--- title: "June 2025 in Auth0: Security, Control, and New Integrations" description: "June delivered robust Auth0 updates focusing on enhanced security, greater control over authentication flows, and improved integration capabilities for developers." authors: - name: "Ana Cidre" url: "https://auth0.com/blog/authors/ana-cidre/" date: "Jul 8, 2025" category: "Developers,Whats New" tags: ["sso", "universal login", "passkey"] url: "https://auth0.com/blog/june-2025-in-auth0-new-foundations-secure-connections-and-smarter-protection/" --- # June 2025 in Auth0: Security, Control, and New Integrations June delivered a robust set of updates for developers, focusing on enhanced security, greater control over authentication flows, and improved integration capabilities. From powerful new token management and authentication methods to smarter bot detection and a clearer path for managing your Auth0 configurations, this month's releases are designed to help you build more secure and efficient identity solutions. If you're building with Auth0, these updates will help you simplify complex authentication patterns, harden your applications against threats, and give you more granular control over user experiences. ***Let’s dig in!*** ## What's New ### Native to Web SSO – Now in Early Access This new capability is a game-changer for mobile and web app developers. It enables seamless session sharing between native mobile apps and web apps using a secure, standards-based approach, meaning users can authenticate once and maintain their session across platforms without re-logging in. ![Native to Web SSO Authentication Flow](https://images.ctfassets.net/cdy7uua7fh8z/4gFE2RP5ZCEcukiNF3Gpae/f957034f63c36d5a11f6a64d988c00e9/sequence-diagram.png) Highlights: * Seamless session carry-over from iOS/Android to browser * Uses secure, signed session tokens with device binding * Integrated with Actions, CLI, Terraform, and SDKs * Works with SAML, WS-FED, and Post Login Actions [Learn more](https://auth0.com/changelog#72JltARfrooqHBmkuTzb8d) ### Multi-Resource Refresh Tokens (MRRT) – Now in Early Access Tired of juggling refresh tokens for every API? Now you don’t have to. [MRRT](https://auth0.com/docs/secure/tokens/refresh-tokens/multi-resource-refresh-token) lets your app use a single refresh token to get new access tokens for multiple APIs. This simplifies lifecycle management and improves developer UX. Highlights: * One refresh token → multiple APIs * Define audience-specific token policies * Works with expiring \+ rotating refresh tokens * Available in Management API, Deploy CLI, Terraform, iOS/Android SDKs Perfect for microservices, distributed APIs, or mobile/web hybrids. [Learn more](https://auth0.com/changelog#46knYejnHFSYMc59ijmGjz) ### Enhanced Bot Detection for Signups The improved model now recognizes more legit users, especially on mobile and new browsers, with fewer false positives and unnecessary CAPTCHA prompts. Highlights: * Smarter handling of user-agent signals (new OS/browser versions) * Native mobile traffic is now better recognized * Enhanced security with lower friction Available to **Enterprise customers with the Attack Protection add-on**. [Learn more](https://auth0.com/changelog#2CLx9gZ1YB1nfO59QqH8po) ### Passkey Enrollment via My Account – Limited Early Access **Native Passkey Enrollment** is here via our new **My Account API**. Your app can now offer seamless passkey onboarding, directly from your UI. Highlights: * Full passkey management via API * Built for native \+ web flows * First of many new capabilities on the self-service My Account platform [Learn more](https://auth0.com/changelog#eW4GjQ2zYshqK7593Z1LW) ### Customize the Brute-Force Protection unblock page with Universal Login You can now custom-brand the unblock page for Brute-Force Protection using Universal Login. This update allows for a fully branded experience when users are locked out due to repeated failed login attempts. Highlights: * Branded unblock experience via Universal Login * Improved compatibility with email security scanners [Learn more](https://auth0.com/changelog#3EQxapnmbIRlkDlyIxGc6S) ## Deprecations ### Multiple actions for custom phone and email provider triggers If you use the Management API [create an action endpoint](https://auth0.com/docs/api/management/v2/actions/post-action), we are deprecating the ability to create more than one action per tenant for actions supporting custom phone or email providers and introducing a maximum limit of one action in the respective triggers: * `custom-phone-provider` * `custom-email-provider` [Read more](https://auth0.com/changelog#3x8aOrDhj5zKgYWA4e7EeD) ### Removal of Access to Specific Event Request Properties in Actions Starting September 16, 2025, the service will restrict access to additional property names within the `event.request.query` and `event.request.body` objects when executing actions for the post-login and credentials-exchange triggers. Request-related objects: * `auth_session` * `authn_response` * `client_secret` * `client_assertion` * `refresh_token` [Read the details](https://auth0.com/changelog#3FKFF7m36s3iNW64RA9xSP) ## Community and Events ### Where we were in June June was packed with dev-first events where we shared real-world lessons in auth, AI, and secure system design: * [dev_day(25)](https://developerday.com/) – Our virtual event for AI agents and identity fundamentals. Sessions available on-demand, [watch now](https://developerday.com/agenda). * [Frontend Nation](https://www.ai.engineer/) – [Ramona Schwering (Moe)](https://auth0.com/blog/authors/ramona-schwering/) shared frontend security best practices * [AI Engineering World's Fair](https://www.ai.engineer/) – Exploring auth for agent workflows * [AWS Summit Hamburg](https://aws.amazon.com/events/summits/hamburg/) – with [Juan Cruz Martinez](https://auth0.com/blog/authors/juan-cruz-martinez/) at the booth answering questions * [React Summit](https://reactsummit.com/) – Moe on modern identity in React * [VLCTechFest](https://vlctechfest.org/es/) – [Carla Urrea Stabile](https://auth0.com/blog/authors/carla-stabile/) joined Spain’s open-source community * [Open Source Summit North America](https://events.linuxfoundation.org/open-source-summit-north-america/) – Carla on FGA * [AWS Summit Japan](https://aws.amazon.com/jp/summits/japan/) – with [Daizen Ikahara](https://auth0.com/blog/authors/daizen-ikehara/) at the booth answering questions * [Vercel Ship](https://vercel.com/ship) – with Juan at the booth answering questions * [A Night Of AI (NYC) Mini Tech Conference](https://www.aicamp.ai/event/eventdetails/W2025062315) – with Juan talking about AI agents and practical tooling * [RenderATL](https://www.renderatl.com/) – Auth0 at the booth and participating in panel discussions with Netlify ![Auth0 at RenderATL](https://images.ctfassets.net/23aumh6u8s0i/7DQYTIytz6S1joIFxOwLZi/9ffb9fbe36e0c2ae389f2bb6f8a43954/Screenshot_2025-07-07_at_1.17.33_PM.png) ### Where we’ll be in July We're heading into July with a strong presence across developer, identity, and cloud-native events — from keynotes in Europe to hands-on engagements in Asia Pacific and the U.S. * [DWX 2025](https://www.developer-world.de/dwx) (June 30 – July 3, EMEA) – Moe presents *"From the Crypt to the Code"*, diving into secure coding and modern auth strategies * [WeAreDevelopers World Congress](https://www.wearedevelopers.com/world-congress) (July 9–11, EMEA) – Come say hi at the booth and watch sessions by: * Moe - *"The Cake Is a Lie... And So Is Your Login’s Accuracy"*, unpacking real-world login flaws and how to build trust in AI-era authentication * [Deepu K Sasidharan](https://auth0.com/blog/authors/deepu-sasidharan/) *"Delay the AI Overlords: How OAuth and OpenFGA Can Keep Your AI Agents from Going Rogue"* * [AWS Summit New York](https://aws.amazon.com/events/summits/new-york/) (July 16, AMER) – Our team will be on the ground connecting with cloud builders about secure identity at scale Planning to attend? Reach out! We’d love to meet you and hear what you’re building. Expect talks, demos and plenty of real-world tips on building secure, AI-aware, and scalable identity experiences. That’s a wrap on July\! We’ll be back next month with more dev-first updates. Until then: **Stay secure.** **Keep shipping.** **We’re here if you need us.**