Asynchronous authentication and authorisation using the Client-Initiated Backchannel Authentication (CIBA) flow is now Generally Available for our Enterprise plan customers. The CIBA flow works as an asynchronous, decoupled flow across two different devices: 

 - Consumption device: initiates the authentication request.

 - Authentication device: handles end-user authentication, implemented as a custom mobile app which embeds the Guardian mobile SDK.

The flow supports the use of Rich Authorization Requests [RFC9396](https://www.rfc-editor.org/rfc/rfc9396.html) to provide contextual information to authenticating and/or authorizing users. This enables the CIBA flow to support a number of powerful use cases driven by backend client applications, such as: 

 - Customer authentication by headless devices or devices/applications with limited interaction capabilities.

 - Customer authentication in call-centre scenarios.

 - Authorising sensitive operations on behalf of yourself or a third-party e.g. a customer service Agent, an autonomous AI Agent.

For more details, see the [product documentation](https://auth0.com/docs/get-started/authentication-and-authorization-flow/client-initiated-backchannel-authentication-flow).

We're excited to announce a significant enhancement to the Tenant Member Management feature within Auth0 Teams. All tenant member management tasks can now be completed centrally within the Auth0 Teams Dashboard.

Previously, we introduced tenant member management with support for inviting and assigning dashboard users to team tenants, followed by the ability to remove access from tenants directly within the Teams dashboard.

With this release, a team owner gains the comprehensive ability to perform all Create, Read, Update, and Delete (CRUD) tasks on tenant members directly from the Teams Dashboard. This streamlines administrative workflows and provides unparalleled control over user access across your tenants.

Note: The Tenant Member Management feature is required for this functionality. This feature is on by default for all Self-Service customers and most Public Cloud Enterprise customers. It is configurable for some existing Public Cloud Enterprise customers and is coming soon to Private Cloud customers.

Please refer to the following documentation for more information.
1. [How do you edit a Tenant Member role from Auth0 Teams Dashboard?](https://auth0.com/docs/get-started/auth0-teams/tenant-member-management#edit-tenants-membership-with-tenant-member-management "Edit Tenant Member access.")
2. [I am a Public Cloud Customer; how do I verify that I have the suitable feature turned on to support tenant member management?](https://auth0.com/docs/get-started/auth0-teams/tenant-member-management#turn-on-tenant-member-management "Turning on Tenant Member Management.")

![Teams Tenant Member Management Edit](//images.ctfassets.net/kbkgmx9upatd/5QwfkRVLTvsmQGBwZ1v8zO/03318f219868f3270908b9c8ea2607a8/Tenant_Member_Management_Edit.png)


Event Streams is now available for all customers who desire to discover completed changes to Auth0 Users and Organizations as they happen.  They can do this by:
-  Creating an Event Stream in the Manage Dashboard or the Management API 
-  Configuring the Event Streams with the desired destination ([Webhook](https://auth0.com/docs/customize/events/create-an-event-stream#create-an-event-stream-webhooks- "Create a Webhook") or [Amazon EventBridge](https://auth0.com/docs/customize/events/create-an-event-stream#aws-eventbridge "Create an Event Stream via Eventbridge")) and selecting the events to receive

See the [Auth0 Docs](https://auth0.com/docs/customize/events) for further instructions.

Updating specific configuration fields for a tenant's SMTP Email Provider may require simultaneously specifying the password field used for SMTP client authentication.

We have provided additional information and timelines for enforcing this change across tenants through a dashboard and [support center notification](https://support.auth0.com/notifications/68236562d0bbf8eb81861392).

Introducing the customizable notification text for IOS Guardian SDK. With this update, apps using the Guardian SDK on iOS can now fully customize the text of their push notifications—giving you greater control over your user experience and messaging.

Enable end users to choose a different language if the automatically selected language based on `ui_locales` or the browser language header is not preferred.  By leveraging Auth0 Custom Prompts you can use your own HTML to customize the look and feel for how end-users perform the language selection on Universal Login. [Learn more](https://auth0.com/docs/customize/login-pages/universal-login/customize-signup-and-login-prompts/language-selection)![Language Selection on Universal Login](//images.ctfassets.net/kbkgmx9upatd/XQRrvqf3JIB247VTSTXF7/65f189e104e8018be47badb0145ab862/LanguageSelection.png)

Auth0 Developers can now easily and securely authenticate users on native applications by using the Android Credential Manager’s Sign in with Google.  This enables a secure and streamlined experience for end-users to login without being prompted for a password and by re-using their existing Google session on the device. [Learn more](https://auth0.com/docs/authenticate/identity-providers/social-identity-providers/google-native)
![Native Sign in with Google](//images.ctfassets.net/kbkgmx9upatd/2kRfgCc6743tlYfdNMzqMo/f03da5e2194e2b1a317014bbe4d80458/NativeSigninWithGoogle.gif)

We are excited to announce the next Early Access release of Advanced Customizations for Universal Login! This release adds support for building custom versions of Universal Login’s Device Authorization screens, the MFA voice, phone, and recovery code screens, and their matching Reset Password Challenge factors all using the new ACUL SDK.

Advanced Customizations for Universal Login enables you to build custom, client-rendered interfaces for Universal Login screens, allowing you to control every pixel of your Universal Login experience. This release allows you to building custom versions of the following screens:
* Device Code Activation
* Device Code Activation Allowed
* Device Code Activation Denied
* Device Code Confirmation
* MFA Phone Challenge
* MFA Phone Enrollment
* MFA Voice Challenge
* MFA Voice Enrollment
* Reset Password MFA Phone Challenge
* Reset Password MFA Voice Challenge
* MFA Recovery Code Challenge
* MFA Recovery Code Enrollment
* Reset Password MFA Recovery Code Challenge
* Redeem Ticket

__DX Updates__

The latest versions of the ACUL SDK and our CDT tooling all include support for these new screens.
* [Typescript SDK](https://github.com/auth0/universal-login/releases/tag/auth0-acul-js%400.1.0-beta.4)
* [Auth0 CLI](https://github.com/auth0/auth0-cli/releases/tag/v1.12.0)
* [Deploy CLI](https://github.com/auth0/auth0-deploy-cli/releases/tag/v8.8.1)
* [Terraform Provider Auth0](https://github.com/auth0/terraform-provider-auth0/releases/tag/v1.18.0)

We are well on our way to adding support for everything that Universal Login currently supports out of the box. Checkout our [online documentation](https://auth0.com/docs/customize/login-pages/advanced-customizations) to learn more about ACUL and stay tuned to the Auth0 Changelog for updates and announcements!

We are thrilled to introduce the Limited Early Access release of Federated Logout for Okta and OIDC enterprise connections! Auth0 customers now have a straightforward solution to ensure that an end user is logged out of both Auth0 and OIDC IdP sessions via the Auth0 logout endpoint. This feature is built upon the [OpenID Connect RP-initiated federated logout specification](https://openid.net/specs/openid-connect-rpinitiated-1_0.html), allowing customers to effectively mitigate security risks without the need to directly access IdP logout endpoints.

Federated logout has already been supported for a some IdPs, [listed here](https://auth0.com/docs/authenticate/login/logout/log-users-out-of-idps), as well as through the dedicated Google and Microsoft Entra ID connectors. This features expands federated logout capabilities to all OIDC Identity Providers via the generic OIDC and Okta connectors. 

To enable the Federated Logout Limited Early Access release in your Auth0 tenant, please contact your Technical Account Manager to request access.

Users can now enroll in Guardian Push directly from their mobile device—no QR code scanning required. Enrollment is supported in both the Guardian App and custom Guardian-powered apps, making setup faster and easier on mobile.

This feature gives developers real-time output from Action, Custom Database Scripts, and Custom Social Connections code when executing console.log and other similar commands.

To use the feature, navigate to the *__Dashboard > Monitoring > Action Logs__*.

What's new:
- __Connection Status:__ New connectivity status indicator for easier visualization of connection state to server stream.
- __Functionality:__ New functionalities for on demand connectivity, easier scrolling, and file downloading, which supplement the already existing ones.
- __User Experience:__ Improved user experience regarding look and feel and performance.
- __Docs:__ New docs section at: [https://auth0.com/docs/customize/actions/actions-real-time-logs](https://auth0.com/docs/customize/actions/actions-real-time-logs "Actions Real-time Logs Docs")


We’re excited to introduce Token Vault, now available in Early Access. Token Vault enables your applications to securely access third-party APIs on behalf of your users—without requiring you to manage refresh tokens or create custom integrations for a broad range of external APIs and services.

With Token Vault, Auth0 handles storing and refreshing access tokens from identity providers like Google, Github, Microsoft, and more. Your applications can then seamlessly call downstream APIs—such as Google Calendar, GitHub repositories, Microsoft Word, etc.

This feature is currently only available for Public Cloud tenants. To enable the Early Access release for your Auth0 tenant, please connect with your Technical Account Manager. 

For complete setup instructions and more, refer to the [Token Vault documentation](https://auth0.com/docs/secure/tokens/token-vault).

To learn about using Token Vault with Auth for GenAI, visit [Call Other's APIs on User's Behalf | Auth0](https://auth0.com/ai/docs/call-others-apis-on-users-behalf).

Let the API access magic unfold!

We're super excited to announce the developer beta of Auth0 MCP Server to make tenant management conversational, intuitive, and incredibly efficient for developers. Recently, Model Context Protocol (MCP) has been growing at a rapid pace and has enabled AI agents to communicate with external tools, resources, or remote services on behalf of users.

Auth0 MCP Server lets developers interface with Auth0 using natural language instead of complex APIs or dashboard navigation, dramatically simplifying tenant management workflows. For instance, developers could simply ask Claude to create a new Auth0 app, deploy a new Action, or perform any other supported management operation.

__This initial release includes:__
- __Support for 20+ Auth0 Management operations:__ Create and manage applications, APIs, Actions, Logs, and Forms through simple, natural language conversations.
- __Secure Authentication:__ Grant tenant access to your MCP clients via a secure auth flow with built-in support for scopes and session management.
- __Multi-Step Management Workflows:__ Perform complex operations like "create an application with specific permissions and deploy a security Action" in a single conversation.
- __Seamless Integrations:__ Native support for Claude Desktop, Windsurf, Cursor, and many other MCP clients.

Get started with a simple command: `npx @auth0/auth0-mcp-server init`

Learn more about the Auth0 MCP Server: [https://github.com/auth0/auth0-mcp-server/](https://github.com/auth0/auth0-mcp-server/ "https://github.com/auth0/auth0-mcp-server/")

[Auth0 Support Center](https://support.auth0.com/) Search now provides generative answers to search queries on Support Center. As part of this change, the answers/solutions in Support Center contain results from "Knowledge Articles" which are Auth0-created solutions to specific issues to help you troubleshoot better.

To try it out, navigate to: https://support.auth0.com/ and enter a query in the search box on the homepage. To filter results by the new Knowledge Articles, select "Knowledge" on the left-hand side.

We’re excited to announce the __Developer Preview__ of __Auth for GenAI__, a new offering purpose-built for AI-native, agent-based applications.

__Auth for GenAI__ helps developers securely integrate authentication, API access, and fine-grained authorization into GenAI-powered apps using industry standards all wrapped in developer-friendly SDKs.

This initial release includes:
- __User Authentication__ via Universal Login (social, enterprise, passkeys, and more) with account linking
- __Token Vault__ enabling AI agents to call APIs (Google, GitHub, Slack, etc.) on user's behalf
- __Asynchronous Authorization__ to enable autonomous AI agents to asynchronously ask users for out-of-band authorization on sensitive actions via push notifications
- __Authorization for RAG__ with resource-level access control powered by Auth0 FGA
- SDK support for Next.js, Node.js, FastAPI, and popular AI frameworks like LangChain, Vercel AI SDK, and LlamaIndex
- Sample apps, quickstarts, and ready-to-use templates

Explore the Developer Preview at: [https://auth0.com/ai](https://auth0.com/ai)

Join the discussion at our community: [https://community.auth0.com/c/auth-gen-ai](https://community.auth0.com/c/auth-gen-ai)

We’re excited to introduce __Tenant Access Control List (ACL)__, a powerful new security feature that allows you to control who can access your tenant.

With the __Tenant ACL__, you can define custom rules to __allow, block, or redirect requests__ based on predefined signals, helping you secure and optimize your environment with precision.

__Benefits__

✔ __Reduce Attack Surface__ – Block malicious traffic before it reaches your tenant.

✔ __Enhance Security__ – Enforce custom access policies based on IPs, geolocation, user agents, and more.  

✔ __Optimize Performance__ – Redirect traffic efficiently to improve user experience.  

__Early Access Availability:__

__Current Early Access:__ Available to all __Enterprise customers with the__ __Attack Protection add-on__ with the ability to create up to __10 access control list__.

__Upcoming Limited Early Access:__ Rolling out to __all Enterprise customers__ in __Q2 2025__ with the ability to create up to one __access control list__.

Please view our online documentation [here](https://auth0.com/docs/secure/tenant-access-control-list) for additional details and to learn how to enable **Tenant Access Control Lists**.  


We’re excited to announce that the __Mobile Driver’s License Verification Service__ is now in __Limited Early Access__. 

Auth0’s Mobile Driver’s License (mDL) Verification Service enables customers to enrich user profiles with trusted information during signup and login flows as well as perform ad-hoc verification and validation checks. Additionally, utilizing a digital credential can streamline processes for businesses and financial institutions while allowing end-users more control over their information.

With this feature, customers can perform ad-hoc mDL verification requests or integrate them into their existing authorization flows with our Forms widget. This Early Access release only supports the [ISO/IEC TS 18013-7:2024](https://www.iso.org/standard/82772.html) standard and the REST API, also known as Web API, protocol.

To enable the Limited Early Access release in your Auth0 tenant, please review the available [documentation](https://auth0.com/docs/secure/mdl-verification) and if interested, please fill out [this](https://docs.google.com/forms/d/e/1FAIpQLScEZSizEo6prfnxg_8YvU3Pv0s6rwryEpjEZt_9X3vplQhXVQ/viewform) form to request access. We are limiting the number of customers for whom this will be enabled and will reach out to you with more details. If you have any feedback, give us a shout in our [community channel](https://community.auth0.com/)!

We’ve added Domain Verification to the Self-Service SSO workflow — making it easier and more secure for your customers to manage their SSO setup.

__Simpified & Secure__

Your customers can now verify domains directly within the Self-Service SSO wizard, reducing manual steps and ensuring only trusted domains are used for Home Realm Discovery (HRD). This strengthens security and eliminates the need for external verification workflows.

__Flexible Configuration Options__

As a tenant admin, you have control over how domain verification is enforced when creating Self-Service SSO tickets:

- Off – Domain verification is hidden from the wizard
- Optional – Customers can choose to skip verification and still enable connections
- Required – A domain must be verified before enabling the connection

This gives you the flexibility to balance user experience and security based on your customers' needs.

![SS-SSO - Domain Verification](//images.ctfassets.net/kbkgmx9upatd/7ohB4piUd4mBs5P84ZfmPj/d2f8c2731e70ce06c884346fd9293d49/SS-DoVe.gif)

Learn more about Self-Service SSO in the [product documentation](https://auth0.com/docs/authenticate/enterprise-connections/self-service-SSO).

By using Self-Service SSO Domain Verification, you agree to the applicable Free Trial terms in  Okta’s Master Subscription Agreement and [Okta’s Privacy Policy](https://www.okta.com/privacy-policy/) during use of the Early Access feature. The Free Trial terms can be found within the Master Subscription Agreement at [https://www.okta.com/agreements](https://www.okta.com/agreements).


Auth0 is excited to announce new enhancements to the Self-Service SSO experience:

__Self-Service SSO Ticket Creation in the Dashboard__

Tenant admins can now generate SSO tickets directly from the Manage Dashboard, removing the need for API access. This update simplifies the process for all teams and makes it easier to experiment, configure, and roll out federated SSO integrations.

__Enhanced SAML Configuration Options__

Tenant admins can now configure whether IdP-Initiated SSO is allowed at the time of ticket creation. Additionally, in the wizard, IT admins have the option to choose whether authentication requests should be signed, offering more flexibility and control to meet varying security and compliance needs.

![SS-SSO Ticket Creation](//images.ctfassets.net/kbkgmx9upatd/6rDbZaEUdVhIFOVOVQ2Nfo/a928026562badbe95eec425d11835bc4/Ticket_UI.gif)

These updates enhance accessibility, security, and ease of use. Learn more about Self-Service SSO in the [product documentation](https://auth0.com/docs/authenticate/enterprise-connections/self-service-SSO).

We are excited to announce that we are expanding our US public cloud offering with a brand new environment! prod-us-5 is a testament to our growth and provides a big capacity boost to onboard new Auth0 Public Cloud customers.

This new public cloud environment supports all the standard Auth0 Authentication and Management capabilities in a highly secure, resilient, and scalable deployment infrastructure. 

All US Public Cloud customers who are using [IP allow list](https://auth0.com/docs/secure/security-guidance/data-security/allowlist "IP Allowlist") to permit outbound traffic from Auth0 are advised to update their firewall rules with the [latest info](https://auth0.com/docs/secure/security-guidance/data-security/allowlist#united-states "Latest US IP Allowlist") at their earliest convenience.

We’ve updated our bot detection model to improve accuracy and keep up with evolving traffic patterns.

- __Improved detection__: The new model is more effective at identifying and stopping bot activity.

- __More computationally efficient__: Updated architecture enables more efficient decision-making.

- __Trained on fresh data__: Reflects the latest trends in traffic to better spot malicious behavior.

This enhanced security capability is now available to all Enterprise customers with the __Attack Protection__ add-on. The rollout is currently underway and will be completed in the coming weeks, aligned with individual customer release schedules.

For details on activation or to learn more, please refer to our [documentation](https://auth0.com/docs/secure/attack-protection/bot-detection) or reach out to your account team. We are here to support you in protecting your systems against evolving threats.

We are excited to announce the next Early Access release of Advanced Customizations for Universal Login! This release adds support for building custom versions of Universal Login’s Organizations screens, the MFA TOTP screens, and the matching Reset Password Challenge factors all using the new ACUL SDK.

Advanced Customizations for Universal Login enables you to build custom, client-rendered interfaces for Universal Login screens, allowing you to control every pixel of your Universal Login experience. This release allows you to building custom versions of the following screens:
* Accept Invitation
* Organization Selection
* Organization Picker
* MFA OTP Enrollment QR
* MFA OTP Enrollment Code
* MFA OTP Challenge
* Reset Password MFA OTP Challenge
* Reset Password MFA Email Challenge
* Reset Password MFA Push Challenge Push
* Reset Password MFA SMS Challenge

**DX Updates**

The latest versions of the ACUL SDK and our CDT tooling all include support for these new screens. 
* [Typescript SDK](https://github.com/auth0/universal-login/releases/tag/auth0-acul-js%400.1.0-beta.3) (includes a breaking change, see the [changelog](https://github.com/auth0/universal-login/blob/auth0-acul-js%400.1.0-beta.3/packages/auth0-acul-js/CHANGELOG.md#auth0-acul-js010-beta3-2024-03-28) for migration steps)
* [Auth0 CLI](https://github.com/auth0/auth0-cli/releases/tag/v1.10.1)
* [Deploy CLI](https://github.com/auth0/auth0-deploy-cli/releases/tag/v8.7.1)
* [Terraform Provider Auth0](https://github.com/auth0/terraform-provider-auth0/releases/tag/v1.15.0)

We are well on our way to adding support for everything that Universal Login currently supports out of the box. Checkout our [online documentation](https://auth0.com/docs/customize/login-pages/advanced-customizations) to learn more about ACUL and stay tuned to the Auth0 Changelog for updates and announcements!

The Auth0 Dashboard allows customers to reset the code for a Custom Provider when they click the Reset button. Previously, this experience was different across Custom Email and Phone Provider in both the behavior of the button and the text displayed throughout the reset process. This behavior has been fixed, and now the reset functionality is consistent across both features. 

Auth0 Customers have historically struggled to easily discover changes to the User Lifecycle (user create, updated or deleted), by relying on suboptimal solutions such as Actions or Logs.

Event Streams changes this: customers can now subscribe to [events](https://auth0.com/docs/deploy-monitor/events/event-types#user-event-types) that trigger each time there is a change in the User Lifecycle, regardless of the connection the customer was created, and route those events to either a [Webhook](https://auth0.com/docs/deploy-monitor/events/create-an-event-stream#webhooks) or [AWS EventBridge](https://auth0.com/docs/deploy-monitor/events/create-an-event-stream#aws-eventbridge).

Auth0 is now accepting Beta Testers to this new feature.  See the [Auth0 Docs](https://auth0.com/docs/deploy-monitor/events) for further instructions.

This feature gives developers better observability regarding Actions execution errors both at the Auth0 Dashboard and external Log Stream Platforms. 

Here's a summary of the key points:

- __Execution Error Handling:__ The feature captures the unhandled Actions execution errors and facilitates them as Tenant logs.
- __Event Log Type:__  There is a [new Event Log Type](https://auth0.com/docs/deploy-monitor/logs/log-event-type-codes "actions_execution_failed") regarding Actions execution errors that can be visualized at the Dashboard > Monitoring > Logs.
- __Log Streams:__ The new event log type is also sent through Log Streams.
- __Log Stream Filter:__ There is a [new Log Stream Filter](https://auth0.com/docs/customize/log-streams/event-filters#actions-event-filters "Action Execution - Failure") focused on Actions execution errors.

We’ve added a new language option-Japanese-to help our users in Japan and beyond build secure identity solutions more easily. If your language preference is set to Japanese in your browser settings, Auth0 will detect this and automatically serve the Dashboard and Documentation in Japanese. You can manually override this setting in the Auth0 Dashboard and Docs via the language switcher in the top-right corner.

Integrating Auth0 Guardian into your iOS projects is now easier than ever with Swift Package Manager (SPM) support! With this update, you can seamlessly add Guardian authentication directly in Xcode—no manual setup required.

 **Credential Guard** is now supported for Private Cloud on Azure customers! 

 This enhancement brings:  

- 🔍 **Proactive Threat Hunting** – A dedicated security team infiltrates criminal communities and gains access to breach data that isn’t otherwise available–enabling detection of compromised passwords within 12–36 hours instead of the traditional months
- ⏱ **Faster Detection** – Detects breaches 250% faster than standard automated solutions 
- 🌍 **Expanded Coverage** – Automates breached password detection coverage in over **200+ countries and territories**, ensuring that users worldwide receive consistent, localized protection.  

For additional details and to learn how to enable **Credential Guard**, please view our online documentation [here](https://auth0.com/docs/secure/attack-protection/breached-password-detection#detect-breaches-faster-with-credential-guard).  

We’re excited to announce that __Custom Phone Providers and the Unified Phone Experience__ are now Generally Available.

__Custom Phone Providers__: With this feature, customers can configure custom phone providers and customize phone messages not only when leveraging phone number as an identifier, but also when using MFA and Passwordless! Auth0’s CI/CD tooling (Auth0 CLI, Deploy CLI, and Terraform Provider) now fully supports Custom Phone Providers. To access these new capabilities, upgrade to the latest versions of Auth0 CLI, Deploy CLI, and Terraform Provider.

We encourage you to get started with Custom Phone Providers today by checking out our [documentation](https://auth0.com/docs/customize/phone-messages/configure-phone-messaging-providers/configure-a-custom-phone-provider) and if you have any feedback, give us a shout in our [community channel](https://community.auth0.com/)!

__Unified Phone Experience__: The Unified Phone Experience offers a consolidated experience where you can configure a tenant-level phone provider that will be used for Phone as ID, MFA, and Passwordless flows. Additionally, the management of phone templates will be centralized on a single page. This unification aims to reduce redundancy across Auth0 features and present a more streamlined user experience. The unified experience will be the default for any new tenants created after this release, and existing tenants will have the ability to revert to the legacy experience if desired.

We encourage you to try out the new Unified Phone Experience and provide feedback and questions to us through our [community channel](https://community.auth0.com/). Information on how to migrate to the new experience can be found [here](https://auth0.com/docs/customize/phone-messages/unified-phone).

We're improving both account security and user experience by extending **Breached Password Detection** to the **password reset flow**.  

#### 🔹 What’s New?  
Previously, users could unknowingly reset their passwords to compromised credentials, creating security risks and potentially requiring another reset. 

With this update, you can now prevent users from setting their password to a known breached credential during the reset flow -just like during sign-up and login.  

Additionally, with this rollout we have also **increased coverage** of Breached Password Detection on Sign-Up to cover the **Management API**!

#### 🚀 Benefits  

**Stronger security** – Protects against compromised credentials at every stage.

 **Better user experience** – Avoids unnecessary password resets by blocking breached passwords upfront.  

This update helps prevent your users from using known compromised credentials throughout their password lifecycle, giving your users stronger security on their accounts.   

For additional details and to learn how to enable **Breach Password Detection on Password Reset Flows**, please view our online documentation [here](https://auth0.com/docs/secure/attack-protection/breached-password-detection).  


This feature allows developers to ensure their custom database scripts are compatible with specific Node.js runtime versions. 

Here's a summary of the key points:

- __Bulk Testing Compatibility:__ The feature can test the compatibility of custom database scripts with different supported Node.js runtime versions.
- __Database Connections Limit:__ It is available if your tenant has 1 to 10 database connections with custom database scripts enabled.
- __Navigation Path:__ The feature can be accessed by going to Tenant Settings → Advanced → Extensibility → Verify Custom DB Scripts.

__Actions Based on Results:__ After testing, the results can be verified and corrective actions can be taken if any compatibility issues are identified.

Checkout our online documentation to learn more about [Extensibility Tenant Settings](https://auth0.com/docs/get-started/tenant-settings#extensibility "Extensibility Tenant Settings")!


We are excited to announce the next Early Access release of Advanced Customizations for Universal Login! This release adds support for building custom versions of Universal Login’s MFA enrollment screens and 3 of our most common MFA factors using the new ACUL SDK. 

Advanced Customizations for Universal Login enables you to build custom, client-rendered interfaces for Universal Login screens, allowing you to control every pixel of your Universal Login experience. This release allows you to building custom versions of the following screens:

* MFA Detect Browser Capabilities
* MFA Begin Enroll Options
* MFA Enroll Result
* MFA Login-options
* MFA Email List
* MFA Email Challenge
* MFA Country Codes
* MFA SMS Enrollment
* MFA SMS List
* MFA SMS Challenge
* MFA Push Welcome
* MFA Push Enrollment QR
* MFA Push List
* MFA Push Challenge Push

We are well on our way to adding support for everything that Universal Login currently supports out of the box. Checkout our [online documentation](https://auth0.com/docs/customize/login-pages/advanced-customizations) to learn more about ACUL and stay tuned to the Auth0 Changelog for updates and announcements!

We have deprecated the Node.js 12 and 16 extensibility runtimes in all environments and recommend using the Node.js 22 runtime for your extensibility integrations (such as Actions, Rules, Hooks, Custom Database Connections, and Custom Social Connections).

We have provided additional information and timelines for removing the deprecated runtimes through a dashboard and support center notification.

We have deprecated the invalidation of user sessions when performing database connection user update (PATCH - `/api/v2/users/{id}`) requests where:
* The `email` or `email_verified` attributes are set to an unchanged value;
* The `email_verified` attribute is set to a `true` value.

These changes allow for consistent behavior between setting an email as verified through the Management API and the built-in email verification flows provided by the service. In addition, it improves the overall end-user experience by avoiding session invalidation in situations that do not require it, such as setting either the `email` or `email_verified` attributes to unchanged values.

The dashboard will be updated with a migration toggle to opt out of the deprecated behavior ahead of its future end-of-life; we have provided additional information and timelines for enforcing this change through a [dashboard and support center notification](https://manage.auth0.com/#/notifications/67ab8c121f5c740896fcfd19).


We are excited to introduce the Usage Metrics Dashboard in Okta Fine-Grained Authorization (FGA), providing customers with deeper visibility into their authorization usage. This new dashboard, available under the “Manage Account” section of the Okta FGA dashboard, helps teams monitor, analyze and manage their FGA consumption efficiently.

What’s New? 
## 
- __Monitor Key Metrics__: Track Monthly Active Users (MAUs), Total Tuple Count, and Monthly Average Requests Per Second (RPS).
Time Frame Selection: View trends over the Last Month or Last 3 Months, with the current month’s data always included for the latest insights.

- __Granular Data Views__: Click on “View Table” option to see a detailed breakdown of usage by store and time period.
- __Hourly Updates__: Data is refreshed hourly to help you make informed decisions.

Learn More:
## 
Check out the [documentation](https://docs.fga.dev/intro/dashboard#usage-metrics-dashboard) for details on how to use the dashboard effectively.

End User TOTP enrollment for Native devices is now more intelligent! For end users enrolling into a TOTP factor on a mobile device, Auth0 skips the QR code and prompts for manual code entry with the QR code as a fall back option. Check out [Auth0 Temporary OTP](https://auth0.com/docs/secure/multi-factor-authentication/auth0-guardian#temporary-one-time-passwords) for more detail! 

__Email OTP Verification__ is now __Generally Available (GA)__, minor improvements will continue to roll out over the next __1-4 weeks__ to enhance performance and usability.

With __Email OTP Verification__, users are required to enter a One-Time Password (OTP) sent to their email during the signup or password reset process. This ensures email verification happens __before__ account creation or password reset is completed, offering enhanced security and reducing the chances of mistyped or fake email accounts.

__Key Highlights:__

- __Synchronous Email Verification:__ Prevents account creation or password reset until users verify their email via OTP.
- __Improved Security:__ Helps prevent fake accounts, ensures accurate email addresses, and discourages phishing through email links.
- __Applicability:__ Available for both email verification during signup and password reset challenges.

__Prerequisites:__

- Must be using __Universal Login__.
- Connection must have __Flexible Identifiers__ enabled.
- Email OTP is only compatible when using the __Identifier First Authentication Profile__.

To enable this feature, navigate to the __Attributes__ tab on any connection and change the __Verification Method__ under the __Email__ attribute settings from __Verification Link__ to __OTP__.

At Auth0, we understand that no two customer identity stories are the same.  Every company has a brand identity, a secret sauce, and a unique aesthetic vision. Today, we are very excited to introduce the next evolution in customization for Universal Login, **Advanced Customizations for Universal Login** (ACUL). ACUL enables your team to build custom, client-rendered versions of each Universal Login screen, allowing you to control every pixel of the Universal Login experience. 

![ACUL EA Changelog Banner](//images.ctfassets.net/kbkgmx9upatd/4V3J8NkWmXn3N2QEVAziPS/b5f9c49522471014ed26205bbf411c8b/ACUL-Changelog.jpg)

This Early Access release of ACUL is available to all paid customers. Public cloud customers can start using it today! Those on private cloud will be enabled as part of their regular release cycle. This initial EA release provides a new configuration API, CDT and SDK support, and allows you to build custom versions of the following screens:
* Login
* Login Id
* Login Password
* Login Passwordless Email Code
* Login Passwordless SMS OTP
* Signup
* Signup Id
* Signup Password
* Passkey Enrollment
* Passkey Enrollment Local
* Phone Identifier Enrollment *(used for identity verification during Signup)*
* Phone Identifier Challenge *(used for identity verification during Signup)*
* Email Identifier Challenge *(used for identity verification during Signup)*
* Interstitial Captcha
* Reset Password
* Reset Password Email
* Reset Password Request
* Reset Password Error
* Reset Password Success

The following flows and capabilities are supported in ACUL EA:

* Single step Signup & Login with password and social & enterprise connections
* [ID First Signup/Login](https://auth0.com/docs/authenticate/login/auth0-universal-login/identifier-first) using password, passwordless email/SMS OTP, passkeys, and social & enterprise connections
* Basic Reset Password flow with and without Bot Detection
* [Flexible Identifiers](https://auth0.com/docs/authenticate/database-connections/activate-and-configure-attributes-for-flexible-identifiers) with and without identity verification enabled during Signup
* [Bot detection](https://auth0.com/docs/secure/attack-protection/bot-detection) with any of our 7 supported Captcha providers during the Signup, Login, and Reset Password flows
* Capturing additional data during Signup and Login using [custom prompts](https://auth0.com/docs/customize/login-pages/universal-login/customize-signup-and-login-prompts)

This is just the beginning! In the coming months, we will be adding support for every screen and capability that Universal Login currently supports out of the box, a shiny new Dashboard UI for configuring ACUL, and lots more DX goodness!

Checkout our [online documentation](https://auth0.com/docs/customize/login-pages/advanced-customizations) to learn more about ACUL and stay tuned to the [Auth0 Changelog](https://auth0.com/changelog) for updates and announcements!

We are thrilled to announce the Early Access release of Custom Token Exchange. __Enterprise customers__ can now request access to use this feature.

Token Exchange is an OAuth grant-type that enables the exchange of security tokens for other security tokens, typically access_tokens. Custom Token Exchange provides a flexible __solution using Actions that allows customers to provide their custom logic to control the exchange__ - i.e. effectively providing the means to implement custom authentication semantics using Actions.

![Custom_Token_Exchange_EA_Action](https://cdn.auth0.com/blog/Custom_Token_Exchange_EA_Changelog.png)

This __added flexibility__ can be used by customers to tackle __advanced integration use cases__, such as:
- Seamlessly migrating users to Auth0
- Integrating external IDPs
- Exchanging Auth0 tokens for a different audience
- ... and other use cases where regular federation and/or OIDC flows are not an option

To learn more, read our [documentation](https://auth0.com/docs/custom-token-exchange-early-access).

Reach out to you Auth0 contact to request access!

Auth0 is delighted to introduce __Hyderabad__ as the latest AWS region for Private Cloud deployments.

Hyderabad follows Mumbai as the __second AWS region for Auth0 Private Cloud available in India!__ This new addition unlocks reduced latency and increased flexibility for Auth0 deployments on AWS. We stand committed to meeting our customers’ data residency and resiliency needs in an ever expanding global market.

We are excited to introduce the Per-Module Authorization feature. This enables large organizations to securely share authorization models by specifying which application credentials can update data for specific modules.

Teams that are responsible for their own separate services can now limit access to modification of authorization data on a per-module basis. Last year, we released [Modular Models](https://docs.fga.dev/modeling/modular-models), where a single model could be separated into modules across multiple files, allowing teams to use features in their source code management platforms (such as GitHub’s [CODEOWNERS](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners) feature) to enforce access on who can modify parts of a model.

Per-Module Authorization builds on top of that work to further define permissions for applications. Workflows can be implemented where different teams maintain their portion of an FGA model independently and also ensure that the services and applications owned by the respective teams can only modify their own authorization data.

For more details, refer to Okta FGA’s [documentation](https://docs.fga.dev/intro/dashboard#grant-authorized-clients-access-to-write-specific-modules) on how to grant client credentials access to only specific modules.


We’re thrilled to announce that Auth0 now supports Universal Logout integration with Okta Workforce Identity Cloud!

Okta Universal Logout is based on the [Global Token Revocation](https://www.ietf.org/archive/id/draft-parecki-oauth-global-token-revocation-04.html) specification and allows security incident management tools [Okta Identity Threat Protection](https://www.okta.com/products/identity-threat-protection/) to send back-channel requests to revoke users' sessions and refresh tokens when they identify a change in risk.

With this feature, Auth0 customers federating with Okta Workforce Identity using the [Okta](https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/okta), [SAML](https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/saml), or [OpenID Connect](https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/oidc) connection types no longer need to build a global token revocation endpoint. Instead, with minimal configuration required, they can provide the Okta admin with Auth0’s connection-specific endpoint URL.

This integration provides security benefits for apps that depend on refresh tokens and Auth0 sessions, as both are revoked when Auth0 receives a Universal Logout request for a user. This integration can also trigger Auth0's OIDC back-channel logout feature to terminate custom application sessions.

To learn more about Universal Logout support in Auth0, click [here](https://auth0.com/docs/authenticate/login/logout/universal-logout).

This feature will be rolled out to all public cloud environments over the next few days and to private cloud environments as per their release pipeline.


Customers now have Enhanced Rate Limit Reporting via Logs, including:
- Increased Rate Limit Log (api_limit) Publishing Frequency:  receive 1X per minute notifications indicating when you have exhausted a rate limit.
- New Rate Limit Warning Log (api_limit_warning):  receive 1X per minutes notifiactions indicating when you have exhuasted 80% of your rate limit request token allocation.
- Enhanced Logs Schema:  additional attributes of HTTP path and method and bucket size will be included to allow for easier mapping between Logs and API Rate Limit Configuration Docs.  https://auth0.com/docs/troubleshoot/customer-support/operational-policies/rate-limit-policy/rate-limit-configurations

We are excited to announce the next major version of Next.js SDK. With the introduction of [nextjs-auth0 v4](https://github.com/auth0/nextjs-auth0), we now support Next.js 15 and React 19, allowing developers to leverage the latest features and improvements in both frameworks. 
This compatibility not only enhances the development experience but also ensures that applications can take full advantage of performance optimizations. This updated SDK features a simplified architecture and is edge-compatible by default, enhancing performance and flexibility for developers. 

What’s new: 
- __Middleware-Based Authentication:__ Improved compatibility and reduced maintenance by moving to middleware-based handlers.
- __Enhanced Security:__ Switched to encrypted cookies and removed outdated cookie logic.
- __Resolved State Mismatch Issues:__ Fixed long-standing issues reported by the community.
- __Improved Session Management:__ Implemented rolling sessions and eliminated cookie chunking.
- __Improved Hooks and Helpers:__ Introduced useUser(), getAccessToken(), and getSession() for easier data fetching and session handling.
- __Stateful Sessions with Custom Databases:__ Support for "Bring Your Own Database" (BYODB).
- Compatibility with __Next.js 15__, __Turbopack__, and __React 19__
- __Simplified architecture__, API, and configuration options

Learn More:
- [Quickstart](https://auth0.com/docs/quickstart/webapp/nextjs/interactive)
- [Migration Guide](https://github.com/auth0/nextjs-auth0/blob/v4/V4_MIGRATION_GUIDE.md)

__What’s Changing:__
We are improving the Dashboard configuration experience for email providers. The default From address field will be required when creating or updating email provider configuration through the Dashboard. Customers do not need to take immediate action, and the Management API will maintain the field as optional for backward compatibility.

__Key Dashboard Updates:__

1. __Configuring New Email Providers__: Customers must supply a default From address when configuring a new email provider.
2. __Changing Existing Email Providers__: Customers must supply a default From address when updating an existing email provider. Existing configured email providers that do not have a From address configured will continue to work as before.

__Why This Matters__: An email provider configured without a default From address may lead to a poor user experience because email template customizations are not supported when a customer-defined From address is unavailable. By requiring a default From address at the email provider level, email template customizations will be respected even if the email template does not have a template-specific From address.

__Rollout Timing__: We plan to roll out this change in the coming days. After the rollout, customers can expect to see the enforcement of this required field on the Dashboard.

We’re excited to announce that __Custom Email Providers__ is now __Generally Available__.

With this feature, customers can configure custom email providers and customize emails so they can have full control of the email delivery process. This feature utilizes the Actions framework and leverages the Actions Code Editor so you can more completely manage, monitor, and troubleshoot your email communications. Auth0’s CI/CD tooling (Auth0 CLI, Deploy CLI, and Terraform Provider) now fully supports Custom Email Providers. To access these new capabilities, upgrade to the latest versions of Auth0 CLI, Deploy CLI, and Terraform Provider.

We encourage you to get started with Custom Email Providers today by checking out our [documentation](https://auth0.com/docs/customize/email/configure-a-custom-email-provider) and if you have any feedback, give us a shout in our [community channel](https://community.auth0.com/)!

This Beta feature logs in real-time output form your custom Actions code. This includes all console.log output and exceptions.

For example, a custom Action code such as below:

    console.log("Hello world!");

Will show up within Dashboard > Monitoring > Actions Logs as

![Actions Real Time logs](//images.ctfassets.net/kbkgmx9upatd/6v7b2XDiOVFXJa1haVksyR/96d19473a46441c432e6997d5594a06f/Screenshot_2025-01-20_at_5.19.02_PM.png)

You can also use examples such as below to catch and log errors for making it easy to debug and troubleshoot your Actions.

    try {
      nonExistentFunction();
    } catch (error) {
      console.error(error);
      // Expected output: ReferenceError: nonExistentFunction is not defined
      // (Note: the exact output may be browser-dependent)
    }

These logs are not stored and are only available within the dashboard when you are logged in and are on the Dashboard > Monitoring > Actions Logs tab within the browser. These logs are designed to help you troubleshoot as you write or modify your custom Actions code.

Node.js 22 is now generally available (GA) as a runtime for your extensibility integrations (such as Actions, Rules, Hooks, Custom Database Connections etc).

New Actions created will now default to Node 22 as the runtime. As part of this release, we have also split runtime selection for Legacy Extensibility (for Rules & Hooks) separate from the general Extensibility (for Custom Database Scripts & Custom Social Connections). These setting are available within [Tenant > Settings > Advanced](https://manage.auth0.com/#/tenant/advanced) and allows you to individually manage desired runtime configuration as required.

![Extensibility Runtime](//images.ctfassets.net/kbkgmx9upatd/64aCyAYo4gSPYJmQ9pM3o0/c6952971e36570f1552b91283bb976c0/Screenshot_2025-01-10_at_12.32.07_PM.png)

Please [refer to our docs](https://auth0.com/docs/troubleshoot/product-lifecycle/deprecations-and-migrations/migrate-nodejs-22) for more details on how to migrate to Node 22.


We are delighted to announce that support for the Client-Initiated Backchannel Authentication (CIBA) flow is now available in Early Access. 

The CIBA flow works as a *decoupled authentication flow* across two different devices: 
- Consumption device: initiates the authentication request.
- Authentication device: handles end-user authentication, implemented as a custom mobile app which embeds the Guardian mobile SDK.

The CIBA flow supports a number of powerful use cases driven by backend client applications, such as: 

- Customer authentication by headless devices or devices with limited interaction capabilities. 
- Customer authentication in call centre scenarios.
- Authorising sensitive operations on behalf of yourself or a third-party e.g. a customer service agent.  

To evaluate CIBA for securing your sensitive customer interactions, contact your Technical Account Manager. For more details, check out our [product documentation](https://auth0.com/docs/get-started/authentication-and-authorization-flow/client-initiated-backchannel-authentication-flow).

We’ve added the **Organization ID** to the [Auth0 Tenant Logs](https://auth0.com/docs/deploy-monitor/logs/log-event-type-codes) for the **Successfully revoked a refresh token (srrt)** event. This enhancement allows you to correlate the organization associated with the revoked refresh token for improved tracking and auditing.


We have increased the max secret value length from 2048 to 4096 to allow for larger secrets to be stored within Actions.

![Actions Secrets](//images.ctfassets.net/kbkgmx9upatd/52TGNtKI3IvOndGaRrRZeE/8798f00f8f923d287cfcadd854e6f632/Screenshot_2024-12-20_at_12.09.07_PM.png)

You can [refer to our docs](https://auth0.com/docs/customize/actions/limitations) for further details on Actions limitations.

We're excited to introduce the new 10,000 RPS (100x) tier for Auth0 Private Cloud Performance offering on AWS. This enhanced tier supports a higher volume of authentication requests, complementing the existing 30x and 60x tiers for customers who need high performance thresholds.

Please see [Private Cloud documentation](https://auth0.com/docs/deploy-monitor/deploy-private-cloud/private-cloud-on-aws) to learn more.

Auth0 is pleased to announce the Early Access (EA) of enhanced support for customer data recovery. This resilience feature is available to a set of Private cloud customers during EA. It would come handy in the event of customer data loss or data corruption, and would assist customers in meeting regulatory requirements such as European Union’s Digital Operational Resilience Act (DORA).

Customer will be able to request restoration of their production Private Cloud space from a backup within the past 14 days. Please refer to [Operational policies](https://auth0.com/docs/troubleshoot/customer-support/operational-policies) documentation for details.

Introducing a new capability within the Security Center Dashboard offering - __Security Center Alerts for Thresholds__ Early Access. This new feature expands on the Security Center metrics and Thresholds to allow Enterprise customers to not only monitor their tenant security but also receive notifications when a threat metric exceeds their predefined thresholds. 
Customers can now configure __webhook alert notifications__ on security threat metrics and monitor when threats exceed the acceptable value.  

To learn more Alerts for Thresholds, click [here](https://auth0.com/docs/secure/security-center/security-alerts)

The new Bot Detection ML model designed to detect signup attacks is now available for Classic Login and Custom Login implementations. 

For customers using Classic or Custom login experiences, this enhancement leverages advanced machine learning to identify and block automated signup attacks effectively.

For those using New Universal Login, no configuration changes are required. This feature was rolled out for New Universal Login in September, as highlighted in the changelog [here](https://auth0.com/changelog#7o1YXe52Gl7jEYENzFikEn).

Below is the demo showcasing how to enable this feature in Auth0 for Classic and Custom Login experiences.

![](https://cdn.auth0.com/blog/bot_detection_signup_classic.gif)

This enhanced security capability is now available to all Enterprise customers with the Attack Protection add-on. The rollout is underway and will be completed in the coming weeks, aligned with individual customer release schedules.

For details on activation or to learn more, visit our [documentation](https://auth0.com/docs/secure/attack-protection/bot-detection) or reach out to your account team. We’re here to support you in protecting your systems against evolving threats.

We’re excited to announce that all __Customizable Email Templates__ have been styled with a modern look and feel and are now __live__!

No verbiage or content has been changed on any of the emails and customers that have customized the email templates are unaffected.
![email-changelog (1)](//images.ctfassets.net/kbkgmx9upatd/yf5zzwtlmroz8fJnwLjJ8/86ee375e78af87f9f8396c3a761ce23e/email-changelog__1_.png)

Announcing General Availability of Auth0 Dashboard Login Session Management. A feature that allows Auth0 Dashboard admins to view and revoke active dashboard sessions for an added layer of security to the session idle timeout for both our Public and Private Cloud customers.
![Login Sessions GA](//images.ctfassets.net/kbkgmx9upatd/4tUA2Mrw5apASWkV0tie9X/decdfc0e939b6bb95b7a4a7d84824379/Login_Sessions.png)

Click [here](https://auth0.com/docs/get-started/dashboard-profile/auth0-dashboard-login-session-management) to learn more about Auth0 Dashboard Login Session Management.

Single Sign On (SSO) allows one set of credentials to access multiple resources through a centralized identity provider (IdP). Auth0 Teams security policies allows team owners to configure and implement authentication rules that adhere to their organization's IT security policies for access to infrastructure systems or applications.

Announcing in beta the ability for team owners to self-configure and connect their IdP to provide SSO for dashboard administrators.
![Teams SSO Add connection](//images.ctfassets.net/kbkgmx9upatd/3PuPyW9iDKrkP3SLUwLtoD/abba1c539a82e21f6c816181a7f5b7b5/Teams_SSO_Connection.png)

Auth0 Teams Self-Service SSO beta is currently limited to Public Cloud Enterprise customers.

Interested in the BETA? Reach out to your Technical Account Manager to enrol in our beta program.

We’re excited to announce that we’ve __increased the number of metadata slots for Organizations from 10 to 25__! This enhancement provides you with more flexibility to store and manage additional data within your organization, enabling a more customized and efficient approach to your workflows.

To learn more about Organizations, click [here](https://auth0.com/docs/manage-users/organizations).

We are delighted to announce that Customer Managed Keys is now generally available. This solution within the Highly Regulated Identity solution suite enables organizations to comply with cryptographic key-related security policies for data protection. Customer Managed Keys provides customers with two options for key management: Control Your Own Key and Bring Your Own Key. 

With Control Your Own Key, you can manage the lifecycle of the Tenant Master Key according to your security policy. Bring Your Own Key allows you to maintain ownership of the Root Key that protects the encryption key hierarchy. These features enable compliance with cryptographic key-related security policies for data protection.

![](https://cdn.auth0.com/blog/cmk_byok.gif)

You can read more about this in our [product documentation](https://auth0.com/docs/secure/highly-regulated-identity/customer-managed-keys).

We added a new API command available in the Password Reset / PostChallenge trigger.  This API allows Tenant Developers to specify the url to redirect a user to upon the completion of a password reset on Universal Login.  

Here is an example of using the command to redirect the user to a sample url after a successful password reset: 

      exports.onExecutePostChallenge = async (event, api) => {
        api.transaction.setResultUrl('https://yourapp.yourdomain.com/profile');
      };

You can learn more in our [reference documentation.](https://auth0.com/docs/customize/actions/explore-triggers/password-reset-triggers/post-challenge-trigger/post-challenge-api-object)

We’ve introduced a new Batch Check endpoint to the Okta FGA API, allowing clients to batch multiple authorization checks into a single request. This enhancement reduces the network latency associated with previously needing to performing multiple Check API requests in parallel, resulting in faster and more efficient requests for applications with high authorization demands.

For more details, refer to the [Okta FGA Batch Check documentation](https://docs.fga.dev/integration/perform-check#03-calling-batch-check-api).

We’re thrilled to announce that our fourth-generation Bot Detection has been upgraded to incorporate additional aggregated tenant-level insights. This upgrade strengthens bot detection across both public and private cloud environments, providing a more precise and robust defense against malicious activity while ensuring a seamless and secure experience for all users. 

This enhanced security capability is now available to all Enterprise customers with the Attack Protection add-on. The rollout is currently underway and will be completed in the coming weeks, aligned with individual customer release schedules. 

For details on activation or to learn more, please refer to our [documentation](https://auth0.com/docs/secure/attack-protection/bot-detection) or reach out to your account team. We are here to support you in protecting your systems against evolving threats.

Auth0 is excited to announce that __Self-Service SSO__ is now in __General Availability__.

Our Self-Service SSO feature is designed to simplify and streamline the administrative tasks that are essential for every B2B SaaS product. By equipping your business customers to configure their own Single Sign-On setups, we provide them with a seamless, intuitive experience—eliminating the need for complex IT involvement. This flexibility not only enhances security but also improves the overall user experience, giving businesses more control and agility while reducing overhead.

![Self-Service SSO](//images.ctfassets.net/kbkgmx9upatd/1EJbNDGVayUGTvQ6ZAzmn3/5d703e2229d46a7ae70e5ce440961ee3/Self-Service_SSO_GA.gif)

This feature is available for B2B Professional, Enterprise and Enterprise Premium customers.

[Click](https://auth0.com/docs/authenticate/enterprise-connections/self-service-SSO) here to learn more. 

Hello everyone,

We're thrilled to announce the beta release of nextjs-auth0 SDK v4! This new version brings significant improvements, new features, and fixes to enhance your development experience.

### Important Notice About v3
As we move forward, **we will not be updating v3 of the SDK to support Next.js 15**. This allows us to focus on v4, which offers a wealth of new features and improvements. This will also enable us to support future releases of Next.js faster and with more confidence. We understand this may pose challenges, and we're here to help.

v3 will continue to receive critical security updates for 6 months after the GA of v4.

### Highlights of v4 Beta
- Middleware-Based Authentication: Improved compatibility and reduced maintenance by moving to middleware-based handlers.
- Enhanced Security: Switched to encrypted cookies and removed outdated cookie logic.
- Resolved State Mismatch Issues: Fixed long-standing issues reported by the community.
- Improved Session Management: Implemented rolling sessions and eliminated cookie chunking.
- Improved Hooks and Helpers: Introduced useUser(), getAccessToken(), and getSession() for easier data fetching and session handling.
- Stateful Sessions with Custom Databases: Support for "Bring Your Own Database" (BYODB).
- Compatibility with Next.js 15, Turbopack, and React 19
- Simplified architecture, API, and configuration options

### Try It Out and Provide Feedback
We invite you to explore the beta release and share your feedback to help us improve before the general availability release. We are currently targeting a general availability release by the end of December.

**Beta Release:**[ v4.0.0-beta.3](https://github.com/auth0/nextjs-auth0/releases/tag/v4.0.0-beta.3)

### Need Help with Migration?
If you encounter challenges migrating to v4, please don't hesitate to[ open an issue](https://github.com/auth0/nextjs-auth0/issues) and our team will assist you. We're committed to making the transition as smooth as possible.

Thank You for Your Support 

We appreciate your understanding as we focus on making v4 the best it can be. Your feedback is invaluable, and we're here to support you every step of the way.

Happy coding! 🚀

— The Auth0 DX SDK Team

We have transitioned the Rules and Hooks features to a read-only mode in all public cloud environments as part of their [announced deprecation](https://auth0.com/docs/troubleshoot/product-lifecycle/deprecations-and-migrations#rules-and-hooks-deprecations) plan.

You can still disable, delete or re-enable an existing Rule or Hook. You can also add or remove Rules settings (for updating stored secrets) or Hook secrets but you will no longer be able to modify their script.

If this impacts you, our recommendation is to migrate to Actions. Refer to the following docs for more details:
- [Migrate Rules to Actions](https://auth0.com/docs/customize/actions/migrate/migrate-from-rules-to-actions)
- [Migrate Hooks to Actions](https://auth0.com/docs/customize/actions/migrate/migrate-from-hooks-to-actions) 


Auth0 is excited to announce the following updates to Self-Service SSO:

1. __Custom Introduction Text:__ You can now customize the welcome message on the wizard's landing screen, aligning the experience with your brand’s tone and engaging users right from the start.
2. __PingFederate Support:__ We've expanded our list of supported Identity Providers (IdPs) to include PingFederate, giving you more flexibility in your authentication options.
3. __Revoking SSO Access Tickets:__ Our [new API endpoint](https://auth0.com/docs/api/management/v2/self-service-profiles/post-revoke) lets you revoke SSO access tickets at any time.
4. __Updated Ticket Expiration:__ Access tickets are now consumed only when a connection is created, enabled or edited — like when updating SAML or OIDC details — avoiding issues with scanners opening them prematurely.
5. __Customized Login Experience:__ When creating a [ticket](https://auth0.com/docs/api/management/v2/self-service-profiles/post-sso-ticket), you can now define the login experience — adding optional parameters for Home Realm Discovery, Organization Auto-Membership, and more to tailor every step of the way.

To learn more, see the [Self-Service SSO documentation](https://auth0.com/docs/authenticate/enterprise-connections/self-service-SSO).

We are excited to announce that our fourth-generation Bot Detection has been upgraded with user-agent signals, and is now integrated into our proprietary machine learning model. This enhancement improves our capability to detect and thwart bot activity, further strengthening protection against malicious traffic without adding any additional friction for legitimate users.

This security feature is available to all Enterprise customers with the Attack Protection add-on. We are currently rolling out this enhancement and expect to complete the process within the next few weeks, aligned with your individual release schedules.

For activation details or further information, please check our [documentation](https://auth0.com/docs/secure/attack-protection/bot-detection) or reach out to your account team. We’re here to support you in safeguarding your systems against evolving threats.

Thank you for trusting us with your security needs.

Actions now supports the following APIs within the `post-login` trigger.

- `api.samlResponse.setRelayState(relayState)`
- `api.samlResponse.setIssuer(issuer)`

You can see all available API methods supported within the `post-login` trigger along with details on these methods [from this link](https://auth0.com/docs/customize/actions/explore-triggers/signup-and-login-triggers/login-trigger/post-login-api-object).


The possibility to __scope machine-to-machine access to a specific organization is now Generally Available__. This feature allows you to define the organizations that a given application can access for each API via the [Client Credentials Flow](https://auth0.com/docs/get-started/authentication-and-authorization-flow/client-credentials-flow). 

![M2M_for_Orgs_Image](https://cdn.auth0.com/blog/M2M_for_Orgs_changelog.png)

You can easily __define and enforce access to one, many, or all the organizations in your tenant and securely expand the reach of your SaaS APIs__ to more use cases and scenarios, making sure sensitive data and operations are only accessible to authorized parties. After configuring the access rights for your API, you simply have to inspect the `org_id` in access tokens of incoming requests, independently of whether they come from third-party applications or your own applications.

This feature is available for B2B Professional, Enterprise and Enterprise Premium customers.

To learn more, read the [reference documentation](https://auth0.com/docs/manage-users/organizations/organizations-for-m2m-applications).

Auth0 is delighted to launch __Private Performance Burst AWS - 30x (3000 RPS*) and 60x (6000 RPS)__ offerings for Private Cloud deployments on AWS.

These cost-effective Private Performance options scale the Authentication traffic up to 3000 RPS and 6000 RPS respectively for 80 hours a month, and allow usage up to 1500 RPS and 3000 RPS respectively for the remaining duration. 

The elevated transaction capacity comes handy for planned and unplanned traffic spikes, e.g. during product launches, large media events, seasonal activities, and unpredictable usage peaks. 

The Private Performance Burst offering is just another milestone in our commitment to providing the functionality and flexibility our beloved customers need. 

Please refer to [Private Performance Burst documentation page](https://auth0.com/docs/troubleshoot/customer-support/operational-policies/rate-limit-policy#private-performance-burst) for more information.

*RPS: Requests Per Second


The [Okta FGA](https://fga.dev) authorization modeling language allows defining conditions that can be used to express certain ABAC authorization policies. Previously, if you wanted to take advantage of that feature you needed to use the [Okta FGA API](https://docs.fga.dev/api/service) or the [FGA CLI](https://docs.fga.dev/getting-started/cli).

Now, with the [Okta Fine Grained Authorization Dashboard](https://dashboard.fga.dev "Okta FGA Dashboard"), you can create conditional relationship tuples and specify context parameters in assertions, making it easier to fully define ABAC-like conditions directly within the dashboard.

For more details, refer to the  [Okta FGA dashboard documentation](https://docs.fga.dev/intro/dashboard#conditions).


The Google Workspace Enterprise connection now supports an **Extended Group Attribute Format** option. When selected, group memberships are written to the Auth0 user profile as an array of JSON objects containing the group unique ID, group name, and group email address for each group retrieved from Google. 

For more information, see [Connect Your App to Google Workspace](https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/google-apps).

This feature is immediately available in the public cloud and will be rolled out to private cloud environments in the next few weeks as per the release pipeline.

Auth0 is excited to introduce the following updates to Self-Service SSO:

1. Tenant admins now have the ability to choose which IdPs to display when their customers are setting up an SSO profile through the set up wizard, making the entire process more efficient and customizable.  
2. We've added support for Keycloak expanding the available IdPs.
3. When no user attributes exist in the SSO profile, we skip the Claims Mapping instructions in the SSO wizard. 
4. When testing the connection, the JSON has been formatted to show on multiple lines. 

To learn more, see the [Self-Service SSO documentation](https://auth0.com/docs/authenticate/enterprise-connections/self-service-SSO).


In our continuing effort to improve our security posture, Auth0 will no longer retain closed support tickets older than 24 months. Closed support tickets older than 24 months will be deleted on October 16. To view your support tickets, you can navigate to [https://support.auth0.com/tickets](https://support.auth0.com/tickets) . For questions or issues on this change, please reach out to [Support](https://support.auth0.com/).

We’re excited to announce that __Custom Phone Providers__ in is now in __Early Access__.

With this feature, customers can configure custom phone providers and customize phone messages associated with using phone number as an identifier. Using a custom phone provider for MFA and passwordless phone messages is planned for a later release. 

This early access release enables you to:
- Configure your preferred phone provider for phone messages
- Leverage various contexts for using different providers, including organization, client, user, and more

We encourage you to get started with Custom Phone Providers today by checking out our [documentation](https://auth0.com/docs/customize/phone-messages/configure-phone-messaging-providers/configure-a-custom-phone-provider) and if you have any feedback, give us a shout in our [community channel](https://community.auth0.com/)!


Auth0 is delighted to introduce the __United Arab Emirates (UAE)__ as the latest __AWS region for Private Cloud__ deployments. 

We are committed to enhancing our presence in the Middle East. The UAE joins Bahrain as the second AWS region for Auth0 Private Cloud in this part of the world. This expansion opens up new possibilities in the UAE, where Private Cloud deployment is already supported on Azure.


Okta CIC is excited to announce that Universal Login now satisfies out of the box or provide configurability to satisfy the guidelines for the [EN 301 549](https://www.etsi.org/human-factors-accessibility/en-301-549-v3-the-harmonized-european-standard-for-ict-accessibility) standard. We have updated our VPAT to include this information and it is available on [Okta.com](https://www.okta.com/accessibility/). By ensuring that Universal Login is accessible to all users, we enable our customers to confidently secure their applications with accessible authentication. 

See our [online documentation](https://auth0.com/docs/authenticate/login/auth0-universal-login#accessibility) for more details. 

**What’s Changing:**

We are improving the user experience when adding or updating identifiers (email, phone number, or username) in profiles.

**Key Updates:**

1. **New Identifier**: When a new identifier type (email, phone, or username) is added to a user profile where one **does not already exist**, the user’s session **will not be terminated**. This allows for a smoother **progressive profiling** experience, where users can add new identifiers without disruption.  
2. **Changing Existing Identifier**: When an existing identifier is modified, the user’s session **will terminate**, and the user will have to re-authenticate. This ensures security best practices are followed when updating key account information.

**Why This Matters:** Previously, any update to an identifier (whether adding or changing it) would terminate the user’s session. This could lead to a poor experience, especially during progressive profiling, where users are expected to update or add information without being logged out. With this update, customers can offer a seamless experience for users adding new identifiers while maintaining strict security for changes to existing identifiers.

**Rollout Timing:** This change will be rolled out progressively over the next 1-4 weeks. Customers can expect to see the updated session handling behavior in their environments during this period.

**Action Required:** No immediate action is required from customers, but it is recommended to review any user flows that involve the addition or modification of identifiers to ensure they align with this change.

We have introduced __Email OTP Verification__ as a new method for email verification, available in Early Access. Expect to see the feature in your environments within the next 1-4 weeks.

With __Email OTP Verification__, users are required to enter a One-Time Password (OTP) sent to their email during the signup or password reset process. This ensures email verification happens __before__ account creation or password reset is completed, offering enhanced security and reducing the chances of mistyped or fake email accounts.

__Key Highlights:__

- __Synchronous Email Verification:__ Prevents account creation or password reset until users verify their email via OTP.
- __Improved Security:__ Helps prevent fake accounts, ensures accurate email addresses, and discourages phishing through email links.
- __Applicability:__ Available for both email verification during signup and password reset challenges.

__Prerequisites:__

- Must be using __Universal Login__.
- Connection must have __Flexible Identifiers__ enabled.
- Email OTP is only compatible when using the __Identifier First Authentication Profile__.

To enable this feature, navigate to the __Attributes__ tab on any connection and change the __Verification Method__ under the __Email__ attribute settings from __Verification Link__ to __OTP__.

![Email OTP Verification](https://cdn.auth0.com/blog/email_otp_verification.png)

Auth0 Actions dashboard experience & documentation has been updated to consolidate around the concept of "Triggers" (as opposed to our previous mix of Flows and Triggers). A trigger represent points in the Auth0 process where Actions can be added.

We believe this change will make it easier for you to identify available customization options (now simply labelled as [triggers](https://auth0.com/docs/customize/actions/explore-triggers)) and how they can be leveraged to personalize your identity needs.

![Actions Triggers](//images.ctfassets.net/kbkgmx9upatd/38P4yCQzOavZSewcUVRTOt/f40c6a6df9e9713449d6a1cf74404419/Screenshot_2024-09-25_at_2.27.21_PM.png)

*Please note that this change does not have any impact on the current functional behaviour of Actions within Auht0.*

We are happy to announce that we just added two new endpoints to our Session Management APIs:

[POST  /api/v2/users/{id}/revoke-access](https://auth0.com/docs/api/management/v2/users/user-revoke-access) – This endpoint allows you to revoke sessions for a user and decide if you want to revoke the associated Refresh Tokens.

[POST  /api/v2/sessions/{id}/revoke](https://auth0.com/docs/api/management/v2/sessions/revoke-session) – This endpoint will revoke the session and all its related Refresh Tokens.

Please refer to the [Auth0 Management API](https://auth0.com/docs/api/management/v2/introduction) for more information.


Continuous Session Protection is now generally available for enterprise customers, providing powerful tools to dynamically manage Sessions and Refresh Tokens within Auth0 Actions. This feature offers flexible options to configure expiration settings, access additional session and token data, and revoke sessions when necessary, enhancing security and control.

Key benefits of Continuous Session Protection include:

- Dynamic Session and Token Expiration: Configure custom absolute and idle timeouts for Sessions and Refresh Tokens using the new setExpiresAt(Date) and setIdleExpiresAt(Date) methods. These settings can be applied across users, organizations, or specific connections to meet your security and compliance needs.
- Enhanced Security with Revocation: Revoke Sessions and Refresh Tokens programmatically using Actions, based on custom logic or risk assessments. This allows you to take immediate action when suspicious behavior is detected or when tokens no longer meet your security policies.
- Comprehensive Session and Token Insights: Access additional session and refresh token attributes within Actions, enabling you to make more informed, data-driven decisions for managing user sessions.
- These features allow enterprise customers to dynamically improve their security posture by customizing session behavior, enforcing shorter expiration times for high-risk roles (such as administrators), and revoking tokens when necessary to mitigate risks.

To learn more, visit the product documentation: [Continuous Session Protection](https://auth0.com/docs/secure/continuous-session-protection)

![Continuous-Session-Protection-Action](https://cdn.auth0.com/blog/continuous_session_protection_action.png)

We're happy to announce SaaStart: a complete B2B SaaS reference application built using Next.js, Radix UI and Auth0 by Okta. Clone [the repo](https://github.com/auth0-developer-hub/auth0-b2b-saas-starter) to get a head start on the capabilities that you'll need to support enterprise customers of your SaaS app - like multi-tenant user management and access controls, security policies, self-service Single Sign-On configuration and more...

Give us a holler in [the Auth0 community](https://community.auth0.com/t/saastart-b2b-saas-reference-app/136654) if you have any questions! 

![SaaStart](//images.ctfassets.net/kbkgmx9upatd/5AuSP8nvsE0bdFJJBMpkFy/72720e603b82c460d916c59553442686/Complicated__1_.png)

**Passwordless Connection Support**

Universal Login now supports customizing the passwordless signup and login authentication flows, allowing customers to address their unique data capture, security, and compliance requirements when users authenticate with email and SMS one-time passwords. 

See our [online documentation](https://auth0.com/docs/customize/login-pages/universal-login/customize-signup-and-login-prompts) for more information, instructions and examples.

**Dev Tooling support for the Partials API**

Auth0’s CI/CD tooling (Auth0 CLI, Deploy CLI, Terraform Provider) now fully supports the Partial API including the new Passwordless prompts. As a bonus, Partials can now also be edited using Auth0 CLI’s UL Customize interface. Run `auth0 ul customize` in your terminal to see it in action. To access these new capabilities, upgrade to the latest versions of Auth0 CLI, Deploy CLI, and Terraform Provider.

![Auth0 CLI - Partials API Support](//images.ctfassets.net/kbkgmx9upatd/4aJB7oZYi1eXnqa8QBXURf/b9fc528de063fc07efdf405204ffba68/Screenshot_2024-09-17_at_10.53.42_AM.png)

You are now able to individually test a [Custom Database script](https://auth0.com/docs/authenticate/database-connections/custom-db) for a specific Node runtime version. 

![Test specific runtime version for Custom DB scripts](//images.ctfassets.net/kbkgmx9upatd/67AkIp89UvIo7HkA0sVDO8/a6f5781992d0336c6471ba0e0db65fbe/Screenshot_2024-09-09_at_2.25.32_PM.png)

This will help to validate script changes against a target runtime version before you modify the default global tenant configuration for [Extensibility runtime](https://auth0.com/docs/get-started/tenant-settings#extensibility).

You can read more about how to use this feature [in our documentation](https://auth0.com/docs/authenticate/database-connections/custom-db/custom-database-connections-scripts/environment#testing-a-specific-runtime-version).

We’re excited to announce that Forms is now generally available in Okta Customer Identity Cloud!

This new feature allows you to extend your login and signup flows with additional steps and business logic.

![Forms GA - Preview](//images.ctfassets.net/kbkgmx9upatd/6kZjPUb5ZyeLU8TMcA9u5q/34372ae2940652ee7e599e32db3e9863/forms-ga-overview.png)

What's new:
1. __Pass data between Forms and Actions:__ now you can easily [inject server-side data](https://auth0.com/docs/customize/forms/render#inject-custom-data-with-shared-variables-server-side-) from Actions to Forms, and [use the collected data](https://auth0.com/docs/customize/forms/render#fields-and-shared-variables-data-in-actions) in Forms in your Actions.
2. __New form components:__ [custom fields components](https://auth0.com/docs/customize/forms/custom-field-components) to create your own fields UI with code, image block to personalize your form adding logos or images, and HTML block to customize it with code.
3. __Organizations support:__ forms now inherit organization branding, and there is available [context data](https://auth0.com/docs/customize/forms/variables#available-variables) about the organization you're using.
4. __Management API:__ create and manage forms using the Management API.
5. __Other changes:__ added new templates, rich text editor improvements, and new masking options for your flows.

Learn more:
- [Product documentation.](https://auth0.com/docs/customize/forms)
- [Templates.](https://developer.auth0.com/resources/templates)
- [Blog Post.](https://auth0.com/blog/auth0-forms-go-ga/)

We’re excited to announce that support for [Okta Universal Logout](https://help.okta.com/oie/en-us/content/topics/itp/universal-logout.htm) in Okta Customer Identity Cloud is now in Limited Early Access!

Okta Universal Logout is based on the [Global Token Revocation](https://www.ietf.org/archive/id/draft-parecki-oauth-global-token-revocation-02.html) specification and allows security incident management tools [Okta Identity Threat Protection](https://www.okta.com/products/identity-threat-protection/) to send back-channel requests to revoke application users' sessions and refresh tokens when they identify a change in risk.

With this feature, customers who use [Okta Workforce Connections](https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/okta) in Auth0 no longer need to build their own Global Token Revocation endpoints to support Universal Logout. Simply enable it for your Okta Workforce connection and provide the endpoint URL to the Okta Workforce administrator. 

To enable the Limited Early Access release in your Auth0 tenant, please contact your Technical Account Manager to request access.

We’re excited to announce the introduction of support for multiple Self-Service SSO profiles! This new feature allows you to customize Self-Service SSO profiles configurations to meet your diverse needs, including different required attributes and branding. With this update, you can now tailor SSO setups more precisely to fit your company's unique requirements.

Learn more about Self-Service SSO in the [product documentation](https://auth0.com/docs/authenticate/single-sign-on/self-service-SSO "product documentation").

Within the Security Center Dashboard offering, customers can now set [metric thresholds](https://auth0.com/docs/secure/security-center/security-alerts). This new feature provides Enterprise customers with an enhanced proactive capability around the various Security Center monitors they track. Customers can now configure thresholds on security threat metrics and monitor when threats exceed the acceptable value. 
The feature is available in all Public cloud environments and rolling out to Private spaces throughout the next few weeks.


We are excited to announce that our Bot Detection feature has been upgraded with a new machine learning model specifically designed to detect and prevent signup attacks. This enhancement integrates advanced ML capabilities into our proprietary Bot Detection system, significantly improving the identification of fraudulent account creation attempts.

This feature is currently available in the New Universal Login experience, providing added security for customers utilizing our latest UI. For customers using the Classic Login or custom UI, we are evaluating options to extend these capabilities in the future.

As always, to activate Bot Detection or if you require more detailed information, please visit our [online documentation](https://auth0.com/docs/secure/attack-protection/bot-detection) or contact your account team. We are here to assist you in ensuring your systems remain secure against evolving threats.

Okta FGA has now two deployment options: public cloud and private cloud. The public cloud option is a multi-tenant SaaS service available in three geographies: the United States, Europe, and Australia, offering a highly available multi-region deployment. The private cloud option, on the other hand, is tailored for enterprises seeking dedicated resources. Okta FGA Private Cloud leverages the same architecture principles that have been battle-tested with Auth0 for over two years.

Private Cloud for Okta FGA has the following benefits:

- Higher RPS: Private cloud instances are optimized for high request-per-second (RPS) performance, scaling up to five times the average RPS based on your application’s needs. 
- High Availability: Okta FGA for Private Cloud is always deployed in two AWS regions with active-active data replication, minimizing the chances of being impacted by an AWS region outage.
- Data Residency and Compliance: Deploy your Private Cloud environment in any AWS region to meet specific data residency and compliance requirements. Initial regions include the US, Germany, Ireland, UK, France, Japan, India, Singapore, Australia, and Brazil.
- Reduced Latency: Choose the AWS region closest to your application servers, which will significantly reduce latency for faster access control checks.
- Multi-Geography Deployments: Businesses can replicate the same authorization data across multiple regions worldwide, allowing them to maintain low-latency authorization services even for globally distributed applications. For example, a company can have the same data in the US, EU, and Australia, have their authorization data replicated across all regions, and have their applications routed to the closest region.
- Automated, Hardened Release: Benefit from automated weekly releases that are previously validated in Okta’s public cloud deployments.
- Centralized Management: Customers can manage both private and public cloud instances seamlessly from the Okta FGA dashboard.

Learn more in the [product documentation.](http://docs.fga.dev/okta-fga-private-cloud)


__[Prioritized Log Streams](https://auth0.com/docs/secure/security-center/prioritized-log-streams)__ is now Generally Available (GA) 

Now, Enterprise customers can stream a predefined set of security risk-related log events through a dedicated architecture with higher confidence. Customers can stream events to SIEM tools, monitor, and take action on Security events without interruption when there is an attack on the customer’s tenant or abnormally high user activity.

The feature is available in all Public cloud environments and rolling out to Private spaces throughout the next few weeks.


We are pleased to announce that developers using Okta FGA now have a way to specify their required consistency level when querying Okta FGA.

To minimize latency, Okta FGA uses two levels of caching that can result on permissions changes not being reflected in authorization queries for up to 20 seconds. 

All query APIs (Check, Read, ListObjects, ListUsers, Expand) now have an additional optional parameter with two possible values:

- __MINIMIZE_LATENCY__ (default): Okta FGA will try to minimize latency (e.g. by making use of the cache)
- __HIGHER_CONSISTENCY__: Okta FGA  will try to optimize for stronger consistency (e.g. by bypassing cache)

When using HIGHER_CONSISTENCY, latency will be higher as Okta FGA will ready directly from the database. Developers need to make the trade off between consistency and latency depending on the use case.

All SDKs were updated with support for the new parameter.

You can learn more in the [Okta FGA documentation](http://docs.fga.dev/writing-data/consistency-modes).

Introducing a new capability within the Security Center Dashboard offering - [__Security Center Thresholds__](https://auth0.com/docs/secure/security-center/security-alerts) Early Access. This new feature provides Enterprise customers with an enhanced proactive capability around the various Security Center monitors they track. Customers can now configure thresholds on security threat metrics and monitor when threats exceed the acceptable value. The feature is available in all Public cloud spaces and will roll out to private spaces with the General Availability announcement.

Following on the objective to improve the capabilities to dynamically manage Sessions and Refresh Tokens, we are happy to announce that we have added new methods to control the expiration of Sessions and Refresh Tokens using Actions.

Now you can control the absolute and inactivity timeouts with the new `setExpiresAt(Date)` and `setIdleExpireAt(Date)` methods, available for post-login Action objects `api.session` and `api.refresh_token`.

They can be used in different use cases, for example, you can improve your security posture by enforcing shorter expiration times for administrators, specific Connections or Organizations.

To learn more, read our public docs: [Sessions with Actions](https://auth0.com/docs/manage-users/sessions/manage-sessions-actions) and [Refresh Tokens with Actions](https://auth0.com/docs/secure/tokens/refresh-tokens/manage-refresh-tokens-actions).

They are now available in Private Early Access. If you are an Enterprise customer, please reach out to your Technical Account Manager (TAM) to request access.

![Session-setExpiration-Actions](https://cdn.auth0.com/blog/Session_setExpiration.png)


We’re excited to announce that __Self-Service SSO__ on Customer Identity Cloud, powered by Auth0 is now in __Early Access__. 

This capability aims to streamline the administrative tasks that are critical for every B2B SaaS product. Our Self-Service SSO feature, provides our business customers' customer with a flexible, user-friendly experience for configuring their own single sign-on setups.

These capabilities are now available in Early Access. If you are a B2B Professional or Enterprise customer, please reach out to your Auth0 account contact to request access.

![Self-Service SSO ](//images.ctfassets.net/kbkgmx9upatd/4WwCf47yQtDXhs4AVl8WwL/f9ad7d23e03d6f9e2c228b8198f6fe53/image1.gif)

Starting __February 23rd, 2025__, Auth0 will begin removing the ability to use the legacy, non-compliant UI for Universal Login. The new WCAG compliant version ensures that end users, including those who rely on assistive technology, can access and engage with a customer’s product or service. Read our [Universal Login Accessibility documentation](https://auth0.com/docs/authenticate/login/auth0-universal-login#accessibility) for more information.

We're excited to announce the Early Access launch of Guide - an Okta AI powered chatbot here to answer your questions about the Auth0 platform.

### What is Guide?
Guide is your new go-to for quick answers on all things Auth0. It pulls information from our docs, blog, and community to provide summarized responses and relevant links. You can access Guide by clicking the "Ask Guide" button in the top-right of your Auth0 Dashboard. Just ask your question and let Guide do the work.

### Availability
Guide is available to tenants in the US Public Cloud region. Guide will be rolled out to all Public Cloud regions in the near future.

Okta CIC is happy to announce the next major version of the React Native SDK. With [react-native-auth0 v4](https://github.com/auth0/react-native-auth0 "GitHub: react-native-auth0 v4"), developers will be able to use advanced biometric authentication to obtain credentials. This new SDK version also makes it possible to switch between domains for authentication. We’re planning to release a GA version later in Q3 with major improvements to the SDK architecture and other new features.

###### What’s new
1. __Advanced Biometric Authentication:__ Use FaceID/Fingerprint to perform device authentication before obtaining credentials.
2. __Domain Switching:__ Dynamically switch domain/clientID to offer a personalised and contextual authentication experience.

###### Learn More
1. [Migration Guide](https://github.com/auth0/react-native-auth0/blob/master/MIGRATION_GUIDE.md#upgrading-from-v3---v4 "Migration Guide")
2. [Implementation Guide: Advanced Biometric Authentication](https://github.com/auth0/react-native-auth0/blob/master/README.md#requiring-authentication-before-obtaining-credentials "Implementation Guide: Advanced Biometric Authentication")
3. [Implementation Guide: Domain Switching](https://github.com/auth0/react-native-auth0/blob/master/EXAMPLES.md#domain-switching "Implementation Guide: Domain Switching")
