database Scripts, and Custom Social Connections code when executing console.log and other similar commands.

To use the feature, navigate to the Dashboard > Monitoring > Action Logs.

What's new:

added

Token Vault to unlock access to external APIs: Now in Early Access

We’re excited to introduce Token Vault, now available in Early Access. Token Vault enables your applications to securely access third-party APIs on behalf of your users—without requiring you to manage refresh tokens or create custom integrations for a broad range of external APIs and services.

With Token Vault, Auth0 handles storing and refreshing access tokens from identity providers like Google, GitHub, Microsoft, and more. Your applications can then seamlessly call downstream APIs—such as Google Calendar, GitHub repositories, Microsoft Word, etc.

This feature is currently only available for Public Cloud tenants. To enable the Early Access release for your Auth0 tenant, please connect with your Technical Account Manager.

For complete setup instructions and more, refer to the Token Vault documentation.

To learn about using Token Vault with Auth for GenAI, visit Call Other's APIs on User's Behalf | Auth0.

Let the API access magic unfold!

added

Announcing the Auth0 MCP Server

We're super excited to announce the developer beta of Auth0 MCP Server to make tenant management conversational, intuitive, and incredibly efficient for developers. Recently, Model Context Protocol (MCP) has been growing at a rapid pace and has enabled AI agents to communicate with external tools, resources, or remote services on behalf of users.

Auth0 MCP Server lets developers interface with Auth0 using natural language instead of complex APIs or dashboard navigation, dramatically simplifying tenant management workflows. For instance, developers could simply ask Claude to create a new Auth0 app, deploy a new Action, or perform any other supported management operation.

This initial release includes:

  • Support for 20+ Auth0 Management operations: Create and manage applications, APIs, Actions, Logs, and Forms through simple, natural language conversations.
  • Secure Authentication: Grant tenant access to your MCP clients via a secure auth flow with built-in support for scopes and session management.
  • Multi-Step Management Workflows: Perform complex operations like "create an application with specific permissions and deploy a security Action" in a single conversation.
  • Seamless Integrations: Native support for Claude Desktop, Windsurf, Cursor, and many other MCP clients.

Get started with a simple command: npx @auth0/auth0-mcp-server init

Learn more about the Auth0 MCP Server: https://github.com/auth0/auth0-mcp-server/

Auth0 Support Center - Now with Generative Answers (Beta) and Knowledge Articles in Search

Auth0 Support Center Search now provides generative answers to search queries on Support Center. As part of this change, the answers/solutions in Support Center contain results from "Knowledge Articles" which are Auth0-created solutions to specific issues to help you troubleshoot better.

To try it out, navigate to: https://support.auth0.com/ and enter a query in the search box on the homepage. To filter results by the new Knowledge Articles, select "Knowledge" on the left-hand side.

added

Announcing Auth for GenAI: Developer Preview Is Live!

We’re excited to announce the Developer Preview of Auth for GenAI, a new offering purpose-built for AI-native, agent-based applications.

Auth for GenAI helps developers securely integrate authentication, API access, and fine-grained authorization into GenAI-powered apps using industry standards all wrapped in developer-friendly SDKs.

This initial release includes:

  • User Authentication via Universal Login (social, enterprise, passkeys, and more) with account linking
  • Token Vault enabling AI agents to call APIs (Google, GitHub, Slack, etc.) on user's behalf
  • Asynchronous Authorization to enable autonomous AI agents to asynchronously ask users for out-of-band authorization on sensitive actions via push notifications
  • Authorization for RAG with resource-level access control powered by Auth0 FGA
  • SDK support for Next.js, Node.js, FastAPI, and popular AI frameworks like LangChain, Vercel AI SDK, and LlamaIndex
  • Sample apps, quickstarts, and ready-to-use templates

Explore the Developer Preview at: https://auth0.com/ai

Join the discussion at our community: https://community.auth0.com/c/auth-gen-ai

Tenant Access Control List is Now Available in Early Access!

We’re excited to introduce Tenant Access Control List (ACL), a powerful new security feature that allows you to control who can access your tenant.

With the Tenant ACL, you can define custom rules to allow, block, or redirect requests based on predefined signals, helping you secure and optimize your environment with precision.

Benefits

Reduce Attack Surface – Block malicious traffic before it reaches your tenant.

Enhance Security – Enforce custom access policies based on IPs, geolocation, user agents, and more.

Optimize Performance – Redirect traffic efficiently to improve user experience.

Early Access Availability:

Current Early Access: Available to all Enterprise customers with the Attack Protection add-on, with the ability to create up to 10 access control lists.

Upcoming Limited Early Access: Rolling out to all Enterprise customers in Q2 2025 with the ability to create up to one access control list.

Please view our online documentation here for additional details and to learn how to enable Tenant Access Control Lists.

added

Mobile Driver’s License Verification Service in Limited Early Access!

We’re excited to announce that the Mobile Driver’s License Verification Service is now in Limited Early Access.

Auth0’s Mobile Driver’s License (mDL) Verification Service enables customers to enrich user profiles with trusted information during signup and login flows as well as perform ad-hoc verification and validation checks. Additionally, utilizing a digital credential can streamline processes for businesses and financial institutions while allowing end-users more control over their information.

With this feature, customers can perform ad-hoc mDL verification requests or integrate them into their existing authorization flows with our Forms widget. This Early Access release only supports the ISO/IEC TS 18013-7:2024 standard and the REST API, also known as Web API, protocol.

To enable the Limited Early Access release in your Auth0 tenant, please review the available documentation and if interested, please fill out this form to request access. We are limiting the number of customers for whom this will be enabled and will reach out to you with more details. If you have any feedback, give us a shout in our community channel!

Self-Service SSO - UI Ticketing and Advanced SAML Configurations

Auth0 is excited to announce new enhancements to the Self-Service SSO experience:

Self-Service SSO Ticket Creation in the Dashboard

Tenant admins can now generate SSO tickets directly from the Manage Dashboard, removing the need for API access. This update simplifies the process for all teams and makes it easier to experiment, configure, and roll out federated SSO integrations.

Enhanced SAML Configuration Options

Tenant admins can now configure whether IdP-Initiated SSO is allowed at the time of ticket creation. Additionally, in the wizard, IT admins have the option to choose whether authentication requests should be signed, offering more flexibility and control to meet varying security and compliance needs.

SS-SSO Ticket Creation

These updates enhance accessibility, security, and ease of use. Learn more about Self-Service SSO in the product documentation.

added

New US Public Cloud Region (prod-us-5)

We are excited to announce that we are expanding our US public cloud offering with a brand new environment! prod-us-5 is a testament to our growth and provides a big capacity boost to onboard new Auth0 Public Cloud customers.

This new public cloud environment supports all the standard Auth0 Authentication and Management capabilities in a highly secure, resilient, and scalable deployment infrastructure.

All US Public Cloud customers who are using an IP allow list to permit outbound traffic from Auth0 are advised to update their firewall rules with the latest info at their earliest convenience.

Self-Service SSO - Domain Verification now in Early Access!

We’ve added Domain Verification to the Self-Service SSO workflow — making it easier and more secure for your customers to manage their SSO setup.

Simplified & Secure

Your customers can now verify domains directly within the Self-Service SSO wizard, reducing manual steps and ensuring only trusted domains are used for Home Realm Discovery (HRD). This strengthens security and eliminates the need for external verification workflows.

Flexible Configuration Options

As a tenant admin, you have control over how domain verification is enforced when creating Self-Service SSO tickets:

  • Off – Domain verification is hidden from the wizard
  • Optional – Customers can choose to skip verification and still enable connections
  • Required – A domain must be verified before enabling the connection

This gives you the flexibility to balance user experience and security based on your customers' needs.

SS-SSO - Domain Verification

Learn more about Self-Service SSO in the product documentation.

By using Self-Service SSO Domain Verification, you agree to the applicable Free Trial terms in Okta’s Master Subscription Agreement and Okta’s Privacy Policy during use of the Early Access feature. The Free Trial terms can be found within the Master Subscription Agreement at https://www.okta.com/agreements.

Advanced Customizations for Universal Login (Early Access) - Organizations, and MFA TOTP and Password Reset Challenge, oh my!

We are excited to announce the next Early Access release of Advanced Customizations for Universal Login! This release adds support for building custom versions of Universal Login’s Organizations screens, the MFA TOTP screens, and the matching Reset Password Challenge factors all using the new ACUL SDK.

Advanced Customizations for Universal Login enables you to build custom, client-rendered interfaces for Universal Login screens, allowing you to control every pixel of your Universal Login experience. This release lets you build custom versions of the following screens:

  • Accept Invitation
  • Organization Selection
  • Organization Picker
  • MFA OTP Enrollment QR
  • MFA OTP Enrollment Code
  • MFA OTP Challenge
  • Reset Password MFA OTP Challenge
  • Reset Password MFA Email Challenge
  • Reset Password MFA Push Challenge Push
  • Reset Password MFA SMS Challenge

DX Updates

The latest versions of the ACUL SDK and our CDT tooling all include support for these new screens.

We are well on our way to adding support for everything that Universal Login currently supports out of the box. Check out our online documentation to learn more about ACUL and stay tuned to the Auth0 Changelog for updates and announcements!

updated

Bot Detection Model Updated

We’ve updated our bot detection model to improve accuracy and keep up with evolving traffic patterns.

  • Improved detection: The new model is more effective at identifying and stopping bot activity.

  • More computationally efficient: Updated architecture enables more efficient decision-making.

  • Trained on fresh data: Reflects the latest trends in traffic to better spot malicious behavior.

This enhanced security capability is now available to all Enterprise customers with the Attack Protection add-on. The rollout is currently underway and will be completed in the coming weeks, aligned with individual customer release schedules.

For details on activation or to learn more, please refer to our documentation or reach out to your account team. We are here to support you in protecting your systems against evolving threats.

fixed

Improvements to the Reset Custom Provider Button Functionality

The Auth0 Dashboard allows customers to reset the code for a Custom Provider when they click the Reset button. Previously, this experience was different across Custom Email and Phone Provider in both the behavior of the button and the text displayed throughout the reset process. This behavior has been fixed, and now the reset functionality is consistent across both features.

updated

Event Streams for User Life Cycle Management -- Public Beta

Auth0 customers have historically struggled to easily discover changes to the User Lifecycle (user created, updated, or deleted) and have relied on suboptimal solutions such as Actions or Logs.

Event Streams changes this: customers can now subscribe to events that fire each time there is a change in the User Lifecycle, regardless of the connection in which the user was created, and route those events to either a Webhook or AWS EventBridge.

Auth0 is now accepting Beta Testers for this new feature. See the Auth0 Docs for further instructions.

Actions - Execution Error Logs

This feature gives developers better observability regarding Actions execution errors both at the Auth0 Dashboard and external Log Stream Platforms.

Here's a summary of the key points:

  • Execution Error Handling: The feature captures unhandled Actions execution errors and surfaces them as tenant logs.
  • Event Log Type: There is a new event log type for Actions execution errors, which can be viewed at Dashboard > Monitoring > Logs.
  • Log Streams: The new event log type is also sent through Log Streams.
  • Log Stream Filter: There is a new Log Stream Filter focused on Actions execution errors.

added

Japanese Language Support Added to Auth0 Dashboard and Docs

We’ve added a new language option, Japanese, to help our users in Japan and beyond build secure identity solutions more easily. If your language preference is set to Japanese in your browser settings, Auth0 will detect this and automatically serve the Dashboard and Documentation in Japanese. You can manually override this setting in the Auth0 Dashboard and Docs via the language switcher in the top-right corner.

added

Swift Package Manager Support for Guardian SDK

Integrating Auth0 Guardian into your iOS projects is now easier than ever with Swift Package Manager (SPM) support! With this update, you can seamlessly add Guardian authentication directly in Xcode—no manual setup required.

added

Credential Guard Now Available for Private Cloud on Azure Customers!

Credential Guard is now supported for Private Cloud on Azure customers!

This enhancement brings:

  • 🔍 Proactive Threat Hunting – A dedicated security team infiltrates criminal communities and gains access to breach data that isn’t otherwise available, enabling detection of compromised passwords within 12–36 hours instead of the traditional months.
  • Faster Detection – Detects breaches 250% faster than standard automated solutions.
  • 🌍 Expanded Coverage – Automates breached password detection coverage in over 200 countries and territories, ensuring that users worldwide receive consistent, localized protection.

For additional details and to learn how to enable Credential Guard, please view our online documentation here.

Custom Phone Providers and the Unified Phone Experience are now Generally Available!

We’re excited to announce that Custom Phone Providers and the Unified Phone Experience are now Generally Available.

Custom Phone Providers: With this feature, customers can configure custom phone providers and customize phone messages not only when leveraging phone number as an identifier, but also when using MFA and Passwordless! Auth0’s CI/CD tooling (Auth0 CLI, Deploy CLI, and Terraform Provider) now fully supports Custom Phone Providers. To access these new capabilities, upgrade to the latest versions of Auth0 CLI, Deploy CLI, and Terraform Provider.

We encourage you to get started with Custom Phone Providers today by checking out our documentation and if you have any feedback, give us a shout in our community channel!

Unified Phone Experience: The Unified Phone Experience offers a consolidated experience where you can configure a tenant-level phone provider that will be used for Phone as ID, MFA, and Passwordless flows. Additionally, the management of phone templates will be centralized on a single page. This unification aims to reduce redundancy across Auth0 features and present a more streamlined user experience. The unified experience will be the default for any new tenants created after this release, and existing tenants will have the ability to revert to the legacy experience if desired.

We encourage you to try out the new Unified Phone Experience and provide feedback and questions to us through our community channel. Information on how to migrate to the new experience can be found here.

added

Breached Password Detection for Password Reset Flows is Now Available!

We're improving both account security and user experience by extending Breached Password Detection to the password reset flow.

🔹 What’s New?

Previously, users could unknowingly reset their passwords to compromised credentials, creating security risks and potentially requiring another reset.

With this update, you can now prevent users from setting their password to a known breached credential during the reset flow, just like during sign-up and login.

Additionally, with this rollout we have also increased coverage of Breached Password Detection on Sign-Up to cover the Management API!

🚀 Benefits

Stronger security – Protects against compromised credentials at every stage.

Better user experience – Avoids unnecessary password resets by blocking breached passwords upfront.

This update helps prevent your users from using known compromised credentials throughout their password lifecycle, giving your users stronger security on their accounts.

For additional details and to learn how to enable Breached Password Detection on Password Reset Flows, please view our online documentation here.

Node Module Compatibility Check for Custom Database

This feature allows developers to ensure their custom database scripts are compatible with specific Node.js runtime versions.

Here's a summary of the key points:

  • Bulk Testing Compatibility: The feature can test the compatibility of custom database scripts with different supported Node.js runtime versions.
  • Database Connections Limit: It is available if your tenant has 1 to 10 database connections with custom database scripts enabled.
  • Navigation Path: The feature can be accessed by going to Tenant Settings → Advanced → Extensibility → Verify Custom DB Scripts.
  • Actions Based on Results: After testing, the results can be reviewed and corrective actions taken if any compatibility issues are identified.

Check out our online documentation to learn more about Extensibility Tenant Settings!

Advanced Customizations for Universal Login (Early Access) now with MFA Support!

We are excited to announce the next Early Access release of Advanced Customizations for Universal Login! This release adds support for building custom versions of Universal Login’s MFA enrollment screens and 3 of our most common MFA factors using the new ACUL SDK.

Advanced Customizations for Universal Login enables you to build custom, client-rendered interfaces for Universal Login screens, allowing you to control every pixel of your Universal Login experience. This release lets you build custom versions of the following screens:

  • MFA Detect Browser Capabilities
  • MFA Begin Enroll Options
  • MFA Enroll Result
  • MFA Login-options
  • MFA Email List
  • MFA Email Challenge
  • MFA Country Codes
  • MFA SMS Enrollment
  • MFA SMS List
  • MFA SMS Challenge
  • MFA Push Welcome
  • MFA Push Enrollment QR
  • MFA Push List
  • MFA Push Challenge Push

We are well on our way to adding support for everything that Universal Login currently supports out of the box. Check out our online documentation to learn more about ACUL and stay tuned to the Auth0 Changelog for updates and announcements!

deprecated

Node.js 12 and 16 Extensibility Runtimes

We have deprecated the Node.js 12 and 16 extensibility runtimes in all environments and recommend using the Node.js 22 runtime for your extensibility integrations (such as Actions, Rules, Hooks, Custom Database Connections, and Custom Social Connections).

We have provided additional information and timelines for removing the deprecated runtimes through a dashboard and support center notification.

Version 202507

deprecated

Unwarranted session removal after Management API user updates

We have deprecated the invalidation of user sessions when performing database connection user update (PATCH - /api/v2/users/{id}) requests where:

  • The email or email_verified attributes are set to an unchanged value;
  • The email_verified attribute is set to a true value.

These changes allow for consistent behavior between setting an email as verified through the Management API and the built-in email verification flows provided by the service. In addition, it improves the overall end-user experience by avoiding session invalidation in situations that do not require it, such as setting either the email or email_verified attributes to unchanged values.

The dashboard will be updated with a migration toggle to opt out of the deprecated behavior ahead of its future end-of-life; we have provided additional information and timelines for enforcing this change through a dashboard and support center notification.

added

Optimized TOTP Enrollment for Mobile Devices

End-user TOTP enrollment for native devices is now more intelligent! For end users enrolling in a TOTP factor on a mobile device, Auth0 skips the QR code and prompts for manual code entry, with the QR code as a fallback option. Check out Auth0 Temporary OTP for more detail!

Usage Metrics Dashboard for Okta FGA

We are excited to introduce the Usage Metrics Dashboard in Okta Fine-Grained Authorization (FGA), providing customers with deeper visibility into their authorization usage. This new dashboard, available under the “Manage Account” section of the Okta FGA dashboard, helps teams monitor, analyze and manage their FGA consumption efficiently.

What’s New?

  • Monitor Key Metrics: Track Monthly Active Users (MAUs), Total Tuple Count, and Monthly Average Requests Per Second (RPS).

  • Time Frame Selection: View trends over the Last Month or Last 3 Months, with the current month’s data always included for the latest insights.

  • Granular Data Views: Click the “View Table” option to see a detailed breakdown of usage by store and time period.

  • Hourly Updates: Data is refreshed hourly to help you make informed decisions.

Learn More:

Check out the documentation for details on how to use the dashboard effectively.

Email OTP Verification is Now Generally Available

Email OTP Verification is now Generally Available (GA). Minor improvements will continue to roll out over the next 1-4 weeks to enhance performance and usability.

With Email OTP Verification, users are required to enter a One-Time Password (OTP) sent to their email during the signup or password reset process. This ensures email verification happens before account creation or password reset is completed, offering enhanced security and reducing the chances of mistyped or fake email accounts.

Key Highlights:

  • Synchronous Email Verification: Prevents account creation or password reset until users verify their email via OTP.
  • Improved Security: Helps prevent fake accounts, ensures accurate email addresses, and discourages phishing through email links.
  • Applicability: Available for both email verification during signup and password reset challenges.

Prerequisites:

  • Must be using Universal Login.
  • Connection must have Flexible Identifiers enabled.
  • Email OTP is only compatible when using the Identifier First Authentication Profile.

To enable this feature, navigate to the Attributes tab on any connection and change the Verification Method under the Email attribute settings from Verification Link to OTP.

Advanced Customizations for Universal Login (Early Access) is launching today!

At Auth0, we understand that no two customer identity stories are the same. Every company has a brand identity, a secret sauce, and a unique aesthetic vision. Today, we are very excited to introduce the next evolution in customization for Universal Login, Advanced Customizations for Universal Login (ACUL). ACUL enables your team to build custom, client-rendered versions of each Universal Login screen, allowing you to control every pixel of the Universal Login experience.

This Early Access release of ACUL is available to all paid customers. Public cloud customers can start using it today! Those on private cloud will be enabled as part of their regular release cycle. This initial EA release provides a new configuration API, CDT and SDK support, and allows you to build custom versions of the following screens:

  • Login
  • Login Id
  • Login Password
  • Login Passwordless Email Code
  • Login Passwordless SMS OTP
  • Signup
  • Signup Id
  • Signup Password
  • Passkey Enrollment
  • Passkey Enrollment Local
  • Phone Identifier Enrollment (used for identity verification during Signup)
  • Phone Identifier Challenge (used for identity verification during Signup)
  • Email Identifier Challenge (used for identity verification during Signup)
  • Interstitial Captcha
  • Reset Password
  • Reset Password Email
  • Reset Password Request
  • Reset Password Error
  • Reset Password Success

The following flows and capabilities are supported in ACUL EA:

  • Single step Signup & Login with password and social & enterprise connections
  • ID First Signup/Login using password, passwordless email/SMS OTP, passkeys, and social & enterprise connections
  • Basic Reset Password flow with and without Bot Detection
  • Flexible Identifiers with and without identity verification enabled during Signup
  • Bot detection with any of our 7 supported Captcha providers during the Signup, Login, and Reset Password flows
  • Capturing additional data during Signup and Login using custom prompts

This is just the beginning! In the coming months, we will be adding support for every screen and capability that Universal Login currently supports out of the box, a shiny new Dashboard UI for configuring ACUL, and lots more DX goodness!

Check out our online documentation to learn more about ACUL and stay tuned to the Auth0 Changelog for updates and announcements!

Custom Token Exchange now available in Early Access

We are thrilled to announce the Early Access release of Custom Token Exchange. Enterprise customers can now request access to use this feature.

Token Exchange is an OAuth grant type that enables the exchange of security tokens for other security tokens, typically access tokens. Custom Token Exchange provides a flexible solution using Actions that lets customers supply their own logic to control the exchange, effectively providing the means to implement custom authentication semantics using Actions.

This added flexibility can be used by customers to tackle advanced integration use cases, such as:

  • Seamlessly migrating users to Auth0
  • Integrating external IDPs
  • Exchanging Auth0 tokens for a different audience
  • ... and other use cases where regular federation and/or OIDC flows are not an option

To learn more, read our documentation.

Reach out to your Auth0 contact to request access!

added

New Private Cloud Region in India

Auth0 is delighted to introduce Hyderabad as the latest AWS region for Private Cloud deployments.

Hyderabad follows Mumbai as the second AWS region for Auth0 Private Cloud available in India! This new addition unlocks reduced latency and increased flexibility for Auth0 deployments on AWS. We stand committed to meeting our customers’ data residency and resiliency needs in an ever expanding global market.

Enhanced Rate Limit Reporting

Customers now have Enhanced Rate Limit Reporting via Logs, including:

  • Increased Rate Limit Log (api_limit) Publishing Frequency: receive notifications once per minute indicating when you have exhausted a rate limit.
  • New Rate Limit Warning Log (api_limit_warning): receive notifications once per minute indicating when you have exhausted 80% of your rate limit request token allocation.
  • Enhanced Logs Schema: additional attributes (HTTP path, HTTP method, and bucket size) will be included to allow for easier mapping between Logs and the API Rate Limit Configuration docs: https://auth0.com/docs/troubleshoot/customer-support/operational-policies/rate-limit-policy/rate-limit-configurations
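An added example (not Auth0's own code) of what a consumer of these logs can do with them: a detector that aggregates api_limit_warning and api_limit events per client and endpoint and flags warnings that precede an exhausted bucket. The sample events are constructed, and the field names under details are an assumption about the enhanced schema.

```javascript
// Added example, not Auth0's own code: aggregate api_limit_warning / api_limit
// tenant log events (as delivered by a Log Stream) into one finding per
// client and endpoint. The attribute names under `details` (method, path,
// bucket_size) are an assumption about the enhanced log schema.

// Constructed sample events in the shape of Auth0 tenant log entries.
const SAMPLE_EVENTS = [
  { type: "api_limit_warning", date: "2025-07-01T10:00:00.000Z", client_id: "CLIENT_A",
    details: { method: "GET", path: "/api/v2/users", bucket_size: 50 } },
  { type: "api_limit_warning", date: "2025-07-01T10:01:00.000Z", client_id: "CLIENT_A",
    details: { method: "GET", path: "/api/v2/users", bucket_size: 50 } },
  { type: "api_limit", date: "2025-07-01T10:02:00.000Z", client_id: "CLIENT_A",
    details: { method: "GET", path: "/api/v2/users", bucket_size: 50 } },
  { type: "api_limit_warning", date: "2025-07-01T10:05:00.000Z", client_id: "CLIENT_B",
    details: { method: "POST", path: "/oauth/token", bucket_size: 30 } },
  // An unrelated successful-login event: ignored by the detector.
  { type: "s", date: "2025-07-01T10:05:30.000Z", client_id: "CLIENT_B", details: {} },
];

// A finding is "escalated" when an 80% warning was followed by an exhausted
// bucket (api_limit) for the same client and endpoint within the window.
function analyzeRateLimitLogs(events, { escalationWindowMinutes = 5 } = {}) {
  const windowMs = escalationWindowMinutes * 60 * 1000;
  const buckets = new Map();
  for (const ev of events) {
    if (ev.type !== "api_limit" && ev.type !== "api_limit_warning") continue;
    const { method = "?", path = "?", bucket_size = null } = ev.details || {};
    const key = `${ev.client_id}|${method} ${path}`;
    let b = buckets.get(key);
    if (!b) {
      b = { client_id: ev.client_id, method, path, bucket_size,
            warnings: 0, exhausted: 0, firstWarningAt: null, escalated: false };
      buckets.set(key, b);
    }
    const t = Date.parse(ev.date);
    if (ev.type === "api_limit_warning") {
      b.warnings += 1;
      if (b.firstWarningAt === null) b.firstWarningAt = t;
    } else {
      b.exhausted += 1;
      if (b.firstWarningAt !== null && t - b.firstWarningAt <= windowMs) b.escalated = true;
    }
  }
  // Both log types are published at most once per minute, so two or more
  // warnings mean sustained pressure even when no bucket was exhausted.
  return [...buckets.values()].map((b) => ({
    ...b,
    severity: b.exhausted > 0 ? "high" : b.warnings >= 2 ? "medium" : "low",
  }));
}

// One-line summary suitable for an alert or a SIEM message.
function formatFinding(f) {
  const tail = f.escalated ? " (warning preceded exhaustion)" : "";
  return `[${f.severity}] client=${f.client_id} ${f.method} ${f.path} bucket=${f.bucket_size} ` +
         `warnings=${f.warnings} exhausted=${f.exhausted}${tail}`;
}

for (const f of analyzeRateLimitLogs(SAMPLE_EVENTS)) console.log(formatFinding(f));
```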

Okta Universal Logout Integration Now Supported in Auth0

We’re thrilled to announce that Auth0 now supports Universal Logout integration with Okta Workforce Identity Cloud!

Okta Universal Logout is based on the Global Token Revocation specification and allows security incident management tools such as Okta Identity Threat Protection to send back-channel requests to revoke users' sessions and refresh tokens when they identify a change in risk.

With this feature, Auth0 customers federating with Okta Workforce Identity using the Okta, SAML, or OpenID Connect connection types no longer need to build a global token revocation endpoint. Instead, with minimal configuration required, they can provide the Okta admin with Auth0’s connection-specific endpoint URL.

This integration provides security benefits for apps that depend on refresh tokens and Auth0 sessions, as both are revoked when Auth0 receives a Universal Logout request for a user. This integration can also trigger Auth0's OIDC back-channel logout feature to terminate custom application sessions.

To learn more about Universal Logout support in Auth0, click here.

This feature will be rolled out to all public cloud environments over the next few days and to private cloud environments as per their release pipeline.

added

New Access Controls for Okta FGA Using Per-Module Authorization

We are excited to introduce the Per-Module Authorization feature. This enables large organizations to securely share authorization models by specifying which application credentials can update data for specific modules.

Teams that are responsible for their own separate services can now limit access to modification of authorization data on a per-module basis. Last year, we released Modular Models, where a single model could be separated into modules across multiple files, allowing teams to use features in their source code management platforms (such as GitHub’s CODEOWNERS feature) to enforce access on who can modify parts of a model.

Per-Module Authorization builds on top of that work to further define permissions for applications. Workflows can be implemented where different teams maintain their portion of an FGA model independently and also ensure that the services and applications owned by the respective teams can only modify their own authorization data.

For more details, refer to Okta FGA’s documentation on how to grant client credentials access to only specific modules.

updated

Introducing Next.js SDK v4 (GA)

We are excited to announce the next major version of Next.js SDK. With the introduction of nextjs-auth0 v4, we now support Next.js 15 and React 19, allowing developers to leverage the latest features and improvements in both frameworks. This compatibility not only enhances the development experience but also ensures that applications can take full advantage of performance optimizations. This updated SDK features a simplified architecture and is edge-compatible by default, enhancing performance and flexibility for developers.

What’s new:

  • Middleware-Based Authentication: Improved compatibility and reduced maintenance by moving to middleware-based handlers.
  • Enhanced Security: Switched to encrypted cookies and removed outdated cookie logic.
  • Resolved State Mismatch Issues: Fixed long-standing issues reported by the community.
  • Improved Session Management: Implemented rolling sessions and eliminated cookie chunking.
  • Improved Hooks and Helpers: Introduced useUser(), getAccessToken(), and getSession() for easier data fetching and session handling.
  • Stateful Sessions with Custom Databases: Support for "Bring Your Own Database" (BYODB).
  • Compatibility with Next.js 15, Turbopack, and React 19
  • Simplified architecture, API, and configuration options

Learn More:

updated

Update to Default From Email Address for Supported Email Providers!

What’s Changing: We are improving the Dashboard configuration experience for email providers. The default From address field will be required when creating or updating email provider configuration through the Dashboard. Customers do not need to take immediate action, and the Management API will maintain the field as optional for backward compatibility.

Key Dashboard Updates:

  1. Configuring New Email Providers: Customers must supply a default From address when configuring a new email provider.
  2. Changing Existing Email Providers: Customers must supply a default From address when updating an existing email provider. Existing configured email providers that do not have a From address configured will continue to work as before.

Why This Matters: An email provider configured without a default From address may lead to a poor user experience because email template customizations are not supported when a customer-defined From address is unavailable. By requiring a default From address at the email provider level, email template customizations will be respected even if the email template does not have a template-specific From address.

Rollout Timing: We plan to roll out this change in the coming days. After the rollout, customers can expect to see the enforcement of this required field on the Dashboard.

added

Custom Email Providers is now Generally Available!

We’re excited to announce that Custom Email Providers is now Generally Available.

With this feature, customers can configure custom email providers and customize emails so they can have full control of the email delivery process. This feature utilizes the Actions framework and leverages the Actions Code Editor so you can more completely manage, monitor, and troubleshoot your email communications. Auth0’s CI/CD tooling (Auth0 CLI, Deploy CLI, and Terraform Provider) now fully supports Custom Email Providers. To access these new capabilities, upgrade to the latest versions of Auth0 CLI, Deploy CLI, and Terraform Provider.

We encourage you to get started with Custom Email Providers today by checking out our documentation and if you have any feedback, give us a shout in our community channel!

Actions - Real-time Logs (Beta)

This Beta feature streams, in real time, the output from your custom Actions code. This includes all console.log output and exceptions.

For example, custom Action code such as the following:

console.log("Hello world!");

Will show up within Dashboard > Monitoring > Actions Logs as:

[Screenshot: Actions Real Time logs]

You can also use patterns such as the following to catch and log errors, making it easier to debug and troubleshoot your Actions.

try {
  nonExistentFunction();
} catch (error) {
  console.error(error);
  // Expected output: ReferenceError: nonExistentFunction is not defined
  // (Note: the exact message may vary with the Node.js runtime version)
}

These logs are not stored and are only available within the dashboard when you are logged in and are on the Dashboard > Monitoring > Actions Logs tab within the browser. These logs are designed to help you troubleshoot as you write or modify your custom Actions code.

Node 22 for Actions & other features

Node.js 22 is now generally available (GA) as a runtime for your extensibility integrations (such as Actions, Rules, Hooks, Custom Database Connections, etc.).

New Actions created will now default to Node 22 as the runtime. As part of this release, we have also split runtime selection for Legacy Extensibility (for Rules & Hooks) from the general Extensibility setting (for Custom Database Scripts & Custom Social Connections). These settings are available within Tenant > Settings > Advanced and allow you to manage the desired runtime configuration for each individually.

Please refer to our docs for more details on how to migrate to Node 22.

Client-Initiated Backchannel Authentication (CIBA) flow is now available in Early Access

We are delighted to announce that support for the Client-Initiated Backchannel Authentication (CIBA) flow is now available in Early Access.

The CIBA flow works as a decoupled authentication flow across two different devices:

  • Consumption device: initiates the authentication request.
  • Authentication device: handles end-user authentication, implemented as a custom mobile app which embeds the Guardian mobile SDK.

The CIBA flow supports a number of powerful use cases driven by backend client applications, such as:

  • Customer authentication by headless devices or devices with limited interaction capabilities.
  • Customer authentication in call centre scenarios.
  • Authorising sensitive operations on behalf of yourself or a third-party e.g. a customer service agent.

To evaluate CIBA for securing your sensitive customer interactions, contact your Technical Account Manager. For more details, check out our product documentation.
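The consumption-device side of the decoupled flow above, as an added example (not Auth0's own code): it starts the request and runs the poll loop with the back-off the flow requires. The /bc-authorize endpoint, the iss_sub login_hint format, the CIBA grant-type URN and all tenant, client and user values are assumptions, and the HTTP calls are served by a constructed fake so the exchange runs offline.

```javascript
// Added example, not Auth0's own code: the consumption-device (backend) side
// of CIBA. Assumptions: Auth0's /bc-authorize endpoint, the iss_sub
// login_hint format and the urn:openid:params:grant-type:ciba token grant;
// `post(url, form)` is injected so the flow can run against the fake below.

const CIBA_GRANT = "urn:openid:params:grant-type:ciba";

// Step 1: ask Auth0 to push an authentication request to the user's
// Guardian-enrolled device. binding_message is shown to the user so they can
// see what they are approving.
async function startCiba(post, cfg) {
  const resp = await post(`https://${cfg.domain}/bc-authorize`, {
    client_id: cfg.clientId,
    client_secret: cfg.clientSecret,
    scope: cfg.scope,
    audience: cfg.audience,
    login_hint: JSON.stringify({ format: "iss_sub", iss: `https://${cfg.domain}/`, sub: cfg.userId }),
    binding_message: cfg.bindingMessage,
  });
  if (!resp.auth_req_id) throw new Error(`bc-authorize failed: ${resp.error || "no auth_req_id"}`);
  return resp; // { auth_req_id, expires_in, interval }
}

// Pure decision step for one token-endpoint response: keep polling on
// authorization_pending, add 5 seconds on slow_down, stop on anything else.
function nextPollAction(resp, intervalSec) {
  if (resp.access_token) return { action: "done", interval: intervalSec };
  switch (resp.error) {
    case "authorization_pending": return { action: "wait", interval: intervalSec };
    case "slow_down": return { action: "wait", interval: intervalSec + 5 };
    case "access_denied": return { action: "fail", reason: "user declined the request" };
    case "expired_token": return { action: "fail", reason: "request expired before the user responded" };
    default: return { action: "fail", reason: `token endpoint error: ${resp.error || "unknown"}` };
  }
}

// Step 2: poll the token endpoint until the user approves, declines, or the
// request expires; never poll faster than the server-provided interval.
async function pollCibaToken(post, cfg, authReq, sleep) {
  let interval = authReq.interval || 5;
  const deadline = Date.now() + authReq.expires_in * 1000;
  while (Date.now() < deadline) {
    const resp = await post(`https://${cfg.domain}/oauth/token`, {
      grant_type: CIBA_GRANT,
      client_id: cfg.clientId,
      client_secret: cfg.clientSecret,
      auth_req_id: authReq.auth_req_id,
    });
    const step = nextPollAction(resp, interval);
    if (step.action === "done") return resp;
    if (step.action === "fail") throw new Error(step.reason);
    interval = step.interval;
    await sleep(interval * 1000);
  }
  throw new Error("gave up polling: auth_req_id expired");
}

// Constructed fake of the two Auth0 endpoints: the user approves on the third poll.
function makeFakeAuth0() {
  let polls = 0;
  const calls = [];
  const post = async (url, form) => {
    calls.push({ url, form });
    if (url.endsWith("/bc-authorize")) return { auth_req_id: "constructed-req-1", expires_in: 300, interval: 5 };
    polls += 1;
    if (form.grant_type !== CIBA_GRANT || form.auth_req_id !== "constructed-req-1") return { error: "invalid_grant" };
    if (polls === 1) return { error: "authorization_pending" };
    if (polls === 2) return { error: "slow_down" };
    return { access_token: "constructed-access-token", token_type: "Bearer", expires_in: 86400 };
  };
  return { post, calls };
}

async function runCibaDemo() {
  const fake = makeFakeAuth0();
  const sleeps = [];
  const sleep = async (ms) => { sleeps.push(ms); }; // records waits instead of waiting
  const cfg = { domain: "tenant.example.auth0.com", clientId: "CONSTRUCTED_CLIENT_ID",
    clientSecret: "CONSTRUCTED_SECRET", scope: "openid", audience: "https://api.example.com",
    userId: "auth0|constructed-user", bindingMessage: "Approve transfer #1234" };
  const authReq = await startCiba(fake.post, cfg);
  const token = await pollCibaToken(fake.post, cfg, authReq, sleep);
  return { token, sleeps, calls: fake.calls };
}
```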

Organization ID is now available in "Successfully revoked a refresh token" logs

We’ve added the Organization ID to the Auth0 Tenant Logs for the Successfully revoked a refresh token (srrt) event. This enhancement allows you to correlate the organization associated with the revoked refresh token for improved tracking and auditing.

Actions secret value length increased

We have increased the max secret value length from 2048 to 4096 to allow for larger secrets to be stored within Actions.

You can refer to our docs for further details on Actions limitations.

added

New high performance tier for Private Cloud on AWS

We're excited to introduce the new 10,000 RPS (100x) tier for Auth0 Private Cloud Performance offering on AWS. This enhanced tier supports a higher volume of authentication requests, complementing the existing 30x and 60x tiers for customers who need high performance thresholds.

Please see Private Cloud documentation to learn more.

added

Bot Detection ML Model for Signup Attack Detection Now Available for Classic and Custom Login

The new Bot Detection ML model designed to detect signup attacks is now available for Classic Login and Custom Login implementations.

For customers using Classic or Custom login experiences, this enhancement leverages advanced machine learning to identify and block automated signup attacks effectively.

For those using New Universal Login, no configuration changes are required. This feature was rolled out for New Universal Login in September, as highlighted in the changelog here.

Below is the demo showcasing how to enable this feature in Auth0 for Classic and Custom Login experiences.

This enhanced security capability is now available to all Enterprise customers with the Attack Protection add-on. The rollout is underway and will be completed in the coming weeks, aligned with individual customer release schedules.

For details on activation or to learn more, visit our documentation or reach out to your account team. We’re here to support you in protecting your systems against evolving threats.

added

Security Center Alerts for Thresholds - Early Access

Introducing a new capability within the Security Center Dashboard offering - Security Center Alerts for Thresholds Early Access. This new feature expands on the Security Center metrics and Thresholds to allow Enterprise customers to not only monitor their tenant security but also receive notifications when a threat metric exceeds their predefined thresholds. Customers can now configure webhook alert notifications on security threat metrics and monitor when threats exceed the acceptable value.

To learn more about Alerts for Thresholds, click here.

added

Resilience enhancement - Private Cloud space restoration (Early Access)

Auth0 is pleased to announce the Early Access (EA) of enhanced support for customer data recovery. This resilience feature is available to a set of Private Cloud customers during EA. It will come in handy in the event of customer data loss or data corruption, and will assist customers in meeting regulatory requirements such as the European Union’s Digital Operational Resilience Act (DORA).

Customers will be able to request restoration of their production Private Cloud space from a backup taken within the past 14 days. Please refer to the Operational Policies documentation for details.

updated

Introducing Newly Styled Customizable Email Templates!

We’re excited to announce that all Customizable Email Templates have been styled with a modern look and feel and are now live!

No verbiage or content has been changed on any of the emails, and customers that have customized the email templates are unaffected.

added

Auth0 Teams - Add SSO Connections (Beta)

Single Sign-On (SSO) allows one set of credentials to access multiple resources through a centralized identity provider (IdP). Auth0 Teams security policies allow team owners to configure and implement authentication rules that adhere to their organization's IT security policies for access to infrastructure systems or applications.

Announcing, in beta, the ability for team owners to self-configure and connect their IdP to provide SSO for dashboard administrators.

Auth0 Teams Self-Service SSO beta is currently limited to Public Cloud Enterprise customers.

Interested in the BETA? Reach out to your Technical Account Manager to enrol in our beta program.

updated

Auth0 Dashboard Session Management - GA

Announcing General Availability of Auth0 Dashboard Login Session Management, a feature that allows Auth0 Dashboard admins to view and revoke active dashboard sessions, adding a layer of security on top of the session idle timeout for both our Public and Private Cloud customers.

Click here to learn more about Auth0 Dashboard Login Session Management.

Increased Organization Metadata Slots

We’re excited to announce that we’ve increased the number of metadata slots for Organizations from 10 to 25! This enhancement provides you with more flexibility to store and manage additional data within your organization, enabling a more customized and efficient approach to your workflows.

To learn more about Organizations, click here.

Customer Managed Keys is now Generally Available

We are delighted to announce that Customer Managed Keys is now generally available. This solution within the Highly Regulated Identity solution suite enables organizations to comply with cryptographic key-related security policies for data protection. Customer Managed Keys provides customers with two options for key management: Control Your Own Key and Bring Your Own Key.

With Control Your Own Key, you can manage the lifecycle of the Tenant Master Key according to your security policy. Bring Your Own Key allows you to maintain ownership of the Root Key that protects the encryption key hierarchy. These features enable compliance with cryptographic key-related security policies for data protection.

You can read more about this in our product documentation.

added

New API command within Password Reset / PostChallenge Action Trigger

We added a new API command available in the Password Reset / PostChallenge trigger. This API allows Tenant Developers to specify the url to redirect a user to upon the completion of a password reset on Universal Login.

Here is an example of using the command to redirect the user to a sample url after a successful password reset:

  exports.onExecutePostChallenge = async (event, api) => {
    api.transaction.setResultUrl('https://yourapp.yourdomain.com/profile');
  };

You can learn more in our reference documentation.
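The snippet above hard-codes one target. As an added example (not Auth0's own code), the Action below picks the post-reset redirect from a fixed allow-list keyed by the requesting application, so the result URL is never taken from request data. It uses the `api.transaction.setResultUrl(url)` command announced above and assumes, hypothetically for this trigger, that the event exposes the application id as `event.client.client_id`; the client ids and URLs are constructed sample values.

```javascript
// Added example, not Auth0's own code. Uses api.transaction.setResultUrl(url) from the
// Password Reset / PostChallenge trigger and assumes (hypothetically) that the event
// carries the requesting application id as event.client.client_id.
// The redirect target comes from a fixed allow-list rather than from request data,
// so the post-reset redirect cannot be pointed at an arbitrary site.

// Constructed sample mapping: client id -> post-reset landing page.
const RESULT_URLS = {
  'web-app-client-id': 'https://yourapp.yourdomain.com/profile',
  'admin-client-id': 'https://admin.yourdomain.com/password-updated',
};
// Used when the client id is unknown or missing.
const DEFAULT_RESULT_URL = 'https://yourapp.yourdomain.com/login';

// Return the allow-listed result URL for a client id, or the default when unknown.
function chooseResultUrl(clientId) {
  return Object.prototype.hasOwnProperty.call(RESULT_URLS, clientId)
    ? RESULT_URLS[clientId]
    : DEFAULT_RESULT_URL;
}

// Synchronous core of the Action, so it can be exercised with a stub `api` object.
// Returns the URL it set.
function applyResultUrl(event, api) {
  const clientId = event && event.client ? event.client.client_id : undefined;
  const url = chooseResultUrl(clientId);
  api.transaction.setResultUrl(url);
  return url;
}

// The Action handler Auth0 invokes after a successful password-reset challenge.
const onExecutePostChallenge = async (event, api) => {
  applyResultUrl(event, api);
};

// Register the handler the way Auth0 Actions expect (CommonJS `exports`).
if (typeof exports !== 'undefined') {
  exports.onExecutePostChallenge = onExecutePostChallenge;
}
```

Keeping the mapping in the Action (or in Action secrets) rather than reading a `returnTo`-style value from the transaction is what makes the redirect safe: an attacker who can start a password reset cannot influence where the user lands afterwards.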

added

New Batch Check API Endpoint for Okta FGA

We’ve introduced a new Batch Check endpoint to the Okta FGA API, allowing clients to batch multiple authorization checks into a single request. This enhancement reduces the network latency of previously having to perform multiple Check API requests in parallel, resulting in faster and more efficient requests for applications with high authorization demands.

For more details, refer to the Okta FGA Batch Check documentation.

Bot Detection Enhanced with Additional Tenant-Level Signals

We’re thrilled to announce that our fourth-generation Bot Detection has been upgraded to incorporate additional aggregated tenant-level insights. This upgrade strengthens bot detection across both public and private cloud environments, providing a more precise and robust defense against malicious activity while ensuring a seamless and secure experience for all users.

This enhanced security capability is now available to all Enterprise customers with the Attack Protection add-on. The rollout is currently underway and will be completed in the coming weeks, aligned with individual customer release schedules.

For details on activation or to learn more, please refer to our documentation or reach out to your account team. We are here to support you in protecting your systems against evolving threats.

Self-Service SSO is now in General Availability (GA)

Auth0 is excited to announce that Self-Service SSO is now in General Availability.

Our Self-Service SSO feature is designed to simplify and streamline the administrative tasks that are essential for every B2B SaaS product. By equipping your business customers to configure their own Single Sign-On setups, we provide them with a seamless, intuitive experience—eliminating the need for complex IT involvement. This flexibility not only enhances security but also improves the overall user experience, giving businesses more control and agility while reducing overhead.

This feature is available for B2B Professional, Enterprise and Enterprise Premium customers.

Click here to learn more.

upcoming deprecation

Rules and Hooks are now read-only in Public Cloud

We have transitioned the Rules and Hooks features to a read-only mode in all public cloud environments as part of their announced deprecation plan.

You can still disable, delete or re-enable an existing Rule or Hook. You can also add or remove Rules settings (for updating stored secrets) or Hook secrets but you will no longer be able to modify their script.

If this impacts you, our recommendation is to migrate to Actions. Refer to the following docs for more details:

updated

Announcing the Beta Release of nextjs-auth0 SDK v4

Hello everyone,

We're thrilled to announce the beta release of nextjs-auth0 SDK v4! This new version brings significant improvements, new features, and fixes to enhance your development experience.

Important Notice About v3

As we move forward, we will not be updating v3 of the SDK to support Next.js 15. This allows us to focus on v4, which offers a wealth of new features and improvements. This will also enable us to support future releases of Next.js faster and with more confidence. We understand this may pose challenges, and we're here to help.

v3 will continue to receive critical security updates for 6 months after the GA of v4.

Highlights of v4 Beta

  • Middleware-Based Authentication: Improved compatibility and reduced maintenance by moving to middleware-based handlers.
  • Enhanced Security: Switched to encrypted cookies and removed outdated cookie logic.
  • Resolved State Mismatch Issues: Fixed long-standing issues reported by the community.
  • Improved Session Management: Implemented rolling sessions and eliminated cookie chunking.
  • Improved Hooks and Helpers: Introduced useUser(), getAccessToken(), and getSession() for easier data fetching and session handling.
  • Stateful Sessions with Custom Databases: Support for "Bring Your Own Database" (BYODB).
  • Compatibility with Next.js 15, Turbopack, and React 19
  • Simplified architecture, API, and configuration options

Try It Out and Provide Feedback

We invite you to explore the beta release and share your feedback to help us improve before the general availability release. We are currently targeting a general availability release by the end of December.

Beta Release: v4.0.0-beta.3

Need Help with Migration?

If you encounter challenges migrating to v4, please don't hesitate to open an issue and our team will assist you. We're committed to making the transition as smooth as possible.

Thank You for Your Support

We appreciate your understanding as we focus on making v4 the best it can be. Your feedback is invaluable, and we're here to support you every step of the way.

Happy coding! 🚀

— The Auth0 DX SDK Team

Bot Detection Now Upgraded with User-Agent Signals

We are excited to announce that our fourth-generation Bot Detection has been upgraded with user-agent signals, and is now integrated into our proprietary machine learning model. This enhancement improves our capability to detect and thwart bot activity, further strengthening protection against malicious traffic without adding any additional friction for legitimate users.

This security feature is available to all Enterprise customers with the Attack Protection add-on. We are currently rolling out this enhancement and expect to complete the process within the next few weeks, aligned with your individual release schedules.

For activation details or further information, please check our documentation or reach out to your account team. We’re here to support you in safeguarding your systems against evolving threats.

Thank you for trusting us with your security needs.

Self-Service SSO: Exciting Updates

Auth0 is excited to announce the following updates to Self-Service SSO:

  1. Custom Introduction Text: You can now customize the welcome message on the wizard's landing screen, aligning the experience with your brand’s tone and engaging users right from the start.
  2. PingFederate Support: We've expanded our list of supported Identity Providers (IdPs) to include PingFederate, giving you more flexibility in your authentication options.
  3. Revoking SSO Access Tickets: Our new API endpoint lets you revoke SSO access tickets at any time.
  4. Updated Ticket Expiration: Access tickets are now consumed only when a connection is created, enabled or edited — like when updating SAML or OIDC details — avoiding issues with scanners opening them prematurely.
  5. Customized Login Experience: When creating a ticket, you can now define the login experience — adding optional parameters for Home Realm Discovery, Organization Auto-Membership, and more to tailor every step of the way.

To learn more, see the Self-Service SSO documentation.

Additional SAML methods available via Actions

Actions now supports the following APIs within the post-login trigger.

  • api.samlResponse.setRelayState(relayState)
  • api.samlResponse.setIssuer(issuer)

You can see all available API methods supported within the post-login trigger along with details on these methods from this link.

Machine-to-Machine Access for Organizations is now in General Availability (GA)

The possibility to scope machine-to-machine access to a specific organization is now Generally Available. This feature allows you to define the organizations that a given application can access for each API via the Client Credentials Flow.

You can easily define and enforce access to one, many, or all the organizations in your tenant and securely expand the reach of your SaaS APIs to more use cases and scenarios, making sure sensitive data and operations are only accessible to authorized parties. After configuring the access rights for your API, you simply have to inspect the org_id in access tokens of incoming requests, independently of whether they come from third-party applications or your own applications.

This feature is available for B2B Professional, Enterprise and Enterprise Premium customers.

To learn more, read the reference documentation.
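The entry says the API only has to inspect `org_id` in incoming access tokens. As an added example (not Auth0's own code), this is what that check looks like on the API side once the token's signature, issuer, audience and expiry have been verified by your JWT library: the `org_id` claim must be present and must be one of the organizations the API accepts. The organization ids are constructed placeholders, and the Express-style middleware assumes the verified payload is available as `req.auth.payload`.

```javascript
// Added example, not Auth0's own code. Enforces the org_id claim of a Client Credentials
// access token on the API side. `claims` is assumed to be the payload of a token whose
// signature, issuer, audience and expiry were already verified by a JWT library.

// Constructed sample: organizations this API resource accepts.
const ALLOWED_ORGS = new Set(['org_constructedA1', 'org_constructedB2']);

// Decide whether a verified token payload may reach this API.
// Returns a decision object instead of throwing so callers can log the reason.
function authorizeOrg(claims, allowedOrgs = ALLOWED_ORGS) {
  if (!claims || typeof claims !== 'object') {
    return { allowed: false, reason: 'missing claims' };
  }
  // A token issued without organization scope must not be treated as any org's token.
  if (typeof claims.org_id !== 'string' || claims.org_id.length === 0) {
    return { allowed: false, reason: 'token has no org_id' };
  }
  if (!allowedOrgs.has(claims.org_id)) {
    return { allowed: false, reason: `org ${claims.org_id} not allowed` };
  }
  return { allowed: true, orgId: claims.org_id };
}

// Express-style middleware (assumption: req.auth.payload holds the verified claims).
// On success it exposes the organization to downstream handlers as req.orgId so data
// access can be scoped to that organization.
function requireAllowedOrg(req, res, next) {
  const decision = authorizeOrg(req.auth && req.auth.payload);
  if (!decision.allowed) {
    res.status(403).json({ error: 'forbidden', reason: decision.reason });
    return;
  }
  req.orgId = decision.orgId;
  next();
}
```

Treating a missing `org_id` as a denial (rather than as "no organization restriction") is the important branch: if the same API also accepts tokens that are not organization-scoped, handle those on a separate, explicit path instead of letting them through this check.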

added

High Capacity Private Cloud Burst Offerings (AWS)

Auth0 is delighted to launch Private Performance Burst AWS - 30x (3000 RPS*) and 60x (6000 RPS) offerings for Private Cloud deployments on AWS.

These cost-effective Private Performance options scale the Authentication traffic up to 3000 RPS and 6000 RPS respectively for 80 hours a month, and allow usage up to 1500 RPS and 3000 RPS respectively for the remaining duration.

The elevated transaction capacity comes in handy for planned and unplanned traffic spikes, e.g. during product launches, large media events, seasonal activities, and unpredictable usage peaks.

The Private Performance Burst offering is just another milestone in our commitment to providing the functionality and flexibility our beloved customers need.

Please refer to Private Performance Burst documentation page for more information.

*RPS: Requests Per Second

added

Define Conditional Relationship Tuples in the Okta FGA Dashboard

The Okta FGA authorization modeling language allows defining conditions that can be used to express certain ABAC authorization policies. Previously, if you wanted to take advantage of that feature you needed to use the Okta FGA API or the FGA CLI.

Now, with the Okta Fine Grained Authorization Dashboard, you can create conditional relationship tuples and specify context parameters in assertions, making it easier to fully define ABAC-like conditions directly within the dashboard.

For more details, refer to the Okta FGA dashboard documentation.

added

Extended group attributes now supported for Google Workspace Enterprise connections

The Google Workspace Enterprise connection now supports an Extended Group Attribute Format option. When selected, group memberships are written to the Auth0 user profile as an array of JSON objects containing the group unique ID, group name, and group email address for each group retrieved from Google.

For more information, see Connect Your App to Google Workspace.

This feature is immediately available in the public cloud and will be rolled out to private cloud environments in the next few weeks as per the release pipeline.

Self-Service SSO: IdP Selection, Keycloak Support and Miscellaneous Improvements

Auth0 is excited to introduce the following updates to Self-Service SSO:

  1. Tenant admins now have the ability to choose which IdPs to display when their customers are setting up an SSO profile through the set up wizard, making the entire process more efficient and customizable.
  2. We've added support for Keycloak expanding the available IdPs.
  3. When no user attributes exist in the SSO profile, we skip the Claims Mapping instructions in the SSO wizard.
  4. When testing the connection, the JSON has been formatted to show on multiple lines.

To learn more, see the Self-Service SSO documentation.

Custom Phone Providers in Early Access!

We’re excited to announce that Custom Phone Providers is now in Early Access.

With this feature, customers can configure custom phone providers and customize phone messages associated with using phone number as an identifier. Using a custom phone provider for MFA and passwordless phone messages is planned for a later release.

This early access release enables you to:

  • Configure your preferred phone provider for phone messages
  • Leverage various contexts for using different providers, including organization, client, user, and more

We encourage you to get started with Custom Phone Providers today by checking out our documentation and if you have any feedback, give us a shout in our community channel!

changed

Support Center Closed Tickets Older than 24 Months to be Deleted

In our continuing effort to improve our security posture, Auth0 will no longer retain closed support tickets older than 24 months. Closed support tickets older than 24 months will be deleted on October 16. To view your support tickets, navigate to https://support.auth0.com/tickets. For questions or issues regarding this change, please reach out to Support.

added

New Private Cloud Region in United Arab Emirates (UAE)

Auth0 is delighted to introduce the United Arab Emirates (UAE) as the latest AWS region for Private Cloud deployments.

We are committed to enhancing our presence in the Middle East. The UAE joins Bahrain as the second AWS region for Auth0 Private Cloud in this part of the world. This expansion opens up new possibilities in the UAE, where Private Cloud deployment is already supported on Azure.

Update to Session Termination Behavior when Adding Identifiers

What’s Changing:

We are improving the user experience when adding or updating identifiers (email, phone number, or username) in profiles.

Key Updates:

  1. New Identifier: When a new identifier type (email, phone, or username) is added to a user profile where one does not already exist, the user’s session will not be terminated. This allows for a smoother progressive profiling experience, where users can add new identifiers without disruption.
  2. Changing Existing Identifier: When an existing identifier is modified, the user’s session will terminate, and the user will have to re-authenticate. This ensures security best practices are followed when updating key account information.

Why This Matters: Previously, any update to an identifier (whether adding or changing it) would terminate the user’s session. This could lead to a poor experience, especially during progressive profiling, where users are expected to update or add information without being logged out. With this update, customers can offer a seamless experience for users adding new identifiers while maintaining strict security for changes to existing identifiers.

Rollout Timing: This change will be rolled out progressively over the next 1-4 weeks. Customers can expect to see the updated session handling behavior in their environments during this period.

Action Required: No immediate action is required from customers, but it is recommended to review any user flows that involve the addition or modification of identifiers to ensure they align with this change.

updated

EN 301 549 Compliance for Universal Login

Okta CIC is excited to announce that Universal Login now satisfies the guidelines of the EN 301 549 standard out of the box, or provides the configurability needed to satisfy them. We have updated our VPAT to include this information, and it is available on Okta.com. By ensuring that Universal Login is accessible to all users, we enable our customers to confidently secure their applications with accessible authentication.

See our online documentation for more details.

Email OTP Verification (Early Access)

We have introduced Email OTP Verification as a new method for email verification, available in Early Access. Expect to see the feature in your environments within the next 1-4 weeks.

With Email OTP Verification, users are required to enter a One-Time Password (OTP) sent to their email during the signup or password reset process. This ensures email verification happens before account creation or password reset is completed, offering enhanced security and reducing the chances of mistyped or fake email accounts.

Key Highlights:

  • Synchronous Email Verification: Prevents account creation or password reset until users verify their email via OTP.
  • Improved Security: Helps prevent fake accounts, ensures accurate email addresses, and discourages phishing through email links.
  • Applicability: Available for both email verification during signup and password reset challenges.

Prerequisites:

  • Must be using Universal Login.
  • Connection must have Flexible Identifiers enabled.
  • Email OTP is only compatible when using the Identifier First Authentication Profile.

To enable this feature, navigate to the Attributes tab on any connection and change the Verification Method under the Email attribute settings from Verification Link to OTP.

New endpoints on the Session Management APIs

We are happy to announce that we just added two new endpoints to our Session Management APIs:

POST /api/v2/users/{id}/revoke-access – This endpoint allows you to revoke sessions for a user and decide if you want to revoke the associated Refresh Tokens.

POST /api/v2/sessions/{id}/revoke – This endpoint will revoke the session and all its related Refresh Tokens.

Please refer to the Auth0 Management API for more information.

Actions UI updated

The Auth0 Actions dashboard experience and documentation have been updated to consolidate around the concept of "Triggers" (as opposed to our previous mix of Flows and Triggers). A trigger represents a point in the Auth0 process where Actions can be added.

We believe this change will make it easier for you to identify available customization options (now simply labelled as triggers) and how they can be leveraged to personalize your identity needs.

Please note that this change does not have any impact on the current functional behaviour of Actions within Auth0.

Continuous Session Protection now available for enterprise customers

Continuous Session Protection is now generally available for enterprise customers, providing powerful tools to dynamically manage Sessions and Refresh Tokens within Auth0 Actions. This feature offers flexible options to configure expiration settings, access additional session and token data, and revoke sessions when necessary, enhancing security and control.

Key benefits of Continuous Session Protection include:

  • Dynamic Session and Token Expiration: Configure custom absolute and idle timeouts for Sessions and Refresh Tokens using the new setExpiresAt(Date) and setIdleExpiresAt(Date) methods. These settings can be applied across users, organizations, or specific connections to meet your security and compliance needs.
  • Enhanced Security with Revocation: Revoke Sessions and Refresh Tokens programmatically using Actions, based on custom logic or risk assessments. This allows you to take immediate action when suspicious behavior is detected or when tokens no longer meet your security policies.
  • Comprehensive Session and Token Insights: Access additional session and refresh token attributes within Actions, enabling you to make more informed, data-driven decisions for managing user sessions.

These features allow enterprise customers to dynamically improve their security posture by customizing session behavior, enforcing shorter expiration times for high-risk roles (such as administrators), and revoking tokens when necessary to mitigate risks.

To learn more, visit the product documentation: Continuous Session Protection

added

SaaStart: Multi-tenant B2B SaaS Admin Dashboard in minutes

We're happy to announce SaaStart: a complete B2B SaaS reference application built using Next.js, Radix UI and Auth0 by Okta. Clone the repo to get a head start on the capabilities that you'll need to support enterprise customers of your SaaS app - like multi-tenant user management and access controls, security policies, self-service Single Sign-On configuration and more...

Give us a holler in the Auth0 community if you have any questions!

Enhancements to Customize Signup and Login

Passwordless Connection Support

Universal Login now supports customizing the passwordless signup and login authentication flows, allowing customers to address their unique data capture, security, and compliance requirements when users authenticate with email and SMS one-time passwords.

See our online documentation for more information, instructions and examples.

Dev Tooling support for the Partials API

Auth0’s CI/CD tooling (Auth0 CLI, Deploy CLI, Terraform Provider) now fully supports the Partial API including the new Passwordless prompts. As a bonus, Partials can now also be edited using Auth0 CLI’s UL Customize interface. Run auth0 ul customize in your terminal to see it in action. To access these new capabilities, upgrade to the latest versions of Auth0 CLI, Deploy CLI, and Terraform Provider.

Test Custom DB scripts with a specific Node runtime version

You are now able to individually test a Custom Database script for a specific Node runtime version.

This will help to validate script changes against a target runtime version before you modify the default global tenant configuration for Extensibility runtime.

You can read more about how to use this feature in our documentation.

added

Support for Okta Universal Logout now available in Limited Early Access!

We’re excited to announce that support for Okta Universal Logout in Okta Customer Identity Cloud is now in Limited Early Access!

Okta Universal Logout is based on the Global Token Revocation specification and allows security incident management tools such as Okta Identity Threat Protection to send back-channel requests that revoke application users' sessions and refresh tokens when they identify a change in risk.

With this feature, customers who use Okta Workforce Connections in Auth0 no longer need to build their own Global Token Revocation endpoints to support Universal Logout. Simply enable it for your Okta Workforce connection and provide the endpoint URL to the Okta Workforce administrator.

To enable the Limited Early Access release in your Auth0 tenant, please contact your Technical Account Manager to request access.

Forms is now Generally Available (GA)

We’re excited to announce that Forms is now generally available in Okta Customer Identity Cloud!

This new feature allows you to extend your login and signup flows with additional steps and business logic.

What's new:

  1. Pass data between Forms and Actions: now you can easily inject server-side data from Actions to Forms, and use the collected data in Forms in your Actions.
  2. New form components: custom fields components to create your own fields UI with code, image block to personalize your form adding logos or images, and HTML block to customize it with code.
  3. Organizations support: forms now inherit organization branding, and there is available context data about the organization you're using.
  4. Management API: create and manage forms using the Management API.
  5. Other changes: added new templates, rich text editor improvements, and new masking options for your flows.

Learn more:

Self-Service SSO - Support for multiple self-service SSO profiles

We’re excited to announce the introduction of support for multiple Self-Service SSO profiles! This new feature allows you to customize Self-Service SSO profiles configurations to meet your diverse needs, including different required attributes and branding. With this update, you can now tailor SSO setups more precisely to fit your company's unique requirements.

Learn more about Self-Service SSO in the product documentation.

Security Center Thresholds now in General Availability (GA)

Within the Security Center Dashboard offering, customers can now set metric thresholds. This new feature provides Enterprise customers with an enhanced proactive capability around the various Security Center monitors they track. Customers can now configure thresholds on security threat metrics and monitor when threats exceed the acceptable value. The feature is available in all Public cloud environments and rolling out to Private spaces throughout the next few weeks.

Bot Detection Now Enhanced with ML Model for Signup Attack Detection

We are excited to announce that our Bot Detection feature has been upgraded with a new machine learning model specifically designed to detect and prevent signup attacks. This enhancement integrates advanced ML capabilities into our proprietary Bot Detection system, significantly improving the identification of fraudulent account creation attempts.

This feature is currently available in the New Universal Login experience, providing added security for customers utilizing our latest UI. For customers using the Classic Login or custom UI, we are evaluating options to extend these capabilities in the future.

As always, to activate Bot Detection or if you require more detailed information, please visit our online documentation or contact your account team. We are here to assist you in ensuring your systems remain secure against evolving threats.

added

New Query Consistency Options in Okta FGA

We are pleased to announce that developers using Okta FGA now have a way to specify their required consistency level when querying Okta FGA.

To minimize latency, Okta FGA uses two levels of caching, which can result in permission changes not being reflected in authorization queries for up to 20 seconds.

All query APIs (Check, Read, ListObjects, ListUsers, Expand) now have an additional optional parameter with two possible values:

  • MINIMIZE_LATENCY (default): Okta FGA will try to minimize latency (e.g. by making use of the cache)
  • HIGHER_CONSISTENCY: Okta FGA will try to optimize for stronger consistency (e.g. by bypassing cache)

When using HIGHER_CONSISTENCY, latency will be higher, as Okta FGA will read directly from the database. Developers need to make the trade-off between consistency and latency depending on the use case.

All SDKs were updated with support for the new parameter.

You can learn more in the Okta FGA documentation.
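One practical way to make the trade-off the entry describes is to keep MINIMIZE_LATENCY as the default and switch to HIGHER_CONSISTENCY only for checks that follow a relationship write on the same object by the same caller (the "share a document, then immediately confirm the new viewer can see it" case), since those are the checks the cache can answer stale. The block below is an added example, not Okta FGA's SDK code: it tracks recent writes for the 20-second window stated above and builds the Check request body with the chosen value. The body shape (`authorization_model_id`, `tuple_key`, `consistency`) follows the OpenFGA Check API; the store id and model id are constructed placeholders.

```javascript
// Added example, not Okta FGA's own SDK code. Chooses between MINIMIZE_LATENCY and
// HIGHER_CONSISTENCY per Check using a read-your-writes window, then builds the
// Check request body. Store and model ids are constructed placeholders.

const CACHE_WINDOW_MS = 20 * 1000;   // the entry above: results may lag up to 20 s
const STORE_ID = 'STORE_ID_PLACEHOLDER';
const MODEL_ID = 'MODEL_ID_PLACEHOLDER';

// Tracks objects whose tuples this process wrote recently.
class ConsistencyPolicy {
  constructor(now = () => Date.now()) {
    this.now = now;                 // injectable clock, so the policy is testable
    this.recentWrites = new Map();  // object -> timestamp of the last tuple write
  }

  // Call after a successful Write of tuples that reference `object`.
  recordWrite(object) {
    this.recentWrites.set(object, this.now());
  }

  // Pick the consistency value for a Check against `object`.
  pick(object) {
    const wroteAt = this.recentWrites.get(object);
    if (wroteAt === undefined) return 'MINIMIZE_LATENCY';
    if (this.now() - wroteAt < CACHE_WINDOW_MS) return 'HIGHER_CONSISTENCY';
    this.recentWrites.delete(object); // window has passed; the cache is safe again
    return 'MINIMIZE_LATENCY';
  }
}

// Build the JSON body for POST /stores/{store_id}/check with the chosen consistency.
function buildCheckRequest(policy, { user, relation, object }) {
  return {
    path: `/stores/${STORE_ID}/check`,
    body: {
      authorization_model_id: MODEL_ID,
      tuple_key: { user, relation, object },
      consistency: policy.pick(object),
    },
  };
}
```

The window is per process, so it only covers writes this service made itself; a change made elsewhere (an admin revoking access from another service) is still subject to the cache, which is why security-sensitive revocation paths may want HIGHER_CONSISTENCY unconditionally and accept the latency.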

added

Private Cloud for Okta FGA is now Generally Available

Okta FGA now has two deployment options: public cloud and private cloud. The public cloud option is a multi-tenant SaaS service available in three geographies: the United States, Europe, and Australia, offering a highly available multi-region deployment. The private cloud option, on the other hand, is tailored for enterprises seeking dedicated resources. Okta FGA Private Cloud leverages the same architecture principles that have been battle-tested with Auth0 for over two years.

Private Cloud for Okta FGA has the following benefits:

  • Higher RPS: Private cloud instances are optimized for high request-per-second (RPS) performance, scaling up to five times the average RPS based on your application’s needs.
  • High Availability: Okta FGA for Private Cloud is always deployed in two AWS regions with active-active data replication, minimizing the chances of being impacted by an AWS region outage.
  • Data Residency and Compliance: Deploy your Private Cloud environment in any AWS region to meet specific data residency and compliance requirements. Initial regions include the US, Germany, Ireland, UK, France, Japan, India, Singapore, Australia, and Brazil.
  • Reduced Latency: Choose the AWS region closest to your application servers, which will significantly reduce latency for faster access control checks.
  • Multi-Geography Deployments: Businesses can replicate the same authorization data across multiple regions worldwide, allowing them to maintain low-latency authorization services even for globally distributed applications. For example, a company can have the same data in the US, EU, and Australia, have their authorization data replicated across all regions, and have their applications routed to the closest region.
  • Automated, Hardened Release: Benefit from automated weekly releases that are previously validated in Okta’s public cloud deployments.
  • Centralized Management: Customers can manage both private and public cloud instances seamlessly from the Okta FGA dashboard.

Learn more in the product documentation.

Prioritized Log Streams now in General Availability (GA)

Prioritized Log Streams is now Generally Available (GA)

Now, Enterprise customers can stream a predefined set of security risk-related log events through a dedicated architecture with higher confidence. Customers can stream events to SIEM tools, monitor, and take action on Security events without interruption when there is an attack on the customer’s tenant or abnormally high user activity.

The feature is available in all Public cloud environments and rolling out to Private spaces throughout the next few weeks.

added

Security Center Thresholds in Early Access

Introducing a new capability within the Security Center Dashboard offering: Security Center Thresholds, now in Early Access. This feature gives Enterprise customers a more proactive handle on the Security Center monitors they track: customers can now configure thresholds on security threat metrics and see when a threat exceeds the acceptable value. The feature is available in all Public cloud spaces and will roll out to private spaces with the General Availability announcement.

Managing Session and Refresh Tokens expirations in Actions - Early Access

Continuing our effort to make Sessions and Refresh Tokens dynamically manageable, we are happy to announce new methods that control the expiration of Sessions and Refresh Tokens from Actions.

Now you can control the absolute and inactivity timeouts with the new setExpiresAt(Date) and setIdleExpireAt(Date) methods, available for post-login Action objects api.session and api.refresh_token.

These methods support a range of use cases; for example, you can improve your security posture by enforcing shorter expiration times for administrators, for specific Connections, or for Organizations.
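As an added example (not Auth0's own code), here is a post-login Action that applies the tighter-expiration policy described above for administrators and for one enterprise Connection, using the setExpiresAt(Date) and setIdleExpireAt(Date) method names given in this entry. The role name, connection name and lifetimes are constructed; event.authorization.roles and event.connection.name are the standard post-login event fields.

```javascript
// Added example, not Auth0's own code: a post-login Action that shortens
// session and refresh-token lifetimes for administrators and for one
// enterprise Connection. Method names follow this changelog entry; the
// policy values, role name and connection name are constructed.
const HOUR = 60 * 60 * 1000;

// Constructed lifetimes in milliseconds: baseline, then tighter overrides.
const POLICY = {
  default: { absolute: 7 * 24 * HOUR, idle: 24 * HOUR },
  admin: { absolute: 8 * HOUR, idle: 1 * HOUR },
  contractor: { absolute: 12 * HOUR, idle: 2 * HOUR },
};
const ADMIN_ROLE = 'admin'; // constructed role name
const RESTRICTED_CONNECTIONS = new Set(['contractor-saml']); // constructed

// Merge every policy that applies to this login; the strictest value wins
// per field, so an admin logging in via a restricted connection gets the
// shortest absolute *and* the shortest idle timeout of the two.
function selectPolicy(event) {
  const roles = (event.authorization && event.authorization.roles) || [];
  const connection = event.connection && event.connection.name;
  const applicable = [POLICY.default];
  if (roles.includes(ADMIN_ROLE)) applicable.push(POLICY.admin);
  if (RESTRICTED_CONNECTIONS.has(connection)) applicable.push(POLICY.contractor);
  return applicable.reduce((acc, p) => ({
    absolute: Math.min(acc.absolute, p.absolute),
    idle: Math.min(acc.idle, p.idle),
  }));
}

// Turn the chosen lifetimes into absolute Date deadlines relative to `now`
// and apply them to both the session and the refresh token.
function applyExpirations(event, api, now) {
  const policy = selectPolicy(event);
  const absolute = new Date(now.getTime() + policy.absolute);
  const idle = new Date(now.getTime() + policy.idle);
  api.session.setExpiresAt(absolute);
  api.session.setIdleExpireAt(idle);
  api.refresh_token.setExpiresAt(absolute);
  api.refresh_token.setIdleExpireAt(idle);
  return { absolute, idle };
}

// Action entry point; Auth0 invokes this on every login.
async function onExecutePostLogin(event, api) {
  applyExpirations(event, api, new Date());
}
// Auth0 looks up the handler on `exports`; guarded so the snippet also runs as ESM.
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;
```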

To learn more, read our public docs: Sessions with Actions and Refresh Tokens with Actions.

They are now available in Private Early Access. If you are an Enterprise customer, please reach out to your Technical Account Manager (TAM) to request access.

Self-Service SSO is now in Early Access

We’re excited to announce that Self-Service SSO on Customer Identity Cloud, powered by Auth0 is now in Early Access.

This capability aims to streamline the administrative tasks that are critical for every B2B SaaS product. Our Self-Service SSO feature provides our business customers' customers with a flexible, user-friendly experience for configuring their own single sign-on setups.

These capabilities are now available in Early Access. If you are a B2B Professional or Enterprise customer, please reach out to your Auth0 account contact to request access.

deprecated

Deprecate opt-in to WCAG 2.2 AA Compliant UI for Universal Login

Starting February 23rd, 2025, Auth0 will begin removing the ability to use the legacy, non-compliant UI for Universal Login. The new WCAG compliant version ensures that end users, including those who rely on assistive technology, can access and engage with a customer’s product or service. Read our Universal Login Accessibility documentation for more information.

added

Introducing Guide: Your Okta AI Powered Auth0 Assistant

We're excited to announce the Early Access launch of Guide - an Okta AI powered chatbot here to answer your questions about the Auth0 platform.

What is Guide?

Guide is your new go-to for quick answers on all things Auth0. It pulls information from our docs, blog, and community to provide summarized responses and relevant links. You can access Guide by clicking the "Ask Guide" button in the top-right of your Auth0 Dashboard. Just ask your question and let Guide do the work.

Availability

Guide is available to tenants in the US Public Cloud region. Guide will be rolled out to all Public Cloud regions in the near future.

Minimum Characters for Organization Names Lowered

Today, we've reduced the minimum character requirement for Organization Name and Organization Display Name from 3 to just 1 character. Plus, our Organization search has been updated to return exact matches for queries with fewer than 3 characters.

updated

Introducing React Native SDK v4 (EA)

Okta CIC is happy to announce the next major version of the React Native SDK. With react-native-auth0 v4, developers will be able to use advanced biometric authentication to obtain credentials. This new SDK version also makes it possible to switch between domains for authentication. We’re planning to release a GA version later in Q3 with major improvements to the SDK architecture and other new features.

What’s new

  1. Advanced Biometric Authentication: Use FaceID/Fingerprint to perform device authentication before obtaining credentials.
  2. Domain Switching: Dynamically switch domain/clientID to offer a personalised and contextual authentication experience.

Learn More

  1. Migration Guide
  2. Implementation Guide: Advanced Biometric Authentication
  3. Implementation Guide: Domain Switching

updated

Introducing WCAG 2.2 AA Compliance for Universal Login - General Availability

Okta CIC is excited to announce that Universal Login now satisfies the Web Content Accessibility Guidelines (WCAG) version 2.2 AA, either out of the box or through configuration! We have published our VPAT and it is available on Okta.com. By ensuring that Universal Login satisfies the WCAG guidelines, we enable our customers to confidently secure their applications with accessible authentication.

See our online documentation for more details.

added

Prioritized Log Streams now in Early Access (EA)

Introducing a new Log Stream and Security capability, Prioritized Log Streams.

Now, Enterprise customers can stream a predefined set of security risk-related log events through a dedicated architecture with higher confidence. Customers can stream events to SIEM tools, monitor, and take action on Security events without interruption when there is an attack on the customer’s tenant or abnormally high user activity.

This feature is rolling out to public cloud spaces throughout the next couple of weeks.

Auth0 Changelog Now Contains Release Version Numbers

The Auth0 Changelog now contains Release Version Numbers where applicable!

Now, Private Cloud customers can view & filter for a specific version within the Changelog directly. Additionally, Private Cloud customers can view an environment's current version and next version from within the Auth0 Support Center on the 'Private Instances' page and link directly to any feature releases in the Changelog that may be applicable to that version number.

Public Cloud customers are not impacted by this change and should continue to use the Auth0 Changelog as they normally do.

added

Auth0 Dashboard Session Management - BETA

Have you ever wondered, as a user of the Auth0 platform, how many active sessions you have for the different Auth0 dashboard applications across your multiple devices? Introducing Auth0 Dashboard Login Session Management, which allows Auth0 Dashboard admins not only to view all active dashboard sessions but also to revoke them. This beta feature adds a layer of security on top of the session idle timeout for our Public Cloud customers.

Version 202431

deprecated

Support Access Role Deprecation: Access to the "Subscription Tickets" Feature in Support Center now requires the new "Elevated Support Access" Role

What has changed?

We have deprecated the "Support Access" role. The only tenant member role that now has access to the “Subscription Tickets” feature within the Auth0 Support Center is the new Elevated Support Access role, managed through the Role Based Access Control (RBAC) feature in the Auth0 Management Dashboard. The Subscription Tickets feature in Support Center allows viewing and managing all tickets created by all users across a tenant.

Tenant Administrators do not automatically inherit the new ‘Elevated Support Access’ role and will need to explicitly add themselves to the role via the Auth0 Management Dashboard to continue to have access to view and manage all tickets across their tenant(s) via the Subscription Tickets feature. Tenant Administrators and all tenant members will still have access to the Auth0 Support Center to create and manage their own tickets without adding any additional roles.

Why did we make this change?

To increase the security of the Auth0 Support Center, the ‘Subscription Tickets’ feature is tied specifically to the new Elevated Support Access role so that access is not automatically inherited by all Tenant Admin users. This prevents users from seeing tickets they did not create unless they have explicitly been granted access to do so.

How are you affected?

Tenant Administrators no longer have access to view and manage all tickets for your tenant on the ‘Subscription Tickets’ page in the Auth0 Support Center unless the Elevated Support Access role is assigned to their user. You will still be able to access the Auth0 Support Center and create and manage the support tickets you created.

What action do you need to take?

If you have a paid subscription, you can add yourself and any other users who need to see/manage all tickets (even those they did not create) across the tenant to the new Elevated Support Access role from the Auth0 Management Dashboard. You should also review who currently has the legacy ‘Support Access’ role assigned and determine if they should be removed and/or added to have the new Elevated Support Access role.

If you are currently on a Free plan, there is no action required and this communication is to inform you that you will only be able to view and manage support tickets that you created.

How can you get additional assistance?

We are here to help. Contact us by using the Auth0 by Okta Support Center.

Inbound SCIM for Enterprise Connections Log Stream Filter

The Log Stream filters have been updated with a new filter category. This category complements the SCIM GA announcement and streams out only SCIM tenant logs when SCIM is enabled on the tenant. Through this capability, customers can monitor the full details of all the SCIM requests that Auth0 receives and get notified when a user is created, updated, or deleted using SCIM.

This feature is immediately available in the public cloud and will be rolled out to private cloud environments in the next few weeks as per the release pipeline.

updated

Remove Auth0 Team Members from all Tenants associated with the Team

Deleting a Team Member from the Teams dashboard removes access to Teams and now deletes the team member from all team tenants they are a member of. However, if you just want to remove access to one or more tenants, you can now do so from the Team Member's details page.

Note: The Tenant Member Management feature is required. This feature is on by default for all Self Service customers, is configurable for Public Cloud customers, and is coming soon for Private Cloud customers.

Please refer to the following documentation for more information.