June 2025 in Auth0: Security, Control, and New Integrations

June delivered robust Auth0 updates focusing on enhanced security, greater control over authentication flows, and improved integration capabilities for developers.

Jul 8, 2025 · 5 min read

June delivered a robust set of updates for developers, focusing on enhanced security, greater control over authentication flows, and improved integration capabilities. From powerful new token management and authentication methods to smarter bot detection and a clearer path for managing your Auth0 configurations, this month's releases are designed to help you build more secure and efficient identity solutions.

If you're building with Auth0, these updates will help you simplify complex authentication patterns, harden your applications against threats, and give you more granular control over user experiences.

Let’s dig in!

What's New

Native to Web SSO – Now in Early Access

This new capability is a game-changer for mobile and web app developers. It enables seamless session sharing between native mobile apps and web apps using a secure, standards-based approach, so users can authenticate once and keep their session across platforms without logging in again.

[Figure: Native to Web SSO Authentication Flow]

Highlights:

  • Seamless session carry-over from iOS/Android to browser
  • Uses secure, signed session tokens with device binding
  • Integrated with Actions, CLI, Terraform, and SDKs
  • Works with SAML, WS-FED, and Post Login Actions

Multi-Resource Refresh Tokens (MRRT) – Now in Early Access

Tired of juggling refresh tokens for every API? Now you don’t have to.

MRRT lets your app use a single refresh token to get new access tokens for multiple APIs. This simplifies lifecycle management and improves developer UX.

Highlights:

  • One refresh token → multiple APIs
  • Define audience-specific token policies
  • Works with expiring + rotating refresh tokens
  • Available in Management API, Deploy CLI, Terraform, iOS/Android SDKs

Perfect for microservices, distributed APIs, or mobile/web hybrids.

Enhanced Bot Detection for Signups

The improved model now recognizes more legit users, especially on mobile and new browsers, with fewer false positives and unnecessary CAPTCHA prompts.

Highlights:

  • Smarter handling of user-agent signals (new OS/browser versions)
  • Native mobile traffic is now better recognized
  • Enhanced security with lower friction

Available to Enterprise customers with the Attack Protection add-on.

Passkey Enrollment via My Account – Limited Early Access

Native Passkey Enrollment is here via our new My Account API. Your app can now offer seamless passkey onboarding, directly from your UI.

Highlights:

  • Full passkey management via API
  • Built for native + web flows
  • First of many new capabilities on the self-service My Account platform

Customize the Brute-Force Protection unblock page with Universal Login

You can now custom-brand the unblock page for Brute-Force Protection using Universal Login. This update allows for a fully branded experience when users are locked out due to repeated failed login attempts.

Highlights:

  • Branded unblock experience via Universal Login
  • Improved compatibility with email security scanners

Deprecations

Multiple actions for custom phone and email provider triggers

If you use the Management API's Create an Action endpoint, note that we are deprecating the ability to create more than one action per tenant for actions that support custom phone or email providers, and introducing a maximum limit of one action in each of the respective triggers:

  • custom-phone-provider
  • custom-email-provider

Removal of Access to Specific Event Request Properties in Actions

Starting September 16, 2025, the service will restrict access to additional property names within the event.request.query and event.request.body objects when executing actions for the post-login and credentials-exchange triggers.

Request-related objects:

  • auth_session
  • authn_response
  • client_secret
  • client_assertion
  • refresh_token
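
One way to audit Action code ahead of the September 16, 2025 change, as an added example that is not Auth0 code: a small Node.js scanner that flags reads of the listed property names on event.request.query and event.request.body. The sample Action source is constructed, and the regex matching is an assumption that covers dot, bracket and destructuring access only.

```javascript
// Added example, not Auth0 code. The property names come from the notice above;
// the sample Action source and the regex-based matching are assumptions.
const RESTRICTED = ['auth_session', 'authn_response', 'client_secret',
                    'client_assertion', 'refresh_token'];
const NAMES = RESTRICTED.join('|');
const SEP = '\\s*\\??\\.\\s*';                        // "." or "?." between segments
const TARGET = `event${SEP}request${SEP}(query|body)`;
// event.request.body.refresh_token  or  event.request.query['auth_session']
const DIRECT = new RegExp(
  `${TARGET}\\s*(?:\\??\\.\\s*(${NAMES})\\b|\\[\\s*['"](${NAMES})['"]\\s*\\])`, 'g');
// const { client_secret, other } = event.request.body
const DESTRUCTURE = new RegExp(`\\{([^{}]*)\\}\\s*=\\s*${TARGET}\\b`, 'g');

const lineOf = (source, index) => source.slice(0, index).split('\n').length;

// Returns [{ line, object, property }] for every restricted read found.
function findRestrictedAccess(source) {
  const hits = [];
  for (const m of source.matchAll(DIRECT)) {
    hits.push({ line: lineOf(source, m.index), object: m[1], property: m[2] || m[3] });
  }
  for (const m of source.matchAll(DESTRUCTURE)) {
    for (const item of m[1].split(',')) {
      const key = item.split(/[:=]/)[0].trim();       // drop alias or default value
      if (RESTRICTED.includes(key)) {
        hits.push({ line: lineOf(source, m.index), object: m[2], property: key });
      }
    }
  }
  return hits.sort((a, b) => a.line - b.line);
}

// Constructed post-login Action used as sample input.
const sampleAction = [
  'exports.onExecutePostLogin = async (event, api) => {',
  '  const rt = event.request.body.refresh_token;',
  "  const secret = event.request.body['client_secret'];",
  '  const { auth_session, ui_locales } = event.request.query;',
  '  const locale = event.request.query.ui_locales; // not on the list',
  '};',
].join('\n');

for (const h of findRestrictedAccess(sampleAction)) {
  console.log(`line ${h.line}: event.request.${h.object}.${h.property}`);
}
```

Computed property names and aliases of event.request held in other variables are not detected, so treat a clean result as a first pass rather than proof.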

Community and Events

Where we were in June

June was packed with dev-first events where we shared real-world lessons in auth, AI, and secure system design:

Where we’ll be in July

We're heading into July with a strong presence across developer, identity, and cloud-native events — from keynotes in Europe to hands-on engagements in Asia Pacific and the U.S.

  • DWX 2025 (June 30 – July 3, EMEA) – Moe presents "From the Crypt to the Code", diving into secure coding and modern auth strategies
  • WeAreDevelopers World Congress (July 9–11, EMEA) – Come say hi at the booth and watch sessions by:
    • Moe - "The Cake Is a Lie... And So Is Your Login’s Accuracy", unpacking real-world login flaws and how to build trust in AI-era authentication
    • Deepu K Sasidharan - "Delay the AI Overlords: How OAuth and OpenFGA Can Keep Your AI Agents from Going Rogue"
  • AWS Summit New York (July 16, AMER) – Our team will be on the ground connecting with cloud builders about secure identity at scale

Planning to attend? Reach out! We’d love to meet you and hear what you’re building.

Expect talks, demos and plenty of real-world tips on building secure, AI-aware, and scalable identity experiences.

That’s a wrap on July! We’ll be back next month with more dev-first updates.

Until then:

Stay secure.
Keep shipping.
We’re here if you need us.