Auth0 Enterprise plans can now use OIDC Back-Channel Logout capabilities for Session Management in their production tenants. This allows you to implement responsive single-logout experiences for end-users, avoiding limitations imposed by third-party cookie browser restrictions and setting the foundation for remote logout capabilities.

When configured, any SSO application can leverage the session identifier (sid) included in ID Tokens to react to the session termination events received in OIDC Back-Channel Logout Tokens.

The feature is available upon opt-in request to all enterprise plans and will be automatically enabled by default soon after.

You can learn more about it in https://auth0.com/docs/authenticate/login/logout/back-channel-logout

Six new languages are now available as supported translations for Universal Login:

• Basque: eu-ES
• Catalan: ca-ES
• Galician: gl-ES
• Norwegian: no
• Norwegian Nynorsk: nn
• Welsh: cy

For additional information on languages and localization, see the online documentation.

We are excited to announce that the Guardian App supports localization. The app is available, as an authenticator, to deliver push notifications to a user’s pre-registered device (mobile phone or tablet). In addition to English - US (en-us), we support French - Canada (fr-ca), French - France (fr), Portuguese - Brazil (pt-br), and Spanish - Argentina (es-ar). Users can select the language in the app setting; the default is based on the user's registered device setting.

You can learn more about the Guardian App in our public docs.

Beginning October 16th, 2023, Rules & Hooks will no longer be available to new tenants. Actions is our offering which unifies all the extensibility of Rules and Hooks and more. For existing users of Rules & Hooks, these features will no longer be available as of November 18th, 2024.

To learn more about migrating to Auth0 Actions, read this migration guide.

Auth0 Enterprise customers on Converged Platform can now use Security Center, a new security feature that provides real time monitoring of potential security events. It provides a more proactive approach to our customers on understanding and tweaking their attack protection program, and further strengthen the security posture with real-time monitoring capability of common attack types and metrics on the current attack protection features.

The feature will be rolled out in stages to all Enterprise customers using Private and Public Cloud on the Converged Platform beginning on May 4, 2023.

Security Center includes trends on common threat behaviors- including credential stuffing attacks, sign up attacks, and MFA bypass attacks. It also provides threat monitoring capability on our current attack protection program - including Bot Detection, Brute-force Protection, Suspicious IP Throttling and Breached Password Detection. The threat monitoring tool helps our customers understand the current attack trends on their tenant traffic, and then implement countermeasures by enabling and tweaking the Auth0 Attack Protection feature sets.

To learn more, please refer Security Center in the Auth0 Docs.

Auth0 now supports Private Key JWT in General Availability, a more secure and flexible way to authenticate your Auth0 Apps:

• Enhance security by generating asymmetric public/private key pairs for use as credentials. Once you register the public key with Auth0, you use the private key to sign the request sent to the Authentication API for a more secure experience.
• Renew credentials seamlessly with key rotation. Have two keys active simultaneously for zero downtime.

Private Key JWT is our first protocol capability shipped to enable FAPI compliance for Financial Grade APIs and other Highly Regulated Identity scenarios. Stay tuned for further updates!

Private Key JWT is available to customers on the Enterprise subscription plan. To activate, visit the new Credentials tab within the Auth0 Dashboard or the Management API. The main Auth0 SDK also support this new App Authentication Method. Read our Auth0 Docs to learn more.

The Auth0 Developer Experience team is in the process of deprecating the following repos:

• express-oauth2-bearer | migration guide
• angular-auth0 | migration guide
• auth0-cordova | migration guide

These libraries will no longer be supported after their end of life date. For express-oauth2-bearer, the EOL date is June 30, 2023. For angular-auth0 and auth0-cordova, the EOL date is October 31, 2023. Please make plans to remove these libraries from any active projects before these dates. For each repo we have also provided a migration guide to further assist you.

If you have any questions or concerns, please reach out to us on GitHub.

Auth0 is excited to announce the release of an enhanced search experience on the Auth0 Support Center. Now you can search and filter across Auth0 Docs, Auth0 Community, and Auth0 Blog in a single place without leaving Support Center.

We've added Adaptive MFA Risk Ratings Score in Actions to all environments!

Developers today can effectively use event.authentication.riskAssessment for adaptive MFA risk score and leverage the details about risk assessments obtained during the login flow in PostLogin@v3 trigger.

To learn more about this feature, visit our doc site. As we are adding values to Actions, we encourage all customers to move from Rules/Hooks to Actions starting today.

Announcing the general availability release of Auth0 CLI v1, a significant milestone moving Auth0 CLI from an experimental build to an officially supported tool, offering a range of powerful features and enhancements tailored to streamline your Auth0 development process. Key highlights include an improved authentication process, allowing you to authenticate as a user via device flow or as a machine with client credentials; the new 'api' command for making authenticated HTTP requests to the Management API directly; and over 70 other improvements, feature enhancements and bug fixes.

To learn more and start building with Auth0 CLI, check out our Release Notes on GitHub. If you are coming from a previous version of Auth0 CLI, please refer to the v1 Migration Guide as this release includes breaking changes.

Organization Membership added to User Search 🕵️‍♀️

In order to support our customers with multi-tenant applications, we’ve updated User Search to support the organization_id parameter so that you can search for and filter users based on their Organization membership. This is available in the Manage Dashboard for your support teams as well as via the Management API so that you can enable your business customers' team members to search for users in their Organization from within your application.

Details and examples can be found here.

We're delighted to announce General Availability of the latest Public Cloud environment in United Kingdom (UK)!

Auth0 strives to offer the best CIAM solution in all aspects. The addition of this region (to Public Cloud environments available globally) enables low-latency IAM experience and addreses data residency requirements for UK customers.

The UK region has been available in Beta mode, and thousands of customers have experienced it successfully since November 2022.

Auth0 customers are now able to choose the UK region during tenant creation process. The newly created Auth0 tenant will have [tenant].uk.auth0.com domain name.

The Dashboard Activity page has been reimagined and now provides dashboard admins with access to visualized metrics that give them a high-level understanding of their tenant application signup and login data.

Initially, Tenants will be able to track metrics over time, such as Active Users, Sign-ups, and Retention, in addition to Failed logins. Auth0 will consistently add additional functionality and features to improve the user experience.

This feature is now available to all customers.

You can learn more in our public docs.

Announcing General Availability of SMS and Email based passwordless authentication on New Universal Login. Previously, these passwordless flows were only available on Classic Universal Login. Now, you can use passwordless with many of the existing features of New Universal Login such as No Code Customization tools and the Custom Text Editor.

To learn more about the feature you can go through our documentation here.

A new configuration option is available for factor enrollment flows for end-users on New Universal Login. With this new setting, Administrators have the ability to configure their tenants to prompt end-users to select their preferred factor instead of relying on the factor being automatically selected as default by Auth0.

You can learn more about this new setting, Show Multi-factor Authentication Options, in our documentation here.

Announcing the general availability release of auth0-java v2, the latest release of our authentication and management SDK for Java applications. This release brings a variety of exciting new features and improvements, including:

• A new pluggable HTTP component with a configurable default implementation, making it easier to handle simple and complex use cases.
• HTTP request configuration enabled for all requests, eliminating the need to downcast and simplifying our internal request class hierarchy.
• HTTP response information is returned for all API calls, making it easier to retrieve important information, such as response headers, without having to inspect logs.
• Improvements to the Authentication API client, like no longer requiring a client secret, allowing callers of APIs that don't need a secret to use the client.

To learn more and start building with our latest Java SDK, check out the repo on GitHub. And for developers upgrading from previous versions you can check out our migration guide here.

Customers interested in private cloud deployments can now opt for even greater performance thresholds to support their high volume authentication requirements. We’ve rolled out support for two new Private Cloud tiers supporting up to 180,000 and 360,000 requests per minute (or 3,000 and 6,000 requests per second, respectively). These new tiers are currently available for Private Cloud deployments on AWS.

To learn more, visit the following Private Cloud documentation page.

We've updated the Private Instances page in the Auth0 Support Center to display environment name, version, deployment type, and cloud provider.

We've updated the subscription quota reports to also show Active Enterprise Connections usage. This is Generally Available for both Private and Public Cloud customers.

Additionally Auth0 Private Cloud customers can now view their feature usage (eg. Machine to Machine Auth, MFA), for their respective private instances.

For more information on subscription usage, please see the documentation here.

Announcing Early Access of SMS and Email based passwordless authentication on New Universal Login. Previously, these passwordless flows were only available on Classic Universal Login. Now, you can use passwordless with many of the existing features of New Universal Login such as Organizations and our No Code Customization tools.

To learn more about the feature you can go through our documentation here.

Auth0 has released Security Center, a new security feature to provide our customers with real-time monitoring of potential security events as they happen. It provides a more proactive approach to our customers on understanding and tweaking their attack protection program, and further strengthen the security posture with real-time monitoring capability of common attack types and metrics on the current attack protection features.

This feature is in Early Access and will initially be rolled out in stages to all Enterprise customers using Private Cloud on the Converged Platform beginning on February 7, 2023. To learn more about our release stages, read Product Release Stages. The feature can be accessed from Auth0 Dashboard.

Security Center in Early Access includes trends on common threat behaviours- including credential stuffing attacks, sign up attacks, and MFA bypass attacks. It also provides threat monitoring capability on our current attack protection program - including Bot Detection, Brute-force Protection, Suspicious IP Throttling and Breached Password Detection. The threat monitoring tool helps our customers understand the current attack trends on their tenant traffic, and then implement countermeasures by enabling and tweaking the Auth0 Attack Protection feature sets.

To learn more, read Security Center in the Auth0 Docs.

Announcing the general availability release of auth0-angular, auth0-react, and auth0-vue v2, the latest update to our family of single page application SDKs. With the v2 releases, we've introudced all of the improvements that were released as part of Auth0-SPA-JS v2 and more!

To learn more about the latest release of each SDK and get started building, checkout our Quickstarts and SDKs on GitHub.

• Quickstarts: Angular | React | Vue

• GitHub: Angular | React | Vue

We have expanded our Bot Detection to now protect passwordless flows!

With Bot Detection for your Passwordless Flows, you can further protect your users and tenants from abuse. When enabled, Bot Detection for Passwordless can block suspected bot traffic by requiring CAPTCHA. Deferring the bot and helping reduce the excess cost of sending emails and SMS to your users.

For more information on enabling bot protection on your passwordless flows, please see the documentation here.

The Dashboard Activity page has been reimagined and now provides tenants with access to data and charts that give them a high-level understanding of their tenant data.

Initially, Tenants will be able to track metrics over time such as Active Users, Sign-ups, and Retention in addition to Failed logins. Auth0 will consistently add additional functionality and features to improve the user experience.

This feature is now available to all public cloud tenants.

You can learn more in our public docs.

No-Code Text customization is now available

We are expanding our No-Code toolset with the release of Text Customization. With our new text customization editor, customers can quickly and easily change all the text fields of the login box with zero coding required. This will make it easy for our application builders to use our platform and enable non-technical teams to implement changes.  This also includes the ability to customize text per language for any language supported by New Universal Login. Changes will show in the editor with a visual prompt preview. In addition, a JSON editor is available alongside the visual editor.

For more information see the documentation here: Documentation for No Code Custom Text Editor

We have changed the behaviour of the Manage Dashboard to retain a user’s place in the Manage application when they switch tenants. This will save users the trouble of navigating through the Manage application when they want to make a common set of changes to more than one tenant.

Feel free to dim the lights; dark mode is now available as a beta feature in the Manage dashboard! If you wish to try it out, you can enable this feature under your user profile.

SAML IDP Initiated Login now supports Organizations. When using a SAML Enterprise Connection within Organizations, the Organizations ID will be appended so that the end user is directed to the current Organization.

When using IdP-Initiated SSO, make sure to include the connection parameter in the post-back URL: https://YOUR_DOMAIN/login/callback?connection={yourConnectionName} If you are using the Organizations feature you can also optionally include an organization parameter containing the organization id of the desired organization: https://YOUR_DOMAIN/login/callback?connection={yourConnectionName}&organization={yourCustomersOrganizationId}

For more information, please see the documentaton here.

Announcing the launch of Status Page support for our Private Cloud offering for customers on the Converged Platform. To check the status of Private Cloud Environments, navigate to Status.Auth0.com and authenticate via “Private Cloud Login” using the same account credentials used to access the CIC (Auth0) Support Center. To go back to the Auth0 Public Cloud Status page, select Auth0 Public Cloud Status from the top-right navigation. For more information see: Check Auth0 Status

Announcing the general availability release of nextjs-auth0 v2, our latest update for adding authentication to NextJS applications. In v2 of nextjs-auth0 we added new middleware support that runs on the Next.js Edge Runtime for consolidating route declarations, a new declarative routing API greatly that simplifies route handler creation, and improved testing support that makes testing authentication in your app a breeze.

To learn more and get started building with our latest NextJS SDK, checkout our Quickstart, and SDK on GitHub.

We are bringing caching in Actions to the public cloud. Available immediately, customers can use api.cache to store and retrieve data that persists across executions.

Requesting and storing tokens over time for external services or machine-to-machine exchanges can drive up overhead costs and further cause latency issues. So we created Actions caching, a means to minimize the number of machine-to-machine access tokens generated to authenticate with Auth0 APIs.

Check out our detailed guidance on Auth0 Docs, and visit Move to Actions today to start using Auth0's flagship extensibility product, Actions.

SMS as an MFA option for loging into Auth0 Dashboard is now only available for users on a paid subscription.

What happens with free tenants with SMS as an MFA option enabled before the change? Already enrolled users will continue to receive SMS-generated OTP. However, SMS as an MFA will no longer be presented on a free tenant if the dashboard user disables it. The tenant will need to be added to a paid subscription to continue using the feature after disabling it.

Beginning May 9th, 2023, the Get Role Users Management API endpoint will only return greater than 1,000 total results if the checkpoint pagination method is used. This pagination method is optimized to support large quantities of results. The offset pagination method will be capped at 1,000 results.

See the Get Role Users Management API Documentation for implementation details on the two pagination methods.

Auth0 is excited to announce the launch of a new public cloud environment in the United Kingdom (UK) as a Beta. This new environment joins previously available environments in the United States, Australia, Japan, and the European Union, as we continue to support our customer's needs to offer low-latency login experiences while complying with data locality regulations.

Auth0 customers can specify their preferred location by simply choosing the United Kingdom region during the tenant creation process. The new Auth0 tenant created will have the [tenant].uk.auth0.com domain name and will adhere to amended terms of service and SLA during the Beta period.

In order to support our customer’s growing SaaS businesses, we are excited to announce support for Organizations context in custom database scripts. This will make it easier to migrate users from your existing B2B applications to Auth0.

Customers can now enable the additional custom database parameter Context object in database scripts.
Once enabled, the custom database action script will be passed an extra parameter, context, that contains information about the Organization that an end-user is interacting with.

To learn more about custom database support for Organizations, read here.

Starting October 31, we are rolling out a new Okta Workforce Enterprise Connection.

The Okta Workforce Enterprise Connection makes it easy for business customers to offer your product to their employees through their Okta dashboard, with seamless integration to Okta Workforce Identity Cloud. This enterprise connection is now free for all Okta B2B and Enterprise customers, and easier to discover and configure in Auth0.

To learn more, visit Connect Your Auth0 Application with Okta Workforce Enterprise Connection

We’ve reduced session timeout due to inactivity – for administrator sessions on manage.auth0.com – to 12 hours. This is another routine step in our continuous improvements in the security of our services.

For many of our customer’s administrators, there will be no noticeable effect. For those administrators working in manage.auth0.com day to day, additional or more frequent challenges to log in — if you’ve been inactive for 12+ hours — will be the only effect.

This change does not affect any sessions configured for your users and your applications as integrated with Auth0 identity services. The only changes are for administrator sessions on manage.auth0.com.

We have expanded the list of log event types visible for Viewer-Users and Editor-Users management dashboard roles to now also include the following:

    fce, fcoa, fcpn, dcu, feccft, 
    feoobft, feotpft, fepft,  
    fepotpft, fercft,fi, fs, fui,
    sce, scpn, scu, sdu, seacft, 
    sede, sens,seoobft, seotpft,
    sepft, si, sv, svr

A complete list of Viewer-Users and Editor-Users log event type codes can be found here.

The Bot Detection Allowlist is now available!

In the bot detection dashboard we have now added an allowlist. This can be used to add a list of trusted IPs and/or CIDRs in order to by pass Bot Protection.

You can read more about bot detection and the addition of the allowlist here

The Support Access Role within the Dashboard has been updated to allow for any user with Support Access granted to view and comment on Support tickets in the "Subscription Tickets" section of Support Center. Previously, users with Support Access only had access to "My Tickets" in Support Center. With this change, the Support Access Role allows for users to now see and update "Subscription Tickets" as well. For more information on feature access by role, see: Dashboard Access by Role Documentation here.

Auth0 Teams initially allowed viewing only tenant administrators for the selected tenant from the Teams Dashboard. You can now view all members, including non-administrator roles, using Teams.

Follow the link to learn more.

Now announcing the ability to block breached credentials on sign-up with Breach Password Detection!

With the previous version of Breached Password Detection, we have the ability to block log-ins when a set of known breached credentials are used for a user's account. We have now added the ability to enable the same functionality with the signup process.

Within the Breach Password Detection dashboard, there is now a toggle to turn on Breached Password Detection for account creation. Once on, the user, upon trying to create an account with a set of known breached credentials, will receive a prompt informing them that a combination of credentials was detected in a public breach and to use a different password.

To learn more about Breached Password Detection, read here

Developers can now configure their custom Guardian SDK based applications to have push notifications sent directly to the device platform providers, iOS and Android. Within the Auth0 dashboard, developers can configure each device platform by providing the key or certificate for FCM and APNs. AWS SNS remains fully supported as this feature is intended to provide more flexibility to best fit your needs. Documentation available here for FCM and APNs.

We are excited to bring a new version (v3) of Post-login Trigger in Actions to our customers. This backwards-compatible version update effectively enhances the security safeguard and brings new features to Actions. You can read the summary below and find out more information in our release docs.

Breaking Changes

api.redirect.canRedirect() marked as deprecated.

api.redirect.sendUserTo() will no longer skip redirecting when in a non-interactive flow. This means that calls to api.redirect.sendUserTo() should first check if the redirect is needed before issuing the redirect.

New Features

event.authentication.methods() may now also contain custom methods completed by users within that session and recorded using api.authentication.recordMethod() from the onContinuePostLogin handler.

api.authentication.recordMethod() is added as a way to store a record for the completion of a custom method in the user’s session. These APIs allow you to strictly require custom factors for certain scenarios.

To learn more about v1 and v2 updates, follow Actions releases notes.

All of the alerts and notifications that are currently published in the Auth0 Support Center are now also available to read inside the Manage dashboard. With this change, the options under the bell icon on the right side of the Manage banner no longer redirect to the Auth0 Support Center, but rather allow you to check your notifications without leaving the dashboard.

Announcing the general availability release of auth0-flutter, our brand new SDK for adding authentication to Flutter applications. With auth0-flutter, developers now have native Auth0 support to implement web auth login and logout, automatic storage and renewal of user credentials, custom credentials manager, and key Authentication API methods.

To learn more and get started building with Flutter and Auth0, checkout our recent blog post, Quickstart, SDK on GitHub.

Auth0 has released native integrations for Mixpanel and Twilio Segment via our Log Streaming feature.

Auth0 is excited to announce a newly expanded offering for our new private cloud platform customers - Actions Integrations are now available from the Auth0 Marketplace. What that means is all Auth0 customers that utilize our new private cloud platform have access to all the offerings on the Auth0 Marketplace - SSO, Social Connections, Log Streaming Integrations and now, Actions Integrations.

Actions Integrations will start to appear in the Development/Staging space now and will be ready in the Production environment in the coming weeks dependent on various release cadences.

Make sure to visit the Auth0 Marketplace to see if there is an integration that optimizes your customer’s identity experience. To find out more about becoming a Private Cloud customer, please send an inquiry and someone from Auth0 will contact you about whether it’s a good fit for your business.

Read more about the changes and improvements here.

Auth0 Teams provides a single point of visibility and control over your enterprise tenants. Teams First Availability is opened to customers with Enterprise tenants in Auth0's Public Cloud. The following features are available as part of Auth0 teams:

• Visibility into tenants and tenant administrators.
• Visibility and control of Team members.
• Ability to restrict tenant creation.

Please refer to Auth0 Teams Documentation for more information. Contact your Technical Account Manager or Auth0 Support to enable Auth0 Teams and begin the journey of centralized visibility and control with us. More exciting new features are coming to Auth0 Teams, and we can't wait to share them with you. Please continue to look for Auth0 Teams product announcements in the future.

Auth0 already supported adding custom claims to tokens via extensibility (Hooks / Rules / Actions), however, until today it restricted the usage of custom claims to public namespaced custom claims. This caused limitations for some onboarding scenarios and for implementing some standards that require private non-namespaced custom claims (such as FHIR for health care). Today, these barriers are gone! Customers can add non-namespaced custom claims to Access and ID Tokens in OIDC flows.

// an Auth0 action
exports.onExecutePostLogin = async (event, api) => {
  // this was restricted, this is now allowed !
  api.accessToken.setCustomClaim('favourite_color', 'blue');
  api.idToken.setCustomClaim('favourite_star_wars_droid', 'n2c2');
}

• Non-namespaced custom claims set on ID Tokens will be returned in the /userinfo endpoint.
• New restrictions apply:
  • Token size is capped to 100KB in all OIDC flows.
  • A list of claims (standard and auth0 internal) will be restricted and customers won’t be able overwrite them.
  • Creation of non-namespaced custom claims on tokens with Auth0 audiences are restricted to avoid collision with Auth0 internal services.

To learn more, read JSON Web Token Claims and Create Custom Claims in the Auth0 Docs.

If you were already using a previous, non-generally available mechanism to set non-namespaced custom claims, please read our Migration Guide.

Announcing the release of a new Dashboard role called Support Access. This role provides users access to Auth0 Support Center and a limited view of aggregated dashboard metrics (Activity Page).

Specifically, the Support Access role has access to:

• Metrics-Only Activity Stats in the Auth0 Dashboard
• Create and manage support tickets in Auth0 Support Center
• Usage Reports in Auth0 Support Center
• Compliance docs in Auth0 Support Center

Starting today, July 27th 2022, you can no longer invite users directly to Auth0 Support Center. Access to Support Center can be added via roles available within Auth0 Dashboard.

Existing Support Center users can still login to Support Center until Oct 3 2022.

Announcing the first availability release of auth0-flutter, our brand new SDK for adding authentication to Flutter applications. With auth0-flutter, developers now have native Auth0 support to implement web auth login and logout, automatic storage and renewal of user credentials, custom credentials manager, and key Authentication API methods.

To learn more and get started building with Flutter and Auth0, checkout the Quickstart and SDK on GitHub.

Announcing the general availability release of SimpleKeychain v1 and JWTDecode.swift v3, our utility libraries for storing user credentials in iCloud Keychain and decoding JWTs in iOS, macOS, tvOS, and watchOS apps. Both releases aim to modernize the libraries, dropping support for Objective-C, older versions of Swift, and outdated platform versions.

To get started building with SimpleKeychain and JWTDecode.swift, you can view the latest release notes and migration guides on GitHub.

• SimpleKeychain
• JWTDecode.swift

Looking to extend this functionality and easily integrate Auth0 into iOS and Mac apps? Check out our Auth0.swift SDK which supports SimpleKeychain, JWTDecode, and more.

Starting Jul 25, 2022 we are rolling out Node 16 to support Auth0 Rules and Hooks, and we recommend our developer customers update the tenant global setting to Node.js 16, or migrate Legacy Rules/Hooks to Actions.

Node.js 12 is no longer supported and has exited Long Term Support (LTS), but it will remain available for Rules and Hooks for the time being. We encourage you to migrate your Rules and Hooks to Node.js 16 at a minimum. Ultimately we strongly encourage our developer community to migrate your Rules & Hooks to Auth0 Actions for a greatly improved developer experience. We plan to support every current and long-term supported Node version in the future through Actions exclusively.

To take advantage of Node 16 for Rules and Hooks, simply select Node 16 for your tenants' Extensibility, Runtime setting (under Advanced Settings in the tenant dashboard). Your existing Rules and Hooks will then default to Node 16, so we recommend testing in a non-production tenant first. If you need to revert your Rules and Hooks to a previous version, you can revert back to Node 12 as well. We'll release more information about the Node 16 upgrade in our Docs shortly, and will update this Changelog when done.

For customers using our flagship extensibility product Auth0 Actions, there will be no changes. Our long-term strategy is to unify all extensibility under Actions. We also encourage you to explore Actions Integrations - a modern approach to extensibility without Node version disruption. All Actions Integrations will run on Node 16 at launch, and will be maintained by Auth0 and our Marketplace Partners.

We want to hear from you. Please share any feedback on your experience with our extensibility tools and Actions in our Developer Community.

Starting June 30, 2022 applications using Sign in With Apple (SIWA) for account creation must also let users initiate deletion of their account from within the app. Apple offers the following guidance at https://developer.apple.com/support/offering-account-deletion-in-your-app :

• Make the account deletion option easy to find in your app. Typically, it’s included in the app’s account settings.
• Offer to delete the entire account record, along with associated personal data. You may include additional options, but only offering to temporarily deactivate or disable an account is insufficient.
• If people need to visit a website to finish deleting their account, include a link directly to the page on your website where they can complete the process.
• Keep users informed. If the deletion request will take additional time to complete, let them know. If your app supports in-app purchases, help people understand how billing and cancellations will be handled.

For Auth0 customers this can be done by a call to the Management API v2 endpoint

__DELETE/users/%user_id% __

In addition, Apple now requires token revocation for the deleted user to remove the authorization from the list of applications on the user Apple account. In order to provide a complete solution, we have made an update to our SIWA integration. Auth0 will store and then revoke the Apple token on a user that has been created via SIWA on behalf of our customers. So no further action is necessary beyond user deletion to satisfy the new Apple requirement.

In order to support our customers' growing SaaS businesses, we have introduced some scalability improvements for Auth0 Organizations.

Customers can now Search for Organizations in the Manage Dashboard, and those on our Enterprise subscription plan can request increased entity limits for Organizations and Organization Members. Both can now be raised up to 2M (2,000,000) on a per-tenant basis.

To request an entity limit increase, please connect with your technical account manager or create a support ticket in your Enterprise subscription which includes the following:

• Description of your use-case and the reason for needing an increase
• Which limit needs the increase (number of Organizations, or number of Organization members per-organization)
• The name and region of the Auth0 tenants that need the increase applied

The New Universal Login No-Code Customization Editor allows you to quickly design and configure your login experience with no coding or technical skills required. This can help to get your own customized, branded login experience running in just minutes. You can easily apply your own logo, change colors, apply fonts, customize borders, and change backgrounds for a look and feel that’s all your own.

See your changes in real time using the large preview window. The preview allows you to zoom in on certain sections and move around your page for detailed inspection. You can interact with your new design with our “Try” feature. And you can save and publish your changes to your application in a single click.

To learn more about the New Universal Login No-Code Customization Editor see the No-Code Editor Documentation

Auth0 Bot Detection in public cloud is now upgraded with a new machine learning engine to help reduce bot attacks by 79%, with minimal impact on user experience.

Part of the Auth0 Attack Protection add-on, Bot Detection now pairs machine learning with one of the world’s largest consumer identity platforms to screen more bots in nearly 90% of attacks compared to the previous iteration. The impact on user experience remains unchanged, as even during attacks, fewer than 1% of challenges are shown to humans. Better security shouldn’t mean more friction.

To learn more about bot detection, see the Auth0 Bot Detection documentation.

On Apr 3, 2022 Auth0 limited the ability to search nested fields in the details key of the /api/v2/logs endpoint. Only the most commonly used fields within the details key are searchable through the endpoint and throughout the Auth0 dashboard. All the data in the details key will still be returned to customers by the Management API and Log Streaming.

The device credentials management API (Auth0 Management API v2) was returning an undocumented field last_used. This field has now been removed from the API response.

Beginning May 4th, 2022, the capability to install certain log extensions will no longer be supported. In order to achieve consistency across all Auth0 offerings and to focus on enhancing the Auth0 Log Streaming feature, we are discontinuing the support of the following Log Extensions (Installed) as of November 2, 2022. The relevant Log Extensions are:

• Auth0 Authentication API Webhooks
• Auth0 Management API Webhooks
• Logs to Cloudwatch
• Logs to Logentries
• Logs to Loggly
• Logs to Logstash
• Logs to Papertrail
• Logs to Splunk
• Logs to Sumo Logic
• Logs to Logentries

To learn more about migration to Auth0 Log Streams, read this migration guide.

We recently released a few updates to the Organizations feature:

1. Organization names can now be modified after creation. They still must be unique in the Auth0 tenant.
2. Organization parameters now show up when debugging email templates.
3. Enabled connections can now be included when creating an Organization via the POST Organization endpoint.
4. Fixed an issue where duplicates could be returned from the GET Organization Members endpoint.

The Bulk User Export will now escape string data types in the CSV export file. This is in conformance with OWASP standards for CSV injection mitigation. To ensure the content is read as text:

• Double quote characters are prepended with a double quote character.
• Each string is prepended with a single quote character.
• Each string is wrapped in double quotes.

This does not apply to dates in ISO 8601 format.

Check out our technical documentation to learn more about bulk user exports.

Announcing an improvement to Auth0’s security and performance with refresh token limits. We are limiting the amount of refresh tokens to 200 active tokens per user per application. Our service will periodically scan for client applications that keep an excess of active user refresh tokens and remove the excess on an older-first basis.

Limiting the amount of refresh tokens helps prevent accidental creation and accumulation of unnecessary or forgotten tokens while also preventing performance side-effects and signaling anomalous authentication flows via Refresh token excess warning in tenant logs.

You can read more on our Refresh Token page and follow-up with our Token Best Practices.

Announcing the general availability release of laravel-auth0 v7, our SDK for integrating Auth0 in Laravel applications. The v7 release of laravel-auth0 is a huge overhaul from v6 adding a wealth of developer experience improvements. Updates include support for Laravel 9, new plug and play controllers making it even easier to add authentication to Laravel apps, full integration with the recently updated Auth0-PHP v8 SDK, and more.

To get started building with Laravel and Auth0, check out the latest release on GitHub or the migration guide if you are upgrading from previous versions.

The Viewer - Users and Editor - Users roles has now read access to the Organizations list and Organization Members in the Dashboard. Editor - Users can see Organization Invitations in addition.

With this improvement, the Viewer - Users and Editor - Users Dashboard roles have a complete user visualization experience when the Organizations feature is being used.

Read more about Dashboard roles in our docs.

Announcing the general availability release of auth0-vue v1, our brand new SDK for adding authentication to Vue applications. With auth0-vue, developers can integrate Auth0 into Vue 3 apps faster and easier than ever before. The new SDK is built on top of our SDK for Single Page Applications providing all the same functionality wrapped in a native experience for Vue developers.

To get started building with Vue and Auth0, check out the Quickstart and SDK on GitHub.

Announcing the general availability release of Auth0.swift v2. Our Swift SDK lets you communicate efficiently with many Auth0 API endpoints and seamlessly integrates the Auth0 login.

With this new major release, we’ve added support for async/await and Combine, more customization points like custom headers and custom credentials storage as well as removing the complexity of dealing with concurrent refresh grants with our thread-safe token renewals. We’ve also greatly improved the docs, the secure by default configuration, and error handling.

To get started experimenting with the latest release, check out our updated migration guide.

The Auth0 Terraform provider has been updated in the HashiCorp Terraform Registry and is now Verified by HashiCorp, and supported by Auth0 🎉

You can find the Auth0 provider and read the Docs in the Terraform Registry directly.

You can find the source code for the Auth0 Terraform provider in GitHub.

Auth0 customers can now use the Auth0 Management API and SDKs to configure these attack protection features:

• Breached password detection
• Brute force protection
• Suspicious IP throttling

To learn about Management APIs, see the Auth0 Management API explorer.

To learn more about SDKs, see the Auth0 SDK Libraries documentation.

We have updated Status Page to allow users to also subscribe to a RSS feed for status notifications related to their tenant.

Auth0 has released Credential Guard, a new security feature that protects your users and your enterprise from password theft. Credential Guard augments Auth0’s automated breached password detection feature, mitigating worldwide data breaches sooner, often before they’re made public. The new Enterprise add-on reduces the risk of data breaches to your application by up to 80%.

Breached password detection relies on public announcements of large-scale data breaches. If your user’s credentials (based on their email address) have been exposed in a public data breach, Auth0 can automatically alert your users, challenge them with an additional authentication factor, or block access until they reset their password.

With the Credential Guard add-on, a dedicated team of security professionals infiltrates criminal communities and gains access to exposed data as soon as breaches occur, often many months before any public announcement. With this advantage, you can better protect your users and secure your applications by resetting stolen passwords sooner.

Credential Guard protects your enterprise from data breaches across more than 35 languages and 200 countries and territories. It helps you eliminate the costs associated with account takeovers, while also protecting your users' accounts.

Credential Guard:

• Exposes more than ten times the data breaches
• Reveals breached credentials more quickly
• Increases global coverage by adding data feeds for passwords in non-Roman characters

Enterprise plan customers can add Credential Guard to their Auth0 agreement and then enable it from the Auth0 Dashboard

If you have the Attack Protection add-on, you already have access to this feature. You can enable Credential Guard from the Auth0 Dashboard: locate Breached Password Detection method, select As soon as possible, with Credential Guard, and select Save.

To learn more, read Breached Password Detection in the Auth0 Docs.

We have again updated the Auth0 Docs experience 🤓

• we improved the article navigation by categorizing articles into job-focused topics, and
• we've added a Table of Contents to complex or longer articles on the right side of the article view

Announcing the general availability release of go-jwt-middleware V2, our SDK for checking and validating JWTs in Go applications. The V2 release of our go-jwt-middleware is a giant leap forward from our V1 implementation. Updates include simplifying the JWT library interface, support for JWKS, and much more. Please note, this update contains breaking changes.

To get started experimenting with the latest release, check out our updated migration guide.

Auth0 has implemented a cache of additional entities stored in our databases which see low change rates but high number of requests.

This cache will apply to endpoints of the Authentication API and will not impact the Management API.

The following will be cached and updated every thirty (30) seconds:

• General and advanced tenant configuration
• UL Configuration including branding

Though the behavior changes will be minimal, a follow-on effort will be made to reduce the impacts caching may have on the tenant administration experience.

We’re excited to announce general availability of Auth0 Identity Platform as a private cloud deployment option on Microsoft Azure. This unlocks a secure cloud deployment option for organizations seeking a strategic fit with their technology stack, support for regional data residency capabilities and higher control over customer's data. You can learn more about deploying Auth0 Identity Platform on Azure in our documentation.

Announcing the general availability release of express-oauth2-jwt-bearer, our new SDK for Express API’s. express-oauth2-jwt-bearer greatly simplifies the process of protecting your Express APIs with Bearer Token JWTs using a combination of the well established OAuth2 Bearer Token Usage spec and the recently published specification of JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens.

To learn more about the Auth0 express-oauth2-jwt-bearer SDK and try it yourself, check out our Quickstart, and repo on GitHub.

We have updated the Auth0 Docs experience to reflect the new Auth0 brand.

Auth0 has implemented a cache of entities stored in our databases which see low change rates but high number of requests.

This cache will apply to specific endpoints of the Authentication API and will not impact the Management API.

The following will be cached and updated every thirty (30) seconds:

• Connections
• Applications

Though the behavior changes will be minimal, a follow-on effort will be made to reduce the impacts caching may have on the tenant administration experience.

Announcing the general availability release of Auth0.AspNetCore.Authentication, our new SDK for ASP.NET Core applications. Integrating Microsoft's OpenID Connect middleware, we’ve supercharged our .NET developer experience by making it even easier to integrate Auth0 in ASP.NET Core applications like MVC, Razor Pages, and Blazor.

To learn more about the Auth0 ASP.NET Core SDK and try it yourself, check out our blogpost, Quickstart, and repo on GitHub.

We’re excited to announce first availability of Auth0 Identity Platform as a private cloud deployment option on Microsoft Azure. This unlocks a secure cloud deployment option for organizations seeking a strategic fit with their technology stack, support for regional data residency capabilities and higher control over customer's data.

During First Availability, private cloud deployments on Azure will be available for select customers. You can learn more about deploying Auth0 Identity Platform on Azure in our documentation.

Log Stream Flexibility, after a successful beta, is now in general availability (GA). This allows both the ability to start a new log stream from a certain point in time and to filter logs based on specific log type categories.

Learn more in our public docs

Auth0 has released Threshold Manager for Suspicious IP throttling.

Auth0 users can now use Threshold Manager to set their preferred thresholds for Suspicious IP throttling. With a self-serve capability, users can now modify the default threshold for Suspicious IP throttling, giving them more flexibility and reducing any delays in implementing security policies.

You can enable it in the Auth0 Dashboard.

You can learn more in our public docs

We added a new audit event (mgmt_api_read). This event will indicate when a client secret is present in the response of a successful management API read request. You can learn more in our public docs

Heroku private space users in Tokyo now get a tenant in Auth0's Japan region when adding the Auth0 add-on.

Check out the add-on overview to learn more about supported Heroku regions by Auth0.

The Bulk Users Export API upload now uses AWS S3 pre-signed URLs for the one-time downloads. The URL changed from user-exports.[region].auth0.com to [environment]-auth0-export-users-[aws-region].s3.[aws-region].amazonaws.com

Check out our technical documentation to learn more about bulk user exports.

Applications that authenticate users via SAML can now use Auth0 Organizations to support their business customers and partners.

When Auth0 is acting as a SAML IdP, applications can now send users to Auth0 along with an organization ID, and they will be prompted to log-in in the context of that Organization. If no organization is provided, and the application is configured to require one, the user will be prompted to enter the name of the organization they’d like to authenticate with. After logging in, the SAML response will contain the associated Organization ID.

Note that Organizations already supports federating users from your business customers’ organizations into your applications via SAML, by creating SAML Enterprise Connections and enabling them for your organizations. This update allows applications to trigger Organization login flows using SAML Authentication requests.

Check out our technical documentation to learn more about Organizations features and how they can be used to support SaaS and business-to-business applications.

You can learn more about Auth0 support for SAML in this blog post.

We added Bosnian, Bulgarian, Croatian, Serbian, Slovenian, Icelandic, Ukrainian, Estonian, Lithuanian and Latvian language options to the New Universal Login flow.

The Auth0 CLI lets you build, test, troubleshoot and manage your Auth0 tenants directly from the command line.

If you are using the New Universal Login experience, you can take advantage of the CLI to easily customize the page templates.

When you run:

auth0 branding templates update

The CLI will open two windows:

• A browser window with a Storybook that shows the login page with the page template applied:

• Your default editor, with the page template code:

You can now change the page template code, and you will be able to preview the changes in the browser window.

Once you close the window, you’ll be asked if you want to save the template. If you answer Yes, the template will be uploaded to your tenant.

In order to achieve consistency across all Auth0 deployments and to focus on enhancing the Auth0 Custom Domain feature, we are discontinuing the Private Cloud Custom Domain capability as of December 20, 2021. This consistency enables us to enhance the feature and fix reliability issues faster, improving operational efficiency and enabling customers to get value out of custom domains quicker. To learn more about migration to Auth0 Custom Domains, read this migration guide.

Auth0 has released Threshold Manager for Brute-force Protection.

Auth0 users can now use Threshold Manager to set their preferred threshold for Brute-force protection. With a self-serve capability, users can now modify the default threshold for Brute-force protection, giving them more flexibility and reducing any delays in implementing security policies.

You can enable it in the Auth0 Dashboard.

You can learn more in our public docs.

Auth0 has released Adaptive MFA Risk Assessors.

Auth0 users can now enable Adaptive MFA Risk Assessors to assess and monitor risk signals for the login transactions without forcing an adaptive MFA flow. Though Adaptive MFA Risk Assessment is required for enabling the Adaptive MFA policy, it can also be used to implement custom MFA policies using Rules without Adaptive MFA in the flow.

You can enable it in the Auth0 Dashboard.

You can learn more in our public docs.

As part of our continuing work to improve compliance of the New Universal Login flow with accessibility standards, we have made a few improvements in the UI.

Error Messages

Error messages were not properly communicated to assistive technology users, resulting in users being unable to identify them. To address this issue, we have enhanced our forms to link the error messages with the field that has the error:

In the previous version, we displayed all errors in the form together, below the fields. In order to connect each message to a specific field, we are linking the label to the affected field and updating the visual style:

Focus Improvements

The focus indicators for Links were also difficult to detect. We updated the style to make it more visible:

Additionally, it was not possible to set the focus on the ‘Show Password' icon by using the keyboard. We have changed that functionality and it is now possible, with an updated focus style:

Link Styles

Since everyone does not have the same abilities to distinguish between colors, color should not be used as the sole visual means of conveying information. In order to make links more accessible, we have increased the font weight in addition to changing the link text color:

The Viewer - Config role has now read acccess to the Organizations list, overview and enabled connections in the Dashboard.

Read more about Dashboard roles in our docs.

Auth0 users can now enable reCAPTCHA Enterprise to block bot and scripted attacks. This has expanded Auth0 CAPTCHA offerings to include Google’s enterprise version for reCAPTCHA which does not have a monthly limit on the number of assessments.

You can enable it in the Auth0 Dashboard

You can learn more in our public docs

Auth0 supports continuous integration and deployment (CI/CD) of Auth0 Tenants and integration into existing CI/CD pipelines by using the auth0-deploy-cli tool, which supports the importing and exporting of Auth0 Tenant configuration data.

The auth0-deploy-cli 7.0.0 update has now been released.

Added

• MFA Support Recovery Codes
• Support for Organizations
• Prompt link to Auth0 Docs upon insufficient scope

Removed

• Node.js 8
• Various unneeded dependencies

For migration documentation, see https://github.com/auth0/auth0-deploy-cli/wiki/Migrating#v5-to-v7

For a full list of Auth0 Management API resources now supported by the auth0-deploy-cli tool, and for links to documentation and usage examples, see the project README.md.

WebAuthn with Security Keys and WebAuthn with Device Biometrics are supported as new multi-factor authentication methods to log in to our management Dashboard, in addition to the existing Guardian, OTP, and SMS factors.

WebAuthn combines maximum security with a low-friction user experience. We encourage you to add another layer of protection to your account by enabling them in your Account Settings page.

You can read more in our public docs.

To allow users continued access to their account in the event that they lose access to their primary multi-factor authentication (MFA) method, Auth0 provides a Recovery Code flow that is presented after the user enrolls in MFA.

Depending on the application and how tech savvy end-users are, this adds significant friction. It also does not resolve the issue since most users often do not have access to those recovery codes, when they need them most.

To simplify MFA adoption for applications, Auth0 now treats Recovery Codes as any other authentication method, which can be enabled or disabled. When disabled, end users will not be asked to enroll a Recovery Code, and will not be able to authenticate with one.

Recovery Codes will be enabled for existing tenants that are using MFA but will be disabled, by default, in new tenants. Tenant admins can change this option in the Multi-factor Authentication configuration screen.

You can learn more about this in our documentation.

The Dashboard Activity page has been reimagined and now provides tenants with access to data and charts that give them a high-level understanding of their tenant data.

Initially, Tenants will be able to track metrics over time such as Active Users, Sign-ups, and Retention in addition to Failed logins. Auth0 will consistently add additional functionality and features to improve the user experience.

This feature will be available to all US tenants gradually as part of a First Availability rollout. We plan on rolling the update out to the remaining regions over the coming months. Customers will receive a notification when it becomes available in their particular region.

You can learn more in our public docs.

Auth0 now supports using WebAuthn with Device Biometrics as the first authentication factor. You can enable it from a new Authentication Profile (https://manage.auth0.com/#/authentication-profiles) page in the Auth0 dashboard.

Once enabled, users will be given the option to enroll with WebAuthn after entering their password, if they are logging in from a WebAuthn-capable device. The image below shows the flow for iOS 14+:

The next time they login from that device, they will be asked to use their device biometrics by default:

Users will go through this flow each time they login for the first time in a new device. We call this feature Progressive Enrollment, and it will help many consumers and corporate employees which already possess devices with built-in biometrics for identification, to get a more convenient login experience while improving security at the same time.

Learn more about how to configure it here.

Important Notice: although it is not a supported Auth0 product, we are publishing guidance about Sharelock End of Life as a public service announcement.

Sharelock.io service is being ended and the site will be shut down August 1st, 2021. After this date Sharelock will no longer be available, and you will not be able to retrieve any shared secrets that are stored only in Sharelock.

• If you are creating a new shared secret via Sharelock you should plan to move to other alternatives such as 1Password and SendSafely immediately. Creation of Sharelock secrets will no longer be available after June 9th, 2021.
• If you’re retrieving a secret shared with you via Sharelock, you should store this secret in another secure location so you do not lose access to it after August 1st, 2021.

We have updated the Auth0 Dashboard experience to reflect the new Auth0 brand.

Actions, after a successful beta, is now in general availability (GA). Actions includes functionality from our legacy product Rules and Hooks under a unified developer focused experience. We brought many of the developer focused features in Actions Beta forward to the GA product including:

• An easy to use Flow Editor to better visualize your custom logic in our pipeline
• Draft Mode
• Version Control
• Testing before deploying to prod
• Improved secret management
• Expanded list of supported NPM modules to over 1MM
• Unified programming model across all triggers
• Improved logging

We encourage you to get started with Actions today and provide feedback and questions to us through our community channel. We will continuously build new functionality and extending new elements of the Auth0 pipeline through Actions. We have also updated our documentation pages to help building and migrating to Actions easy.

We've added the option to assign Tenant Environment tags from the context of the Manage Dashboard. Tenant Environment tags allows your team to easily identify development, staging and production tenants. Read the updated documentation here.

The Auth0 Community is in the process of deprecating the following Github repos:

• ember-simple-auth-auth0
• auth0-socketio-jwt
• auth0-joomla

These repositories will no longer be available on Github after the end-of-life date, September 30, 2021. Please make plans to find a suitable replacement or remove these libraries from any active projects before the end-of-life date. Please reply to the Community announcement if you have any questions or concerns.

Updated Actions Programming Model

We’ve updated the Actions programming model with improvements including consistency between different triggers. This update affects how you write your Actions code going forward. Your existing Actions will continue to execute without any changes. New Actions you create will use the updated version of the programming model.

New Features to Actions

We’ve also made improvements to the public API, allowing you to better discover the data model for triggers and we have improved the logging experience for Action executions. You can reference our documentation for more details about the changes we’ve made, and find sample code for common use cases.

When you authenticate with Google Workspace, Google always returns an access_token.

If you add access_type=offline&approval_prompt=force to the authentication request, Auth0 forwards those parameters to Google, and Google also returns an refresh_token.

We always stored the access_token in the user’s identity, which customers could use to all Google’s APIs. However, we did not store the refresh_token. We changed the behavior and also store the refresh_token when returned by Google.

Auth0 has released a public beta of Log Stream Flexibility Enhancements. This allows both the ability to start a new log stream from a certain point in time and to filter logs based on specific log type categories.

You can enable the new feature in the Auth0 Dashboard and learn more in our public docs

We added Thai, Turkish, Indonesian, Greek and Vietnamese language options to the New Universal Login flow.

Organizations is a broad update to the Auth0 platform that improves support for Auth0 customers that build and maintain business-to-business and software-as-a-service applications.

Auth0 customers on our Enterprise and Startup subscription plans can now:

• Represent the teams, business customers, and partners that use their applications as organizations in Auth0
• Set up branded, federated login flows for each organization
• Manage organization members in a variety of ways, including just-in-time membership and email invitations
• Define roles to represent what end-users can do in their applications and assign those roles to organization members, so they can have different roles in different orgs
• Build administration capabilities into their products so that administrators in those organizations can manage their own membership and access levels

To learn more, have a look at the announcement blog post and technical documentation.

Brute-force Protection now supports Account Lockout mode which will block an account after too many consecutive failed login attempts.

You can enable it in the Auth0 Dashboard

You can learn more in our public docs

Auth0 now enables you to enhance your tenant’s security to provide your users with secure access to your applications from public and shared devices.

When configured to create non-persistent sessions, the feature automatically terminates the session cookies when the user closes the browser. The session lifetime configuration at the tenant level controls the life of the server sessions.

For more information take a look at our public document

WebAuthn with Device Biometrics for Multi-factor Authentication is now generally available.

This enables users to use their WebAuthn-capable devices to complete MFA with their device's biometrics authenticators.

You can enable it in the Auth0 Dashboard

You can learn more in our public docs.

We've released a new user experience for managing tenant members, and a set of new dashboard roles (available to enterprise plans) that cover a wider range of collaboration use cases.

As part of this initiative, Auth0 is removing the Application Admin dashboard role, that allowed Admins to invite collaborators to the Auth0 dashboard with access to selected applications, as well as users and connections.

The Application Admin role is no longer available for inviting new tenant members. Existing Application Admins will be able to keep their role until September 30, 2021. Refer to the migration guide for more details.

Auth0 has released Always CAPTCHA option for Bot Detection

This enables users to have more control over when CAPTCHA is presented on the login and sign-up flows. CAPTCHA can be used as an incident response method

It is also possible to enable the Bot Detection risk assessors to gather information about bot traffic without challenging users with CAPTCHA.

You can enable it in the Auth0 Dashboard

You can learn more in our public docs

Today we're releasing the new version of our Management Dashboard navigation and layout after 3 months available as an opt-in experience. This experience improves our side and top navigation and takes advantage of our customer's screen real estate by adding a flexible layout and a collapsible sidebar.

The experience will be enabled as the default experience for all new tenants and existing tenants that didn't explicitly opted out in the past. Tenant admins will be able to switch back to the legacy experience until May 2021 via the Feature Previews section in Tenant Settings.

Read more about the changes and improvements here.

Beginning 10 May 2021, the public cloud Auth0 network edge will no longer accept TLS 1.0 or TLS 1.1 traffic. These legacy protocols are insecure, with well-known weaknesses and vulnerabilities within the industry. For maximum security, all Auth0 clients must upgrade to TLS 1.2 or later. The exact details and steps required will vary, depending on your application. For further details, see Upgrade to TLS 1.2, what action to take? posted in Auth0 Community.

We understand how critical Auth0’s services are for the success of your business. To support that and ensure end-users always have the ability to access your applications, we are excited to announce that we have updated our availability SLA to 99.99% across all Auth0 environments.

The 99.99% availability guarantee applies to all enterprise production Auth0 tenants which means you can expect no more than 4 minutes of downtime for them per month. This is a significant improvement over our previous Public Cloud availability SLA of 99.90% which allowed for nearly 44 minutes of downtime per month. More details on the updated SLA can be reviewed in Auth0’s Service Level Description published at https://auth0.com/legal.

We continue to invest in improving the resilience of its platform and the reliability of its application services. Visit https://status.auth0.com/ at any time to check the status of our platform.

Starting this week, the following Extensions will no longer be available in the extension gallery:

• Auth0 Deploy CLI Extension
• Gitlab Deployments
• Bitbucket Deployments
• Github Deployments
• Azure/Visual Studio Team Services Deployments

We are replacing our deploy extensions with improved guides for a better developer experience. Deploy extensions were built at a time before automated code deployment services from web-based DevOps tools. With the advent of Gitlab Pipelines, Github Actions, Bitbucket Pipelines, and Azure Pipelines, the extensions we provide through the Auth0 Extensions Gallery are now obsolete in a world of automated CI/CD pipelines provided by SaaS partners.

For developers who have already installed and configured these extensions, the services and solutions provided by these extensions will continue to work. For developers looking to employ the functionality previously provided through these extensions, we have created a series of guides available in the Auth0 Marketplace that provide a more custom and improved experience than the extensions provided.

GitLab Pipelines

Github Actions

Bitbucket Pipelines

Microsoft Azure Pipelines

With the Deploy CLI Extension, we received feedback from many customers that as our product evolved, the extension provided unnecessary additional friction to use the Deploy CLI. The Deploy Extension was intended to be a quick solution to creating an application in your dashboard to quickly connect your external Deploy CLI with your Auth0 instance, however, as the Deploy CLI evolved, so did the need for more customization in how the service connected. The functionality formerly found through the extension will now be served through the Deploy CLI installation guide. As always, be sure to regularly check the Auth0 Marketplace for all the ways you can use integrations to improve your Auth0 experience.

Auth0 has released WebAuthn with Security Keys for Multi-factor Authentication.

This enables users to use with FIDO Security Keys to increase the security of their accounts.

It is available for customers that have the Enterprise MFA add-on enabled.

You can learn more in our public docs.

We have updated our login page to use the New Universal Login experience and to reflect the new Auth0 Brand.

Brute-force Protection now supports an AllowList to permit IP addressed of both v4 and v6 to bypass Brute-force blocking behavior.

You can learn more in our public docs.

Auth0's user profile has a property called user.multifactor, which was supposed to let you know if the user was enrolled in MFA or not.

In the past, we only set the property the first time the user completed the MFA challenge, but not when the user enrolled or when MFA was reset.

This behavior was fixed, and now the property is always up to date. You can reliably use it to know of the user is enrolled in MFA.

A grant provides an application access to a resource on another entity without exposing user credentials. Tokens are issued in the context of a grant, and when a grant is revoked, so do all tokens issued in the context of that grant. When, on the other hand, a token is revoked, this does not necessarily mean that the grant is revoked.

This feature allows the customer to decouple the revocation of refresh token from the revocation of the grant. When this feature is turned on, a refresh token revocation will result in the revocation of the grant that the token is associated with. If, on the other hand, the feature is turned off, then a refresh token revocation will keep the grant intact.

For existing tenants, this feature is turned on by default to preserve the existing behavior. For new tenants, this feature is turned off by default to make sure that a revocation of a refresh token will not revoke the grant. If a grant revocation is needed, a separate request must be sent using an existing grant revocation endpoint.

For more information, refer to the following documentation: Refresh token and grants

New built-in roles for dashboard members with limited privileges are generally available under enterprise plans, for improved access control.

The new roles include:

• Admin: Read and write access to all resources in the dashboard.
• Editor - Specific Apps: Read and write access to specific applications only.
• Editor - Connections: Read, write, and create access to all types of connections.
• Editor - Users: User Management operations (create, delete, block, unblock, reset MFA, reset password, update metadata, assign roles, etc.) and access to logs.
• Viewer - Users: Read-only access to users and logs
• Viewer - Config: Read-only access to all configuration settings (applications, APIs, rules, security settings, etc.), except for sensitive information such as secrets, billings, users, and logs.

Tenant members with limited privileges will see only the dashboard’s sections and actions that their respective roles support. They won't be able to see the tenant members section nor invite other members.

You can read more about the specific permissions for each role in the Auth0 documentation.

In order to improve security and prevent leaks, we have stopped displaying connections and MFA secrets in the Auth0 Dashboard after the configuration is saved.

This change includes secrets from:

• Enterprise connections
• Social connections
• Passwordless connections
• Multi-factor authentication providers

You can now configure the New Universal Login Experience to use an identifier-first flow, which supports Home Realm Discovery for enterprise connections.

You can enable the new behavior in the Universal Login section of the Auth0 Dashboard.

You can learn more in our public documentation.

Update to POST/api/v2/tickets/password-change

With a optional client_id parameter, you can now generate password reset tickets to enable a "Back to <app name>" button with application specific redirect behaviors using New Universal Login.

POST/api/v2/tickets/password-change

client_id is an optional parameter that is the ID of the application. If provided for tenants using New Universal Login experience, the user will be prompted to redirect to the default login route of the corresponding application once the ticket is used. See Configuring Default Login Routes for more details.

We changed the layout of the Login page for the New Universal Login Experience.

The Sign Up link is now rendered below the Continue button, instead of at the bottom of the page. The image below shows the previous an the current default login page:

To keep the rest of the pages consistent, we removed the footer section in all of them, and the links that were displayed in that section are now below the rest of the content.

You can now use CSS to hide or change the New Universal Login page logo from Page Templates.

This enables scenarios like changing the logo depending on the application.

You can learn more in our docs.

Auth0 is excited to announce general availability of a new public cloud environment in Japan. The Auth0 Japan environment joins the US, EU and Australia environments previously available, enabling our customers to offer lower login latencies to their users within Japan and in neighboring countries.

Auth0 customers can specify their preferred location by simply choosing the Japan region during the tenant creation process. The new Auth0 tenant created will have the <tenant>.jp.auth0.com domain name, and will enable customers to comply with legislation governing data regulation, privacy and consumer law.

Auth0 is proud to introduce Refresh Token Expiration, which includes two methods of expiring Refresh Tokens to balance security with usability: Absolute Expiration, and Inactivity Expiration.

Absolute Expiration: When enabled, you can configure the absolute lifetime for refresh tokens, after which, the end-user must re-authenticate before being issued a new refresh token. When disabled, the absolute lifetime will be indefinite.

Inactivity Expiration: When enabled, you can configure the inactivity lifetime for refresh tokens, which expires the refresh token if the user is not active in the application during the inactivity lifetime period.

Using a combination of Inactivity Expiration with Absolute Expiration, you can easily configure shorter lifetimes for more secure applications, or create an experience for end-users whereby they have seemingly indefinite sessions as long as they are active regularly in your application.

In addition, updated default settings for Refresh Tokens are applied to all new applications. To learn more about this capability, see our product documentation: https://auth0.com/docs/tokens/refresh-tokens/configure-refresh-token-expiration.

Auth0 has released Adaptive MFA, a new feature within the Multi-factor Authentication offering. Adaptive MFA allows customers to trigger Multi-factor Authentication based on a series of contextual risk scores, such as whether the user is signing in from an unknown device, or whether the user login is evidencing an impossible travel situation, or whether the user login happens from a risky IP. The feature also allows customers to access risk assessments in rules, which can be used to write custom business logic to trigger MFA.

We’re introducing improvements to the user experience of configuring Security related features in our Management Dashboard. Read more here

What changed?

• Anomaly Detection section has been renamed to Attack Protection

• Multi-factor Authentication and Attack Protection (Previously Anomaly Detection) have been moved under the new Security section

• Attack Protection (Previously Anomaly Detection) and Multi-Factor Authentication features now present a refreshed and simpler configuration experience

• Guides for crafting Security dashboards using our Log Streaming functionality are available under the Monitoring section

Correlation-ID support for Management API is now Generally Available. This feature allows for adding a unique identifier in management API calls related to changes to the Auth0 account. The same identifier is then available in event logs, allowing for an audit trail for such changes.

You can see an example of how to use this feature in our Management API docs.

Starting November 19th, 2020 we now expose IPv6 addresses in our public endpoints e.g. acme.us.auth0.com. If a client request arrives at this endpoint from a machine which supports IPv6, then context.request.ip will show an IPv6 address. If you're currently perdforming ip address manipulation or checking manually, we encourage you to use ipaddr.js@1.9.0 which is already available by default in Rules, Hooks, and the Actions Beta.

Auth0 has released a native integration for streaming event to Sumo Logic via our Log Streaming feature.

You can also use our Sumo Logic App to get started with visualizing Auth0 event logs without any development effort.

Auth0 has released public beta of WebAuthn with Device Biometrics for Multi-factor Authentication.

This enables users to use their WebAuthn-capable devices to complete MFA by using their device's biometrics authenticators.

You can enable it in the Auth0 Dashboard

You can learn more in our public docs.

Auth0 has released public beta of WebAuthn with Security Keys for Multi-factor Authentication.

This enables users to use with FIDO Security Keys to increase the security of their accounts.

You can learn more in our public docs.

Auth0 provides an API to generate MFA Enrollment Tickets. The API generates a URL, which can be sent to end-users by email. Once users navigate to the URL, they are asked to enroll to MFA.

In the past, the MFA enrollment page was rendered using the Classic Universal Login Experience even if New Universal Login Experience was enabled. The behavior was changed, and the enrollment page will be displayed with the selected login experience.

On September 21st, 2020 we launched the Auth0 Marketplace, a new way to discover our growing catalog of solutions and integrations.

Auth0 Marketplace makes it easier and faster to extend and customize your Auth0 solution.

🤞 Trusted — All of the integrations you find in the Marketplace are pre-validated by Auth0, so you know you can trust them.

🔎 Searchable — Not only can you easily search for an integration you want, but the Marketplace also makes it easy to browse for integrations that you may not even know you need! Browse through our trusted catalog of partner and third-party integrations to see how you can take your Auth0 solution to the next level with just a couple clicks.

👥 Open — We want the Marketplace to work for you. Do you have an integration in mind that's missing from the Marketplace? We'd love to hear from you! You can request an integration in our Community forum, or even submit your own! All submissions will be tested and vetted by Auth0 so that you can feel safe using the Marketplace.

Keep following as we are adding new integrations to the Marketplace regularly.

You can find the Marketplace at https://marketplace.auth0.com/

For more information about the launch, check out our blog post: Introducing the Auth0 Marketplace.

Auth0 has released a native integration for streaming tenant event logs to Splunk via our Log Streaming feature.

You can also use our Splunkbase App to get started with visualizing Auth0 event logs without any development effort.

Dashboard Admins that opt-in to enable MFA for accessing the Auth0 Dashboard with an extra layer of security can now enroll additional factors as well as regenerate recovery codes to prevent being locked out of their account in case they lose their primary device.

The MFA settins for Dashboard users can be configured in the Profile Page. Learn more by reading our docs.

Adding one or two phone numbers for SMS in addition to Push or OTP factors, as well as storing the backup code, is strongly recommended to prevent losing access to your account.

Auth0’s Management APIv2 now provides a means to validate emails from users logging in using any connection.

What changed?

We added the option to specify a user identity when calling the following endpoints:

POST /api/v2/jobs/verification-email

https://auth0.com/docs/api/management/v2#!/Jobs/post_verification_email

This jobs endpoint can be used when you want to leverage Auth0’s email templates to initiate an email verification flow. A new (optional) identity field can be specified in the payload. When specified, this will allow an email job to be created for a specific user identity within a user. The identity must include a provider and user_id.

POST /api/v2/tickets/email-verification

https://auth0.com/docs/api/management/v2#!/Tickets/post_email_verification

If you prefer to leverage your own email capabilities, you can use this tickets endpoint to generate an email verification link to use in your custom flows. A new (optional) identity object field can be added to the payload. When specified, this will allow a ticket to be created for a specific user identity within a user. The identity must include a provider and user_id.

By doing this, you can select a secondary, federated, or passwordless-email identity to be verified. Once the user verifies their email using Auth0, the email_verified flag associated with the provided identity will be set to true. Subsequent logins using a federated identity will not overwrite this value. If the identity being verified happens to be the primary identity of the user, the email_verified at the root of the user profile will also be set to true.

How does this affect me?

You can take advantage of this capability right away. If you choose not to specify an identity when initiating an email verification flow, no behavior will change. We will continue to only allow for verification of the primary identity of users belonging to the Auth0 IDP.

To explore these new capabilities, get started at: Email Verified Usage or explore the APIs

You can now use a Liquid Templates to customize the HTML content for the New Universal Login pages.

This will allow you to:

• Customize the background with gradients or background images
• Change the page layout
• Add a header or footer
• Provide different content depending on the application or the universal login page

Learn more in our documentation.

Auth0 added limited support for wildcard use in Allowed Web Origins application URLs to make it easier for subscribers to test applications in CI/CD scenarios. Auth0 does not recommend using wildcards in application URLs for production applications; the OAuth BCP states that exact URL matching is the safest approach. Read more in Auth0 Support Center.

We added Czech, French (Canada), Hungarian, Polish, Romanian, and Slovak language options to the New Universal Login flow.

You can now provide end-users the option to get multi-factor authentication one-time codes using SMS or Voice calls.

You can read more in our public docs.

You can now add support for authenticating users with Facebook using the Facebook SDK in native applications.

This improves the user experience, and allows your applications to comply with Facebook's Platform Policies.

You can learn more in our docs, the iOS Quickstart and the Android Quickstart.

User MFA enrollments can be imported using either the automatic migration or the bulk user imports method, allowing flexibility and control over the import process.

The supported enrollment types are:

• Email: for email verification
• __ Phone:__ for SMS verification
• TOTP: for One-Time Passwords (OTP) used with authenticator applications, such as Google Authenticator, Microsoft Authenticator, Authy, Duo, etc.

Get started by reading Import Multi-Factor Authenticators

Log streaming is now GA. You can now stream events to AWS Eventbridge, Datadog, and other targets using the Webhook.
Additionally, we provide more visibility into stream health to help debug potential issues during stream setup.

Auth0 now supports integrating Log Streams with Datadog, and can stream your tenant's log events directly to your Datadog account in near real-time.

Auth0 subscribers can now rotate and revoke the Signing Keys that are used to sign assertions sent to their clients, via the Manage Dashboard or API.

Read more in our docs.

Auth0 now offers a way use any SMS Provider to deliver SMSs with a new extensibility Hook.

Read more in our docs.

Auth0 now offers Refresh Token Rotation (RTR) with Reuse Detection, which provides a secure method for using refresh tokens in SPAs while providing end-users with seamless access to resources without the disruption in UX caused by browser privacy technology like ITP. RTR is available to all customers in public cloud as of April 15, 2020, and is scheduled to be available in Private Cloud in May. Read more about this on our blog.

Accelerate user migration with an enhanced bulk user import with expanded support for common password hashes.

Auth0 enhanced bulk user import with expanded support for common password hashes. Auth0 now supports importing user passwords hashed with the following algorithms: Argon2, bcrypt (now supports custom number of salt rounds), HMAC, MD4, LDAP, MD5, PBKDF2, SHA1, SHA256, and SHA512.

This enables you to import users to Auth0 from legacy systems without requiring end-users to reset their passwords. The new custom password object supports a wide array of parameters as well as the ability to upsert (or update) for subsequent import jobs.

To get started go to Bulk User Imports. Want to check if we support the hashing algorithm you use? Go to Bulk User Import Database Schema and Example for details on the specific hash algorithms, parameters, and encodings we support.

We've added support for directing users to the signup page in the New Universal Login Experience. Read more.

We now support Webhooks (Beta) for your log events! Auth0 can stream events to your callback URL in near real-time.

We've added support for creating and managing Auth0 hooks via the management API, the Node.js SDK, and the deploy-CLI tool. Read the API Documentation and the Deploy-CLI README for more details.

We've added support for embedding passwordless login in Native and Regular Web Apps. Read more.

We’ve added a new extensibility hook: Post-Change Password Hook BETA Customers using Database Connections, can implement custom actions that execute after an end-user changes their password or after a tenant admin updates an end-user’s password. For example, you can trigger an email to confirm a password change.

Get started by checking out the documentation on hooks here. Or, if you are already familiar with hooks, browse the docs and code samples for the new post-change password hook.

We've localized the New Universal Login Experience to Hindi.

We've added a Text Customization API for the New Universal Login Experience.

Auth0 integration with Amazon EventBridge was announced, a serverless event bus. This new integration connects Auth0 event logs to a variety of AWS services in near real time, unlocking a variety of new use cases that support event-driven and microservices application architectures. Learn more here.

We added email provider support for SparkPost EU version. This release enables tenants to use SparkPost’s email service hosted in EU region for localized data protection and transiting, and to be in full compliance with GDPR for emails. Learn more here.

Requests to Auth0 Management API v2 using access tokens issued for a Single Page Application (SPA) now have a dedicated rate limit of 10 requests per minute per user. To learn more about access tokens for SPAs go here and to learn more about Auth0’s rate limit policy go here.

In order to make the Dashboard Administrators invite flow more secure and to avoid confusions, we are now enforcing that the email address of the user that logged in or signed up to accept the invite matches the email address that the invitation was sent to.

Auth0 has made the following security enhancements to one-time-passcodes (OTP) for passwordless connections:

• We will only accept the most current unused one-time password (or link) issued; any previous OTPs will expire once a new OTP is issued. - Users have three attempts to input the correct one-time password; any additional attempts will require a new OTP request. - OTPs for new passwordless connections are valid (by default) for three minutes before expiration. This time can be altered in the connection settings in the dashboard. Read more about passwordless connections or learn how to troubleshoot passwordless connections.

We've added a calendar picker on the Logs page in the dashboard.

Auth0 now enables application developers to easily integrate Sign in with Apple on both Native Apps and Web applications. SIWA for native applications is a new capability that uses an entirely native flow (the user is not required to log in using a browser; the entire exchange takes place natively) that includes an updated iOS SDK for iOS13, a new QuickStart, configuration via the Auth0 Admin, and updated documentation. With this new capability, you can offer users a consistent login experience across all your applications using SIWA as a social identity provider. Support for SIWA is available to all customers effective today. Read more here.

We've added a support for using DUO with Custom Domains

.

Our OIDC Enterprise Connection is out of beta. Please check the documentation for more information.

Subscription plans in the dashboard were updated with new pricing.

Quota reports for External Active Users were added in the Support Center

We've added a new Social connection for LINE . Please check the documentation for more information.

We've improved our beta OIDC Connection, by adding support for the Authorization Code flow. Please check the documentation for more information.

Auth0 enhanced Bulk User Import to support bulk updating select user attributes using the upsert parameter. The upsert parameter can be either set to “true” or “false” during bulk user import and it impacts “pre-existing” users in Auth0. When using bulk user import for the first time you would not bother with upsert since it is only meant to update existing records. However, if you want to run an import again on existing users (by appending more users or upserting fields on existing users), the upsert parameter may be useful. You can use this to do things like update name values from marital status changes or add pictures.

If upsert parameter is set to false (default value) during a bulk user import, pre-existing users that match on email address will not be updated. When set to true, pre-existing users that match on email address will be updated, but only with upsertable attributes. Note: Prior to this release, if you used the upsert parameter and did not specify values for app_metadata, user_metadata or email_verified, those attributes would be replaced with null values. With this update, upsert will not replace those attributes will null values and you can now more efficiently implement bulk user imports for the following select attributes.

• app_metadata
• email_verified
• given_name
• family_name
• name
• nickname
• picture
• user_metadata

There is no action required by you and you can start taking better advantage of the Bulk User Import capability today. To get started check out the Bulk User Imports documentation and to see a full list of attributes supported see our User Profile Attributes.

As with many other changes to our product, this improvement came from feedback from our valued community. So, if you have feedback on how we can continue to make our product better, please let us know through this form. We're always listening and it is super easy!

Prior to this release when managing users via Database Connection, Bulk User Import, or Management API v2 the username field was restricted to alphanumeric characters, “+”, “.”, “_” and “-”. Auth0 added support for “!”, “#”, “$”, “'”, “^”, “`”, “~”, and “@”. In addition, Auth0 Universal Login supports these characters upon username registration to a Database Connection.

This enhancement simplifies user migration from systems like Microsoft Azure Active Directory or custom databases, where usernames often contain special characters. At Auth0 we are always looking for ways to simplify onboarding and get started faster.

There are no immediate changes you need to make to your existing setup and you can start taking advantage of this right away. To learn more, please visit our Adding Username for Database Connections documentation.

This improvement came by way of feedback from people like you. We’d love to hear from you on how we can further improve the product. It is super easy and we’re always listening. Welcome you to contribute product feedback here.

We enhanced security with a new option in advanced tenant settings to prevent exposure of registered user information

Auth0 has released a security enhancement in your advanced tenant settings that will help protect against exposure of registered user information. Bad actors may attempt to guess registered usernames or email addresses by reading error response codes such as user_exists in the public signup API.

You can set this option in your advanced tenant settings in the Auth0 dashboard or via the Management API v2. New tenants will have this option enabled by default. We highly recommend that you take advantage of this option to prevent exposure of personal information.
To learn more, please visit our Tenant Settings in the Auth0 Dashboard documentation.

We've added a dropdown to filter logs by type on the Logs page in the dashboard.

We've shipped a beta version of an OIDC Connection, that makes it simple to federate to OIDC Identity Providers. Please see the documentation for more information.

We've enhanced the platform by adding support for the OAuth 2.0 Device Authorization Grant (Device Flow). Device flow enables end-users to authorize input-constrained devices with Internet connectivity (http) to access protected resources such as streaming media, online services, or account information. Examples of input constrained devices include, but are not limited to Smart TVs, Media Players (AppleTV, Roku), some consumer IoT devices, and CLI applications with no access to a browser or graphical shell. For detailed information, please see the documentation and the tutorial. You can also have a hands-on experience using the Device Flow Playground, which enables you to experience the flow using your own tenant without having to write any code.

The new Universal Login Experience is Generally Available. Try it now to benefit from a reimagined login flow, a with a fresh UX design and lightweight pages.

We've added beta support for 'Sign in With Apple'.

We've localized the New Universal Login Experience.

We've added support for using Email as an MFA factor in the New Universal Login Experience.

We've added a way to enable clickjacking protection in Classic Universal Login.

We've added a way to enable clickjacking protection in Classic Universal Login.

We've added support to configure the default tenant login URI and the Application Login URI in the dashboard.Learn more.

We've added a new API endpoint to let you force MFA the next time a specific user logs in.

Select user profile attributes may now be updated, thereby eliminating reliance on user_metadata for those fields. In addition, we've made importing users easier by allowing hashed passwords, user ID, and blocked status to be imported. For additional information, you can read more in the User Documentation for Updatable Profile Attributes and Bulk Import.

We've added support for custom domain names to the Delegated Admininistration extension and the SSO Dashboard extension.

You can take advantage of custom domain support by upgrading your extensions via the Auth0 Dashboard. For more information on how to utilize custom domain names, please see the extension documentation:

• SSO Dashboard- Delegated Administration

We've added encrypted secrets support to the Bitbucket Deployments extension, Github Deployments Extension, the Gitlab Deployments extension, and the Visual Studio Team Services Deployments extension.

You can take advantage of encrypted secrets support by upgrading your extensions via the Auth0 Dashboard. For more information on how to utilize encrypted secrets, please see the extension documentation:

• Bitbucket Deployments Extension- Github Deployments Extension- Gitlab Deployments Extension- Visual Studio Team Services Deployments Extension

We've added ES9 linting support to the Rules editor.

The Rules web editor now supports linting in ECMAScript 9 syntax when used with Node.js 8.

We've added more granularity to the M2M reports.

Now a daily view of calls per application, for the last 7 days in Machine to Machine quota reports is available.

This is reflected in the Support Center's quota reports.

We've added support to use Azure AD + MS Graph for Microsoft Social connections. Learn more.

We've have added roles and permissions to the core capabilities of Auth0. In authorization, a user or application is granted access to an API after the API determines the extent of the permissions that it should assign. Usually, authorization occurs after identity is successfully validated through authentication so that the API has some idea of what sort of access it should grant.

More information is available in the updated documentation.

We've enhanced Auth0 rules so that they can now leverage the MFA context stored in the user session to trigger or suppress MFA prompts in conjunction with silent authentication.

Many organizations want to use silent authentication in conjunction with MFA whereby the end-user is prompted for MFA during the initial authentication, but not prompted for MFA when renewing tokens during the session lifetime. With MFA context now available in rules, you can check to see if MFA was previously completed (and when), thereby enabling a superior and secure MFA + silent authentication experience for end-users.

More information is available in the updated documentation, the sample rule available in the Auth0 dashboard, and in the Auth0 Support Center

We've extended Auth0 session limits for Enterprise subscribers.

Enterprise subscribers are now able to set longer session limits with up to 100 days for Inactivity Timeout (idle_session_lifetime) and 365 days for Forced Logout (session_lifetime).

More information is available in the updated documentation and in the Support Center</>

Fixed error handling in Dashboard’s Logs Search. Also fixed search hint and added link to Query Syntax doc.

We've added support to use LinkedIn API v2 to authenticate. Learn more.

Fixed quota utilization report for Private SaaS Employees in Support Center.

Previously employees were included on the Enterprise or Regular active users reports, with this fix the Private SaaS employees usage will be accessible on the Employees report as expected.

This is reflected in the Support Center's quota reports and will provide usage for appliances that are upgraded to version 1901

We added a way to specify the default login URL for applications and tenants. Auth0 will use when it needs to redirect to them. More details in the docs.

We've updated the Multi-factor Authentication section in the Dashboard. For more details check our post in Auth0 Community, and our public Docs.

Version 2 of the Deploy CLI has been released! For complete details please see the Deploy CLI README. You can upgrade to this version by installing via npm: npm i -g auth0-deploy-cli@2.

The Deploy CLI tool and Deployment Extensions were updated to provided the following functionality.

• Added YAML support- Added support for export (deprecation of separate auth0 dump tool)- Delete support - The tool will, if configured via AUTH0_ALLOW_DELETE, delete objects if they do not exist within the deploy configuration.- Support for additional Auth0 objects
  • Connections including Social, Enterprise and Passwordless configurations. - Improved support for database connections and associated configuration. - Email Templates - Email Provider - Client Grants - Rule Configs - Better support for pages - Tenant level settings
• Added support to be called programmatically- Improved logging- To simplify the tool the slack hook was removed. You can invoke the tool programmatically to support calling your own hooks- Support referencing clients by their name vs client_id (automatic mapping during export/import)- Simplified to support future Auth0 object types

We’ve updated our ticketing backend system in order to provide a better support experience to our customers. Although this is an internal migration, you may notice some minor changes in Support Center:

• We've changed the numbering scheme of the support tickets and they are now 8 digits long.- We assigned new IDs to the existing tickets, which may affect any email notification related to your open tickets. You will still be able to find your existing tickets by their original ID in the Support Center's Tickets List page.- Any link to an existing ticket in Support Center will continue to work and will redirect you to the new URL.- We’ve renamed the open ticket status to in progress.- We’ve renamed the solved ticket status to resolved.- We’ve renamed the hold ticket status to customer hold.- We’ve added a new with sustainment status to provide visibility whenever the Auth0 Sustainment Engineering team is working on your case.- The attachments that you may add to tickets and comments will be effectively uploaded after you submit the ticket or comment. Any error that may occur during the upload will require you to retry the upload by submitting a new comment.- When selecting a file to upload we now validate its size is less than 15Mb, it doesn’t contain invalid characters in its name and it has at least one of the following extensions: bmp, csv, doc, docx, gz, gif, har, jpg, jpeg, json, mp4, mov, pages, pdf, png, ppt, pptx, rar, tar, tiff, tif, txt, xls, xlsx, xml, zip, htm, html.- We now show Auth0 Developer Support as signature of any comment coming from the Auth0 Support Team, instead of showing the agent's name.

If you have any feedback, it will be welcomed in our Feedback page.

We've made password policies more flexible by enabling the minimum length (number of required characters) to be set independently from other complexity options.

Password policies can now require a greater number of characters (from 1-128) without requiring special or mixed-case characters. A common use-case is implementing pass phrases that have no special character requirements, where end-users can provide a series of words that are easy for them to remember, but difficult for hackers to guess. The National Institute of Standards and Technology (NIST) recommends that password length is a greater indicator of over-all strength than requiring numbers and special characters. Using the new minimum password length option, password policies can be configured to leverage extremely strong, high-entropy pass phrases that are easier for end-users to remember.

More information is available in the updated documentation and in the Support Center</>

Additional connection information available in rule's context.

Previously only connection name and strategy were available in the rule’s context object. Now it is also possible to access connectionID, connectionMetadata and two of the connectionOptions, tenant_domain and domain_aliases, without calling Management API to get the connection details. More details on the context schema can be found in the Rules docs.

We've also updated the Check user email domain matches domains configured in connection rule template to make use of these enhancements.</>

Simplified SSO and provided additional configuration

Added Seamless Single Sign-On support by eliminating the unnecessary confirmation dialog for people with an active session. In addition, we've added control over the Inactivity timeout length and consolidated all of the SSO session controls on the advanced tenant settings page. More details in the SSO docs.

Changed the ticket categorization on the ticket creation form.

For the purpose of improving the way we capture the information on the ticket we have made some changes to the ticket creation form. You can view the new changes in the open ticket page.

Changed how we count active users.

Previously we counted each Active User that logged into each client/application in a tenant. If your tenant had App A and App B, and one user logged into both apps, that would count as two Active Users.

Moving forward we will count per Active User within a tenant and no longer count per client/application. If your tenant has App A and App B and one user logs into both apps, they will be counted as one Active User.

This is reflected in the Support Center's quota and usage reports, in the Auth0 Pricing Page and the Management Dashboard Subscriptions Section.

More info can be found on our docs.

Version 3 of the Delegated Administration Extension was released. For complete details please see the Delegated Admin docs. You can upgrade to this version by visiting the Extensions section in the Manage Dashboard. No configuration changes are anticipated to be required for the upgrade.

Improved Dashboard UX for Machine to Machine Applications. More details in the Machine to Machine docs.

Improved Quickstarts Download Page.

Implemented a new MFA API. Embed Multi-Factor Authentication using push notifications, SMS, or TOTP anywhere, taking full control of the experience. More details in the blog: https://auth0.com/blog/introducing-the-mfa-api.

Implemented support for Passwordless connections, AP/LDAP connections and WS-Fed clients in Custom Domains. Here is the list of features supported by Custom Domains>

Enabled self-service customers to pay for Machine to Machine applications. Previously it was a feature only available to Enterprise users. This is reflected in the Auth0 Pricing Pages and in the Management Dashboard Subscriptions Sections.

Renamed the term Clients to Applications. This change is reflected throughout the Dashboard and documentation only and does not require any changes on your part.

Added the ability to define Custom Domains for your Auth0 tenant. More details in the blog https://auth0.com/blog/introducing-custom-domains-preview-with-auth0.

A new Auth0 Spring Security API SDK is now available to help you secure your API using JSON Web Tokens. See the changelog entry for more information.

wp-auth0 - Updated to support Lock 11 and RS256 JWT. See the changelog entry for more information.

Improved Credentials Manager, deprecated touch method and replaced with bio authentication method for clarity. See the changelog entry for more information.

Auth0.js v9 uses our latest embedded login API. This version removes API calls to usernamepassword/login and user/ssodata and is not supported in centralized login scenarios (i.e. Hosted Login Pages). Some methods now use a mix of Cross Origin Authentication and WebAuth.checkSession (with Web Origins response mode). Read more about Cross Origin Authentication and how to enable Web Origins here. See the changelog entry for more information.

Updated to use auth0.js v9.0.0 and the new API endpoints. Changed the default scope to be openid profile email. Removed oidcConformant flag (Lock won't use legacy endpoints anymore). getProfile now uses an access_token instead of an id_token. Lock v11 is not supported in centralized login scenarios (i.e. Hosted Login Pages). See the changelog entry for more information.

The Auth0-Java SDK adds support for the new users-by-email endpoint. It also allows to set a custom user id when creating a new user using the Management API, and includes a change in the Authentication API Sign Up methods' returned value that someone might find breaking. This change was required in order to return the just created user's information. See the changelog entry for more information.

The Auth0.Android SDK adds support for TLS 1.2. See the changelog entry for more information.

Updated to use auth0.js v8.11. Updated to use auth0.js token validation functions. See the changelog entry for more information.

Version 0.3.0 of jwks-rsa-java has been released, where JWKs parameters 'key_ops' and 'alg' are now parsed according to the specification.

Security Improvements:

• Fixed an issue where state would not be automatically checked in some scenarios- Forced id_token validation for RS256-signed id_tokens- Use /userinfo to get id_token payload for HS256-signed id_tokens See the changelog entry for more information.

The Java-JWT SDK fixes an issue affecting the length and format of the signatures produced by the Elliptic Curve Digital Signature Algorithm. See the changelog entry for more information.

Auth0.swift - Added SFAuthenticationSession support for iOS 11. See the changelog entry for more information.

Lock for Android fixes navigation issues on non-touchscreen devices and adds support for right-to-left languages. See the changelog entry for more information.

The Auth0.Android SDK adds a new and more secure Credential Manager implementation that uses encryption, available for devices running Android Lollipop and above. This release also allows users to customize the Custom Tabs UI by changing the toolbar color and page title visibility from the WebAuthProvider builder. See the changelog entry for more information.

wp-auth0 - Fixed implicit mode in auto login and improved handling of auto login configuration. Added translation support for more user facing exception messages. See the changelog entry for more information.

The Auth0.Android SDK fixes a few bugs in the authentication flow and activity state when using Chrome Custom Tabs. See the changelog entry for more information.

JWTDecode.swift - Added Xcode 9 compatibility. See the changelog entry for more information.

Adding support for OIDC Conformant clients using Cross Origin Authentication. See the changelog entry for more information.

Small UI fixes and improvements with the connectionResolver feature. See the changelog entry for more information.

Lock.swift - Added Xcode 9 compatibility, various fixes to the database SignUp process. See the changelog entry for more information.

Added the ability to set the user_id during user creation using the User Management API. For more information, check our documentation.

Fixed tenant override in popup mode. Also fixed the timeout override when using the renewAuth method. See the changelog entry for more information.

Auth0.swift - Added Xcode 9 support. See the changelog entry for more information.

The Auth0-Java SDK adds support for the Management API Grants entity. See the changelog entry for more information.

New clients created in the dashboard will default to OIDC Conformant. The full list of changes this implies can be found here.

Fixed allowed Regular Expression for usernames. Also fixed custom themes for custom connections along with some UI improvements. See the changelog entry for more information.

Fixed snake casing app_metadata and user_metadata on sign up. See the changelog entry for more information.

Added Cross Origin Authentication support to Passwordless connections. See the changelog entry for more information.

Added the ability to set the primary user in rules using context.primaryUser. Check our documentation for more information.

The DELETE client grants endpoint now allows to delete all grants for a given user by specifing the query string parameter user_id.

Now the 'Use Auth0 for SSO' flag under Client Settings is disabled for OIDC Conformant clients.

Lock for Android now makes use of 'Android Manifest Placeholders' to define the Domain and Scheme values required to automatically capture a Web Authentication result, like logging in using the Facebook connection. See the changelog entry for more information.

The Auth0.Android SDK now makes use of 'Android Manifest Placeholders' to define the Domain and Scheme values required to automatically capture a Web Authentication result. See the changelog entry for more information.

Fixed an issue with the HRD input when using the back button. See the changelog entry for more information.

Added a new option called connectionResolver, which is used to resolve the desired connection on the fly instead of setting it beforehand. See the changelog entry for more information.

Lock for Android now features a 'show password' toggle button on the Password fields. See the changelog entry for more information.

The Auth0.Android SDK will try to use Chrome Custom Tabs when possible. A helper class is included to easily manage Credentials. See the changelog entry for more information.

Fixed an issue where the ACR value was not being properly set when in a SAML context.

MFA no longer incorrectly preventing brute-force anomaly detection count resets.

Auth0.swift - Added OIDC conformant UserInfo class and API method, added Touch ID validation for renewing credentials and added iOS 11 (Beta) support. See the changelog entry for more information.

Fixed an issue with Internet Explorer 11's autocomplete. Also fixed connection_scope not being passed to the authorize page. See the changelog entry for more information.

Added more analytics events and also added a new option that enables a button that shows or obfuscates the password. See the changelog entry for more information.

Fixed an issue where the user was being asked to perform MFA despite having clicked the 'Remember Me' checkbox.

Fixed an issue with Passwordless connection inside the Hosted Login Page. See the changelog entry for more information.

The GET client grants endpoint now allows filtering by client id using the query string parameter client_id.

Started emiting an authorization_error when username / password fails. Also fixed a few UI issues on mobile and some options overrides not being passed to auth0.js. See the changelog entry for more information.

Added support for html formatting when using the flashMessage option. Also added a new option allowAutoComplete that enables the autocomplete html5 attribute in the username input. See the changelog entry for more information.

Auth0.swift - Added Credentials Manager utility for secure management of tokens. Updated compatibility for Xcode 8.3 See the changelog entry for more information.

Added a new client.grant_types property to Auth0 Clients. With this change, Auth0 will restrict authentication and authorization flows based on the grant types associated with each client. All existing clients have been updated with all grant types for backward compatibility. New clients will be created with certain default grant types based on whether it is a public or confidential client (based on the token_endpoint_auth_method property). See our documentation for more information.

Lock.swift - Added 1Password support for database connections. Greatly expanded Lock customization options. See the changelog entry for more information.

• Added support to query by identifier on PATCH / GET / DELETE api/v2/resource-servers endpoints.- Added pagination to GET api/v2/clients endpoint.

Removed client.resource_servers from documented sample response.

Added option postMessageType to filter iframe events in order to prevent incorrect events triggering the renewAuth callback. Also added support for Cross Origin Authentication. See the changelog entry for more information.

Published new SDK for Java (auth0-java-mvc-common) to simplify the web authentication from Java MVC applications using either Code Grant or Implicit Grant. Supports HS256, and RS256 algorithms with optional Public Key Rotation. See the changelog entry for more information.

The Java Spring MVC SDK has been deprecated and will no longer be maintained. Development will continue on the auth0-java-mvc-common SDK.

The Java Spring Security MVC SDK has been deprecated and will no longer be maintained. Development will continue on the auth0-java-mvc-common SDK.

The Java Servlet SDK has been deprecated and will no longer be maintained. Development will continue on the auth0-java-mvc-common SDK.

Fixed some overriden options not being applied. Also fixed decoding babse64 strings with special characters. See the changelog entry for more information.

The Auth0-Java SDK adds support for the new OAuth 2.0 Renew and Revoke Token endpoints. The Guardian entity has also been improved. See the changelog entry for more information.

• Officially dropped support for Microsoft’s Internet Explorer 10.- Fixed issue in the APIs section’s Test tab: changing languages in the code viewers now change the language properly.- Fixed visual issue with code editors backgrounds in the User Details section when using Chrome in Windows 10.- Fixed overflowing of text when users have huge strings without spaces or breaks in their External Attributes Object.- Fixed issue with Delete Account prompt showing a default domain name instead of the correct domain for that account.- Fixed issue with positioning for SAML connections list pagination controls.- Fixed issue when uploading custom logo in Tenant Settings section would crash the browser.- Fixed issue with users with special characters in their IDs that could not be seen in the dashboard.- Improved UI for User Identities in User Details: replaced the old JSON viewer for a better-looking code editor.- Fixed SAMLP default mappings example to avoid getting parsing errors by default.- Now the API section is displayed by default.

New connection for PayPal Sandbox applications, it can be found in Social Connections in dashboard

The postMessage handler now supports parsing objects as well. See the changelog entry for more information.

Fixed a few UI issues with long titles and error messages. See the changelog entry for more information.

The Java-JWT SDK adds a 'Key Provider' interface to support dynamic RSA or ECDSA Keys, making easier the use of JWKs files for token verification. Long claims are also supported. From this release on, the JWT#decode static method will return a DecodedJWT object instead of a JWT object. See the changelog entry for more information.

The Auth0.Android SDK allows to revoke refresh_tokens. See the changelog entry for more information.

Lock for Android adds Paypal connection support and displays a Retry screen if it fails to load the Client settings. See the changelog entry for more information.

Lock.swift - Added Passwordless SMS/Email connection support, paypal-sandbox connection support. See the changelog entry for more information.

Added support for the paypal-sandbox strategy. See the changelog entry for more information.

Fixed a few UI issues with mobile in landscape mode. See the changelog entry for more information.

Fixed an issue with nonce verification in the renewAuth method. See the changelog entry for more information.

Server-side resource-owner password flows that use brute-force detection can now prevent erroneous blocking scenarios by utilizing the 'auth0-forwarded-for' header. See the documentation for more details.

The Auth0.Android SDK on the event of a Rule error while trying to authenticate will parse any rule-defined custom error message. See the changelog entry for more information.

Added multifactor authentication capabilities to the oauth/token endpoint. See the documentation for more details.

• Fixed outdated link in Sharepoint SSO Integration tutorial page.- Improved error message in the Email Templates section when the from field is not properly filled.- Fixed UI for form validations so they don’t linger after a successful submission of the form.- Added read:user_idp_tokens to available scopes for the Management API.

Auth0.swift - Added method to check native authentication availability for IdP on device. See the changelog entry for more information.

Fixed an issue with the error handling callback. See the changelog entry for more information.

Fixed a few UI inconsistencies with the username input. Also started disabling social buttons when terms were not accepted on sign up. See the changelog entry for more information.

Auth0.swift - Added scope support to the renew method. See the changelog entry for more information.

user.last_password_reset will now be set immediately when the user changes their password, instead of waiting for the next login.

Auth0.swift - Added Connection Scopes to webAuth and creation of webAuth instances from authentication instances. See the changelog entry for more information.

Fixed an issue when parsing a url fragment and the state had special characters. Also fixed an issue with incorrect error messages. See the changelog entry for more information.

Lock.swift - Added connection scope support for OAuth2 connections and added native authentication handler support. See the changelog entry for more information.

Fixed the error Nonce does not match when state option contains special characters. Also fixed popup authentication not being called with all the options. See the changelog entry for more information.

Added Evernote strategy. See the changelog entry for more information.

• Added functionality to filter-as-you-type the tenant list in the tenant dropdown for tenant lists with more than 10 tenants in them.- Updated UI for the <app_metadata> and <user_metadata> properties, in the User Details section, to feature a full-featured editor with code folding.- Renamed the “Setup” button in SAMLP connections list to “Setup Instructions”.- Fixed a series of issues with dashboard invitees:
  • Prevent non-owners from entering the “create SSO Integrations” route. - Prevent non-owners from entering the Logs section. - Prevent non-owners from entering the account sub-sections (Admins, Payment, etc.).
• Updated UI for Dashboard Admins to fix XSS vulnerability when deleting dashboard admins and relocated the row to add an admin to always be on top of the list to avoid scrolling in long lists.- Updated UI for User Details to account for long <name> and <username> properties by truncating them.- Added the possibility to save Sharepoint SSO Integrations <external URLs> as a comma-separated list to set multiple of them.

Added support for read:user scope when using Github social connections

Lock for Android Passwordless flow can now remember the identity of the last person who successfully signed in. See the changelog entry for more information.

Started sending owp param in popup mode. See the changelog entry for more information.

The Auth0.Android SDK adds the Management API's GET User Profile endpoint. See the changelog entry for more information.

Fixed a few UI issues. Started filtering parameters send to the /authorize endpoint. See the changelog entry for more information.

Added checkbox as a custom input type for the option additionalSignUpFields. See the changelog entry for more information.

Added flag _idTokenVerification to disable id_token verification for legacy clients. See the changelog entry for more information.

Updated the UI for the API Explorer tab to be able to configure the token expiration for the Management API.

Rules will now run when calling oauth/token with grant_type: password or grant_type: refresh_token. For more information, check out our documentation.

Guardian Authenticator for Android is now capable of scanning and managing any generic TOTP key.

Added a new property <description> for Clients, a free-text field to describe the client’s purpose.

Released new Lock for iOS version written in Swift and migration guide to help the transition.

Auth0.swift - Added Native Authentication support and fixed support for OIDC conformant profiles. See the changelog entry for more information.

Published new SDK for Java (auth0-java) that supports Authentication API OAuth 2.0 endpoints and most of the Management API entities. See the changelog entry for more information.

Added enhancements to SAML Single Logout to conform to the Single Logout Profile specification. With these enhancements, all SAML Service Providers you have configured for logout will be sent a LogoutRequest to the logout.callback URL you have configured in the SAML Add-on. If your Service Provider does not support Single Logout, you can set logout.slo_enabled: false in your SAML Add-on configuration. For more information, check out our Logout documentation and SAML configuration documentation.

The Java-JWT SDK can now handle Array claims and return the Payload claims as a Map<String, Claim>. See the changelog entry for more information.

Published auth0.js v8 and migration guide to help the transition.

The Auth0.Android SDK adds a flag to decide if the API calls should be made using Open ID Connect conformant or Legacy endpoints. See the changelog entry for more information.

Lock for Android now supports the use of custom URL schemes for Web Authentication. The Implicit Grant has been deprecated. See the changelog entry for more information.

Consolidated brute-force detection into a single Shield.

Auth0.swift - Added support for password-realm.grant_types and refresh_token.grant_types. Additional smaller changes have been made to support OIDC. See the changelog entry for more information.

The Auth0.Android SDK now supports sending audience value on Web Authentication. See the changelog entry for more information.

Published new Java SDK (java-jwt) for Json Web Tokens verification and signing. Supports HMAC, RSA and ECDSA algorithms. See the changelog entry for more information.

It is now possible to pre-enroll users into Guardian via an enrollment email. See here for more information.

Added client flag to disable SSO (sso_disabled) which can be set using the Management API. When this flag is set to true, an Auth0 session will not be created for any authentication using that client.

Added expires_in to oauth/token endpoint

Upgraded Auth0 hosted login page to Lock 10.7.

The Auth0.Android SDK prepares to conform with Open ID Connect and adds the /userinfo and /oauth/token endpoints. Multiple response_type values are supported as well. See the changelog entry for more information.

Published new mobile SDKs for iOS (Guardian.swift) and Android (Guardian.Android) to make it simple to build custom Guardian mobile applications.

Lock for Android now allows to specify a custom Scope. See the changelog entry for more information.

nonce parameter is now mandatory if you are using implicit grant flow

Released new version of Lock for Web with several bugfixes and improvements including support for custom OAuth2 connections. See Lock's changelog for more information.

Release of the UI-less client libraries for Guardian, allowing users to build custom Guardian widgets. See the library here for more information

Double quotes in assertions caused invalid SAML signature.

Added new Tenant settings for:

• default_audience - Specifies the audience that clients will receive as a default if one isn't explicitly requested- default_directory - Specifies a default directory connection to use when using password grant flow

Published new Android focused SDK (JWTDecode.Android) for decoding Json Web Tokens (JWT). See the changelog entry for more information.

Verification email does not display given_name attribute for custom DB.

Lock for Android now uses Browser instead of WebView by default for authentication. See the changelog entry for more information.

Added paging to Database Connctions page to support large volume of connections

Published new mobile SDKs for iOS (Auth0.swift) and Android (Auth0.Android) to make it simple to build custom login screens using Auth0.

Auth0 Guardian now allows users to choose to 'remember this browser' and not be prompted for MFA for 30 days from a known system.

It is now possible to disable automatic SMS and email notifications during Passwordless user creation. See the docs for more information.

When a user hits the rate limit for the delegation endpoint, log entries will now be visible in the tenant logs.

SSO Session Timeout can be customized in Tenant Settings > Advanced. This allows you to specify how long the SSO Cookie is valid.

You can now opt-in to preview the new OAuth2aaS pipeline in Account Settings > Advanced. This enables support for Advanced API Authorization scenarios including user consent.

Released new major version of Lock for Android with redesigned UI and new features like custom OAuth2 connections support, password policy, etc. See the docs for more information.

Fixed error when custom DB scripts are set to null

Database Connections now allow customizing the minimum and maximum length for usernames, up to 128 characters. This only applies if Require Username is on.

Renamed the Delete All Users endpoint from DELETE /api/v2/users to DELETE /api/v2/allusers to avoid accidental deletion of users.

Add oid claim to Azure AD user profiles

Update response from Device Credentials endpoint to include type and user_id.

SAML Response is now displayed in Tenant Logs when Debug Mode is enabled in the SAML Connection.

Added the ability to regenerate Guardian recovery codes. Please visit our documentation for details.

Auth0 Guardian is now officially released -- a new and convenient way to perform multifactor authentication for logins. Guardian features 'push-notifications' as well as other standard authentication flows. See our full announcement here.

Added ability to specify Client Logo on the client API

Releasing password breach detection, which protects Auth0 users in case their password is leaked via a breach at a different provider. Auth0 monitors announcments of breaches from other providers, and checks Auth0 users against the list of leaked accounts. In case of a match, the user will be prevented from logging in until their password is reset.

Guardian template is now customizable via the Hosted Pages section.

Fixed issue with Account Un-Linking where the secondary account would not show up in the Users list after being Un-Liked. Now, when Un-Linking two linked accounts, the secondary account will be restored and visible in Users.

Bulk Import API has been upgraded with the following changes:

• Added option to specify if the operation should should insert or upsert - Added external_id parameter. The value is user defined and is returned with Job status; can be used for correlating multiple jobs. - Job Status shows summary totals of successful/failed/inserted/updated - Added ability to retrieve failed entries via API call to GET /api/v2/jobs/{id}/errors - Job Status is added to Tenant Logs which allows a custom WebHook to be trigged using the WebHook Logs Extension

The API now has the ability to manage Guardian configuration. Please visit our documentation for full details.

The Bitbucket Deployments extension allows you to deploy rules and database connection scripts from Bitbucket to Auth0. You can configure a Bitbucket repository, keep all your rules and database connection scripts there, and have them automatically deployed to Auth0 each time you push to your repository.

The /authorize endpoint now supports response_mode=form_post when the response_type is either id_token or code token.

For example:
/authorize?response_mode=form_post&client_id=…&redirect_uri=…&response_type=id_token

Added password policy support for Password Dictionary and Password Personal Data.

Password Dictionary, when enabled, prevents the use of common passwords and allows for setting a custom dictionary with up to 200 entries.

Password Personal Data, when enabled, prevents using personal data in the password, such as the user's name, parts of the email address, etc...

Added ability to change Email for users in Passwordless connections.

Auth0 now supports full Client Credentials flow for API Authorizations. This allows server to server authorization for things like scripts, backend services, daemons, or any app that does not need to operate as a user.

Enabling the API section can be done via Account Settings or by adding a new Non Interactive Client.

The Application section in the Auth0 Dashboard has been renamed to Clients to clarify the distinction between APIs and Clients.

This is the first step we are taking towards more complex API authorization scenarios. Other flows, such as User Consent, will be added in the near future. Please visit our full documentation for detailed information about API Authorization.

Added support for Twillio Copilot in Passwordless Connections.

Support for Fitbit OAuth2 apps. Added an upgrade mechanism for OAuth1 (deprecated) connections.

If a user requests multiple passwordless links/codes, emails may not arrive or be displayed in the correct order. Up till now, only the last code issued was valid, causing issues when opening the wrong email. This change allows the last 5 codes sent to be valid, but once one is used, the rest are invalidated.

The GitHub Deployments extension allows you to deploy rules and database connection scripts from GitHub to Auth0. You can configure a GitHub repository, keep all your rules and database connection scripts there, and have them automatically deployed to Auth0 each time you push to your repository.

Added Password History support to Database Connections' password policies.

Added support for the new Firebase SDK v3.

Introduced a new tenant settings flag enable_client_connections that will allow customers to switch between 2 flows when creating clients (Applications):

• When creating a new client, create and enable existing connections (current flow, default) - When creating a new client, create but don't enable my existing connections (new flow)

This setting can be turned off in Account Settings > Advanced > Settings > Enable Client Connections or via the API using the GET /api/v2/tenants/settings endpoint.

Extensions gallery now supports documentation. From now on, you will be able to check documetion before and after installing an extension.

Added support for Bitbucket and Dropbox social connections.

If you are using Lock, please upgrade to v9.2.0.

Provided access to the language in passwordless email templates

Remove support for JSONP on the /ssodata endpoint. The "Last time you logged in with" feature will no longer be supported on IE 9.

Integrate Rules Debugging with Real-time Logs extension

We shipped 7 new logging extensions. You can now export Auth0 logs to one of the following external systems:

• Auth0 Logs to Papertrail- Auth0 Logs to Sumologic- Auth0 Logs to Splunk- Auth0 Logs to Logstash- Auth0 Logs to Mixpanel- Auth0 Logs to Logentries

Export operation executes at configurable intervals to ensure you always have access to recent logs.

New Extension: Real-time Webtask Logs

This extension gives you the possibility to access to Webtask Logs in real-time.

Added logout returnTo URL validation. If the returnTo URL is not in the Allowed Logout URLs list, the request will be rejected. See the docs for more information.

New Extension: Authorization Dashboard

This extension gives you the possibility to manage group memberships for your users.

Group Management

Allows you to create groups with a name and a description. Users can be added and removed from groups. This can happen by opening the group and managing users from there, or by opening the user and manage the user's group memberships from there.

User Management

Besides managing everything from the group point of view you can also open a user and manage his/her group memberships there but also see the "calculated" group memberships for that user.

Application Access

In Auth0 the application access is very coarse grained. All users in a connection that is enabled for the application are able to access the application. With this extension you are now able to take this a step further. You are able to define that only groups "Fabrikam Management" and "Fabrikam Finance" are able to access the "Reporting App" containing reports about the company's financials.

Added a new property on the client entity to allow users to specify how the client is going to perform authentication with the token endpoint. Values are none, client_secret_post and client_secret_basic. The none option is introduced for native applications which can’t store secrets and use PKCE (see https://tools.ietf.org/html/rfc7636)

We included an extra validation in the /tokeninfo endpoint to verify that the account name in the URL matches the account for which the token was issued. Any call to the tokeninfo with a token from another account will return Unauthorized.

Suppressed the error message in the change password flow in order to prevent user enumeration within the message. The API now returns HTTP 200.

We deprecated the current_user_device_credentials scopes in the /api/v2/device-credentials endpoint for POST and DELETE methods. To use this endpoint we enabled Basic authentication with username and password from a database connection.

Users can now specify a list of URLs that are valid to redirect to after logging out from Auth0. The update can be done either from the Dashboard or using the Management API.

Added new ext_nested_groups option to waad connection strategy. When both ext_groups and ext_nested_groups are enabled we return all the groups that the user is a member of instead of only returning the ones that the user is direct member (for more information see this MSDN article)

The device-credentials endpoint now supports basic authentication to perform GET, POST, and DELETE requests.

Extensions Gallery updated!

This new version allows you to create your own extensions.

The flow to reset a password has been updated.

In this new flow, users enter their username or email address and receive an email with instructions to choose a new password. The old flow which required users to enter their new password and then confirm the change via email is still available but has been deprecated: it is no longer available for new tenants and existing tenants are recommended to disable it.

The flow to reset a password has been updated.

In this new flow, users enter their username or email address and receive an email with instructions to choose a new password. The old flow which required users to enter their new password and then confirm the change via email is still available but has been deprecated: it is no longer available for new tenants and existing tenants are recommended to disable it.

Extensions Gallery updated.

This new version gives users the possibility to search for an extension, easily check which ones are installed and access to more information about an extension before installing it. Also, includes new extensions such as Auth0 logs to Loggly, Auth0 logs to Azure blob storage, Auth0 logs to Application Insights, Auth0 AD/LDAP Connector Health Monitor and Auth0 Authentication API webhooks

Users can query logs using the Management API v2.

You can use the new logs endpoints to query logs. This is the new recommended way to query logs. The API v1 logs endpoints will still be functional. See more info in the docs.

The Auth0.Android SDK has deprecated the usage of the WebView for authentication. All web authentication should be done using the Browser. See the changelog entry for more information.