https://auth0.com/changelog/rss.xml Auth0 Changelog en-US Fri, 08 May 2026 13:20:59 GMT https://validator.w3.org/feed/docs/rss2.html https://cdn.auth0.com/website/feed/auth0-logo.png https://auth0.com/changelog/rss.xml Wed, 06 May 2026 00:00:00 GMT We are excited to announce Auth for MCP is now Generally Available. Auth for MCP gives you a straightforward way to add authentication and authorization to any MCP server, so you control exactly who gets access, and what they get access to. Implement authentication, CIMD registration, and OBO token exchange for AI agents. Auth for MCP is a product capability that uses the combination of the following features: ### Client ID Metadata (CIMD) Registration (GA) For MCP clients to connect to MCP servers, they need to identify themselves. But how does a server trust a new client it's never seen? The MCP spec solves this by recommending the use of CIMD: each client hosts a document containing its metadata at a URL that identifies the client. In Auth0, tenant admins provide that URL, and Auth0 fetches the metadata, validates it, and displays it for confirmation before creating the client. You get control over which clients can access your MCP server ensuring no surprise registrations. ### On-Behalf-Of Token Exchange (GA) After a user's agent authenticates with an MCP server and issues a request, it needs to call another API like a Salesforce instance or HR system to finish the job. The question is: how does that second API know the request is legitimate and who it's actually for? On-Behalf-Of Token Exchange lets MCP servers trade the user’s access token for one that works with the downstream API, scoped correctly and still tied to the original user. No shared secrets, no service accounts with too much power. And full auditing and visibility into every action. ### Resource Parameter Compatibility Mode (GA) The MCP spec uses "resource" identifiers to indicate which server an agent wants to talk to, rather than the "audience" parameter that OAuth has traditionally used. Auth0 now supports this natively, allowing MCP implementations to stay spec-compliant without workarounds or translation layers. ### Enhanced Security Controls for Third-Party Applications (GA) As you open your APIs to AI agents, partners, and developer ecosystems, third-party applications need to be secure by default. The recently shipped Enhanced Security Controls gives third-party apps a production-ready, secure-by-default posture, with the control you need over what external applications can access. ### Documentation Links - [Register Applications with CIMD](https://auth0.com/docs/get-started/auth0-overview/create-applications/register-applications-with-cimd) - [On-Behalf-Of Token Exchange](https://auth0.com/docs/secure/call-apis-on-users-behalf/on-behalf-of-token-exchange) - [Auth for MCP Quickstart](https://auth0.com/ai/docs/mcp/get-started/call-your-apis-on-users-behalf) https://auth0.com/changelog#6SeJmK4wyY7sizFRsLJvvq Wed, 06 May 2026 00:00:00 GMT __What's Changing:__ We are fixing an issue where Auth0 was including an empty `login_hint` query parameter when redirecting users to external identity providers. Going forward, `login_hint` will only be included in the authorization request when a value is actually present. __Why This Matters:__ Some external OAuth providers strictly validate request parameters and reject authorization requests that contain empty parameter values. This caused authentication failures for customers whose upstream identity providers do not tolerate empty `login_hint` values — particularly in scenarios where customers do not control the external IdP and cannot modify its validation behavior. __Rollout Timing:__ This fix will be rolled out progressively over the next 1–2 weeks. __Action Required:__ No action is required from customers. If you previously implemented a workaround by [overriding connection parameters](https://auth0.com/docs/authenticate/identity-providers/pass-parameters-to-idps#update-the-connection-static-) to suppress the empty `login_hint`, you may optionally remove that override after confirming the fix is active in your environment. https://auth0.com/changelog#20FMZ1MYg5HlOYzM1fwZux Wed, 06 May 2026 00:00:00 GMT  We're excited to announce that __Resend__ is now __Generally Available__ as an out-of-the-box email delivery provider in Auth0! With this release, you can now configure Resend as your email delivery provider with built-in configuration directly within Auth0. Resend offers a modern, developer-friendly approach to transactional email with excellent deliverability and a clean API. Check out our [documentation](https://auth0.com/docs/customize/email/smtp-email-providers/resend) for detailed setup instructions. Have questions or suggestions? Reach out to us in our community channel and we'd love to hear how Resend is working for you! --- *This feature is available on all Auth0 plans.* https://auth0.com/changelog#6ebGxL02wewJCMS5nW2mNc Tue, 05 May 2026 00:00:00 GMT Private Key JWT assertions and expanded signing algorithm support are now generally available across Enterprise Okta and OIDC Connections. Private Key JWT assertions deliver enterprise-grade security by leveraging asymmetric cryptography to authenticate against your upstream Okta and OIDC identity providers. You now have full control over which signing algorithms Auth0 uses when generating client assertion JWTs - giving you the flexibility to align with your security standards and existing infrastructure. We've also expanded ID token verification on enterprise connections to support additional signing algorithms: RS384, RS512, PS256, PS384, ES256, and ES384. This means fewer integration headaches when connecting to upstream identity providers and greater compatibility across your authentication flows. These capabilities put you in the driver's seat: choose the cryptographic methods that work best for your environment, eliminate integration blockers, and stay ahead of evolving security standards. Please refer to the [product documentation](https://auth0.com/docs/authenticate/enterprise-connections/private-key-jwt-client-auth). https://auth0.com/changelog#2ckvKtsLDrmK7m1283Tjb8 Tue, 05 May 2026 00:00:00 GMT  We're excited to announce the new __CMD+K Command Palette functionality__ is now available to all users in the __Auth0 dashboard__. Get instant access to navigation, quick actions and recently visited pages all from a single keyboard shortcut. __What’s new:__ - __Globally available:__ Always accessible from any page by entering CMD+K. - __Quick navigation:__ Jump to any page, feature, or setting without leaving the keyboard. - __Recently visited:__ Have your last 3 visited pages available at the top. - __Action shortcuts:__ Execute common tasks directly from the palette. - __Contextual actions:__ Get tasks specific to pages right in CMD+K. To keep improving this experience, we’ll be continuously adding more contextual actions and capabilities to the __CMD+K Command Palette__. https://auth0.com/changelog#3mhwjZdB3L7vXnesSa5t8E Thu, 30 Apr 2026 00:00:00 GMT We're excited to announce that **Enhanced Security Controls for Third-Party Applications** is now Generally Available for all Auth0 customers. As you open your APIs to AI agents, customers, partners, and external developers, you need strong security defaults for third-party applications. Enhanced security controls give third-party applications a secure-by-default posture, so Auth0 does the heavy lifting, and you stay in control of what external applications can access. **What's included:** * **Strict security mode** for third-party applications (`third_party_security_mode: 'strict'`) * **OAuth 2.1 alignment**: mandatory PKCE, restricted grant types * **Explicit API authorization**: third-party applications always require a client grant to access an API * **Default permissions for third-party applications**: configure default API permissions that apply automatically to all third-party applications, including those created via **Dynamic Client Registration** * **Open redirect protection**: configurable `redirection_policy` to prevent redirect-based attacks * **Reduced attack surface**: curated property allowlist and feature restrictions  **For existing customers using third-party applications**: Your existing applications continue to work exactly as they do today — no changes required. A 6-month migration window gives you time to adopt enhanced security controls for new application creation. Review the [migration guide](https://auth0.com/docs/troubleshoot/product-lifecycle/deprecations-and-migrations/migrate-to-enhanced-security-third-party-applications) for detailed steps. To learn more, visit the [Third-Party Applications documentation](https://auth0.com/docs/get-started/applications/third-party-applications). https://auth0.com/changelog#YcrZfUuth36sz2ZLClPEh Thu, 30 Apr 2026 00:00:00 GMT __What is a Permissions Index?__ In relationship-based access control like FGA, checking for permissions requires traversing a complex graph of relationships to find a valid path between a user and an object. The [FGA Permissions Index](https://docs.fga.dev/permissions-index/fga-permissions-index) anticipates this time-consuming traversal by pre-calculating every possible permission path and storing them as direct, user-to-object relationships. Whenever an indexed relationship is added or revoked in FGA, an incremental compute engine cleverly remembers which parts of the graph are affected, quickly ‘flattens’ those relationships, and enables a simple, efficient lookup at query time, no real-time graph traversal necessary. This makes it easier to power traditionally diffucult authorization use cases such as [enterprise search](https://docs.fga.dev/integration/advanced/search-with-permissions) and AI retrieval (like RAG) over large datasets without repeatedly traversing the authorization graph every time. The Developer Preview of FGA Permissions Index is available to any existing FGA enterprise customer. [Get started](https://docs.fga.dev/permissions-index/getting-started) today! __Learn more__: - [What is a Permissions Index?](https://docs.staging.fga.dev/permissions-index/fga-permissions-index#what-is-a-permissions-index) - [Permissions Index Best Practices](https://docs.fga.dev/permissions-index/best-practices)  https://auth0.com/changelog#5KDss6efgwLvwrnUYFADEs Thu, 30 Apr 2026 00:00:00 GMT Event Streams is now available for all customers in General Availablity. Customer can: - Subscribe to Auth0 User, Organizations, and Groups (Early Access Limited Release) Events - Deliver Events to AWS EventBridge, Auth0 Actions, and Webhooks (including to [Okta Workflows](https://help.okta.com/wf/en-us/content/topics/workflows/execute/flow-api-endpoint.htm "Okta Workflows") via Customer Header Auth) - Consume events via the Events API See the [Auth0 Docs](https://auth0.com/docs/deploy-monitor/events "Event Streams") and [Event Catalog](https://auth0.com/docs/events "Event Catalog") for further instructions. https://auth0.com/changelog#fuWON1ktuPMy4n09B1mrR Tue, 28 Apr 2026 00:00:00 GMT We're excited to announce that __Self-Service Domain Verification is now in General Availability__! Allow your customers' IT admins to verify their own email domains for HRD directly within the SSO setup assistant — no back-and-forth with your team required. Key Advantages at a Glance: - Proven ownership: IT admins verify domains via DNS TXT record. - Flexible requirements: Configure domain verification as off, optional, or required — per customer engagement. - Domain management: IT admins can now add, re-verify, and delete domains entirely through self-service. - Enterprise-ready controls: Pre-configure domains for your customers to verify, or pre-verify domains on their behalf — with verified domains automatically powering Organization Discovery when enabled. To dive deeper, please review our updated documentation on[ Self-Service Enterprise Configuration](https://auth0.com/docs/authenticate/enterprise-connections/self-service-enterprise-config). https://auth0.com/changelog#6ALAmotlACYGqbTE8UoJ3 Tue, 28 Apr 2026 00:00:00 GMT We’re thrilled to announce that the __Self-Service Provisioning experience is now in General Availability__! Empower your customers' IT teams to handle user onboarding and offboarding themselves, which means less manual work and fewer support tickets for your team. __Key Advantages at a Glance__ - Automation: Allow your customer's admins to manage their own SCIM setup. - Interoperability: Ensure seamless integration with a wide variety of customer IdPs. - Consistency: Use a single, unified schema for easier support and debugging. - Flexibility: Retain the ability to override attribute mappings for specific protocols if needed.  To dive deeper, please review our updated documented on [Self-Service Enterprise Configuration](https://auth0.com/docs/authenticate/enterprise-connections/self-service-enterprise-config). https://auth0.com/changelog#3TqcZNu5FJI7nIrTd4C59S Tue, 28 Apr 2026 00:00:00 GMT We're thrilled to announce that __Organization Discovery by Domain is now in General Availability__! Automatically identify your customers' users and route them to the right identity provider based on their email domain — before they even reach the login screen. Key Advantages at a Glance: - Automatic routing: Direct users to their organization's IdP the moment they enter their email — no manual org selection required. - Multi-org support: When a single domain maps to multiple organizations, an org picker ensures users land in the right place. - Seamless B2B login: Eliminate the friction of Home Realm Discovery by adding full organization context to the pre-login flow. - Flexible configuration: Support email-based, org-name-based, or combined discovery to match your customers' login requirements. To dive deeper, please review our documentation [here](https://auth0.com/docs/manage-users/organizations/login-flows-for-organizations#organization-domain-discovery-optional). https://auth0.com/changelog#1PKSNs4ANJ6DkZWjq9d203 Tue, 28 Apr 2026 00:00:00 GMT The new name better reflects the full scope of the suite, which includes: - Single Sign-On (SSO): Allow enterprise customers to configure and maintain SSO for their applications. - Domain Verification: Self-managed domain verification and mapping for IT admins. - Google Directory Sync: Keep user attributes synchronized across systems. - User Provisioning: Automate the user lifecycle through SCIM 2.0. No functional changes — everything works the same. For full details, see the [Self-Service Enterprise Configuration](https://auth0.com/docs/authenticate/enterprise-connections/self-service-enterprise-config) documentation. https://auth0.com/changelog#25JUjMOH28xo3ysd3seeqa Thu, 23 Apr 2026 00:00:00 GMT Auth0 Private Cloud is now supported in the Azure Japan East (Tokyo) region! Japan already has Auth0 coverage through AWS Private Cloud and our Public Cloud environment, and this addition brings Azure into the mix for the first time. Organizations can now deploy Auth0 Private Cloud in-country on Azure, giving them a dedicated identity infrastructure with the latency and data residency benefits of a local deployment. This expansion reflects our ongoing commitment to meeting customers where they are — on the cloud platform and in the geography that works best for them. https://auth0.com/changelog#4O6ALxGyt6yFHtkcW90rmD Wed, 22 Apr 2026 00:00:00 GMT We're excited to announce that Dry Run on Auth0 Deploy CLI is now Generally Available — giving developers full visibility into tenant changes before they're applied. __Key Benefits:__ - Preview changes before they hit your tenant. Run a0deploy import --dry-run to see exactly what resources will be created, updated, or deleted — then exit safely. No changes applied, no surprises in production. - CI/CD-native by default. Dry Run is now non-interactive out of the box, so it works in GitHub Actions, Jenkins, and any headless pipeline. Use --dry-run --apply to show the plan and deploy without prompting — full visibility, zero manual intervention. - Flexible review modes. Need manual control? --dry-run --interactive gives you the review menu to apply, export to JSON, or exit. Choose the workflow that fits: automated gates in CI, manual review locally. __What's new in GA (beyond EA):__ - --dry-run is now non-interactive by default (was interactive-only in EA) - --dry-run --apply: preview then deploy without prompting — built for CI pipelines - --dry-run --interactive: opt into the EA interactive menu when you want it - Backward-compatible Node module API (AUTH0_DRY_RUN: true still works) __Getting Started:__ - [Documentation](https://github.com/auth0/auth0-deploy-cli/blob/master/docs/using-dry-run.md) - [Official Repo](https://github.com/auth0/auth0-deploy-cli) https://auth0.com/changelog#31ExGKQkdxxa7L4HWJPZzY Tue, 21 Apr 2026 00:00:00 GMT We are excited to announce the Actions TypeScript definitions are now available on GitHub and npm. - GitHub Repository: [https://github.com/auth0/auth0-actions](https://github.com/auth0/auth0-actions) - NPM Package: [https://www.npmjs.com/package/@auth0/actions](https://www.npmjs.com/package/@auth0/actions) These resources provide the official Actions TypeScript definitions, helping developers and AI agents write better code when building Actions outside of the Management Dashboard's editor. To learn more, check out the [Actions NPM Docs](https://auth0.com/docs/customize/actions/actions-npm "Actions Types Docs") and the [Actions Unit Test Docs](https://auth0.com/docs/customize/actions/actions-unit-test "Actions Unit Test Docs"). https://auth0.com/changelog#3Hw5SUItRR6ZDls01MMVUC Mon, 20 Apr 2026 00:00:00 GMT After May 11, 2026, Auth0 is ending the Free Trial for the [Mobile Driver’s License (mDL) Verification Service Early Access](https://auth0.com/docs/secure/mdl-verification) and will remove access to the mDL Verification Service for tenants that enrolled in Early Access. While we are not planning to move forward with mDL Verification Service capabilities as part of the Auth0 product, if you are still interested in capabilities related to verifiable digital credentials (VDCs) and want to learn how Okta is shaping the future with VDCs, visit [oktacredentials.dev](https://oktacredentials.dev) or read about the [Okta Digital ID Verification Beta](https://www.okta.com/blog/product-innovation/okta-digital-id-verification-beta/). To join the Beta and get involved, [fill out this short form](https://surveys.okta.com/jfe/form/SV_6yDRiNg5bYVcttI) or email the team directly at `oktacredentials@okta.com`. https://auth0.com/changelog#37Bpvtxbjs4NAeKFJOxqdD Fri, 17 Apr 2026 00:00:00 GMT __v4.8.1 — Custom Domain Hook__ Added support for a new [Custom Domain Hook](https://auth0.com/docs/customize/extensions/delegated-administration-extension/delegated-administration-hooks/delegated-administration-custom-domain-hook) in the Delegated Administration Extension. This hook allows you to customize behavior when [Multiple Custom Domains](https://auth0.com/docs/customize/custom-domains/multiple-custom-domains) are in use. __v4.8.3 — Compatibility fix for deprecation of enabled_clients on connections__ The extension has been updated to remove its dependency on the deprecated enabled_clients field on connections. If your tenant uses the Delegated Administration Extension, you may have been seeing deprecation warning errors in your tenant logs. This release resolves that. __Action recommended before July 15:__ Auth0 is deprecating legacy management of a connection's enabled clients. See the [deprecation notice](https://auth0.com/docs/troubleshoot/product-lifecycle/deprecations-and-migrations#legacy-management-of-connection's-enabled-clients) for full details. Updating to v4.8.3 ensures the extension is compatible with this change. __Upgrading__ Not on v4.8.x: Manually update the extension in your Auth0 tenant by navigating to Extensions → Installed Extensions, locating the Delegated Administration Extension, and clicking Update. Already on v4.8.x: No action required — the patch has been automatically applied. https://auth0.com/changelog#5agVKVb0XqU9j5y8Z2S12t Fri, 17 Apr 2026 00:00:00 GMT We are excited to announce the next phase of our __Google Workspace Directory Sync for Groups__ Early Access! Building on our initial Early Access [release](https://auth0.com/changelog#6WhEr0c0yB3K5oh7jiPADP), this update introduces __Partial Group Sync__, giving you exact control over which Enterprise Groups to import from your Google Workspace Directory into Auth0. __What's new:__ - Targeted Group Sync: Instead of syncing your entire directory, you can now choose to synchronize only a specific subset of your Google Workspace groups. Easily manage your selected groups through either the Management Dashboard or Management API. __How to join Early Access:__ To join the EA program, please complete the [EA Terms & Conditions form](https://forms.gle/9MK4hnQUW8AVfREZ9) and contact your Auth0 Account Team to request activation and supporting documentation. https://auth0.com/changelog#3sQ4fmmnZQuIAu9jZBoBOS Tue, 14 Apr 2026 00:00:00 GMT Following the successful Early Access period that began on August 11, 2025, we are excited to announce that MRRT is now available to all customers with full production support. This is a powerful enhancement that simplifies token management and modernizes app architecture across both native and web platforms --- ### What's New in GA #### ✨ Auth0 Dashboard Support - **Configure MRRT policies directly in the Dashboard** — No more Management API-only configuration - **Visual refresh token policy editor** — Easily add, remove, and modify audience/scope policies for your applications - **Application settings integration** — MRRT configuration is now available under the Application > Settings page #### 🔒 Enhanced Security with Client Grants Integration - **Client Grants enforcement** — MRRT now respects Client Grants restrictions, ensuring applications can only request access tokens for APIs they are authorized to access - **Improved validation** — Better error messages when attempting to configure unauthorized audience/scope combinations #### 🐛 Bug Fixes and Improvements (based on EA feedback) - Fixed: Token exchange now properly validates scopes against both MRRT policy and Resource Server definitions - Fixed: Improved error handling when requesting access tokens for deleted or modified Resource Servers - Fixed: `org_id` claim is now correctly preserved in access tokens when using MRRT with Organizations - Fixed: Refresh token rotation works correctly when exchanging tokens for different audiences - Improved: Better logging in tenant logs (`type: sertft`) for MRRT token exchanges - Improved: More descriptive error messages for unauthorized audience requests #### 📦 SDK Updates - **iOS SDK (Auth0.swift)** — Full GA support - **Android SDK (Auth0.Android)** — Full GA support #### 🛠️ Developer Tooling - **Auth0 CLI** — Full support for configuring MRRT policies - **Terraform Provider** — Complete resource configuration for refresh token policies - **Auth0 Deploy CLI** — Full support for managing MRRT configurations in deployment pipelines ## Documentation Links - [Multi-Resource Refresh Token Overview](https://auth0.com/docs/secure/tokens/refresh-tokens/multi-resource-refresh-token) - [Configure and Implement MRRT](https://auth0.com/docs/secure/tokens/refresh-tokens/multi-resource-refresh-token/configure-and-implement-multi-resource-refresh-token) - [Management API - Update Client](https://auth0.com/docs/api/management/v2/clients/patch-clients-by-id) https://auth0.com/changelog#3R4EktlkSnNsaB2TtXBk0B Mon, 13 Apr 2026 00:00:00 GMT Demonstrating Proof of Possession (DPoP) sender constraining for Enterprise Connections is now available in Early Access. Customers can now establish Okta and OIDC Enterprise Connections with DPoP enabled on those connections. This is available on all plans with Enterprise Connections. DPoP for Enterprise Connections enables Auth0 to generate DPoP proofs when performing token exchange and calling userinfo endpoints on upstream OIDC and/or Okta connections. DPoP is a core building block of FAPI2 and IPSIE (Identity Proofing and Secure Identity Exchange) ecosystems. It provides a lightweight, standards-based way to enforce proof-of-possession (of a private key) without the operational overhead of mTLS token binding. Please see [product documentation](https://auth0.com/docs/authenticate/enterprise-connections/enable-dpop-enterprise-connections) for details. https://auth0.com/changelog#3kRaHbKHHvaDZjqdKFSNX2 Thu, 09 Apr 2026 00:00:00 GMT __Auth0 Akamai Supplemental Signals is now GA__ and available across the full authentication lifecycle. This update allows developers to ingest risk scores and edge intelligence from Akamai Bot Manager and Account Protector into several new Action triggers: __Pre-User Registration__, __Post-User Registration__, __Post-Challenge__, and __Post-Change Password__. By integrating these signals directly into the Auth0 pipeline, organizations can stop automated bot signups before an account is created and enforce real-time security logic during critical events like password resets or MFA challenges. To learn more about __Akamai Supplemental Signals__ and how to set it up review our online documentation [here](https://auth0.com/docs/secure/attack-protection/configure-akamai-supplemental-signals) https://auth0.com/changelog#5HgzBbwQyUv6qtPHjfV0mX Thu, 09 Apr 2026 00:00:00 GMT The call to action for the Universal Login forgot password flow has been updated from "Forgot Password" to "Reset Password." This aligns all Universal Login CTAs to be action-oriented. The updated text is available across all languages supported by Auth0. Customers who want to keep the original "Forgot Password" text can restore it via language customization at Branding > Universal Login > Edit text and translations. Learn more: https://auth0.com/docs/customize/login-pages/universal-login/customize-text-elements https://auth0.com/changelog#ZTobrcpU7AQ3v37HPRDWa Thu, 09 Apr 2026 00:00:00 GMT We are excited to announce the __Early Access (EA)__ release of the __My Organization API__ and a library of __Embeddable UI Components for Organization Detail and Identity Provider Management__. Every B2B product needs an admin console for customers to manage their own members and security. This new feature set empowers B2B SaaS developers to deliver robust self-service experience for admins in a matter of days, not months. The __My Organization API__ removes the need to build complex interfaces from scratch. With a secure governance layer that integrates seamlessly with your application, developers can easily deliver sophisticated, branded admin portals that meet the needs of even the largest customers without extra operational overhead. __Key Highlights:__ __My Organization System API__: A purpose-built API designed for secure, scalable delegated administration, allowing customers to manage organization details and identity providers directly. __Embeddable UI Components__: A library of white-label building blocks that can be dropped into any application to provide instant self-service management for SSO, domains, and members. __Security-First Primitives__: Built-in support for cryptographically bound tokens via DPoP and automatic step-up authentication that triggers inline MFA for privileged actions. __Intelligent Onboarding__: A new Dashboard-based onboarding wizard that simplifies configuration with safe defaults, automated entity setup, and a test environment. __B2B Observability and Governance__: Enhanced tenant logs and per-organization rate limiting ensure full visibility into administrative actions while protecting tenant stability. __Interactive Developer Tools__: A modernized API Explorer and extensive SDK support across multiple languages allow developers to integrate and test administrative activity at scale. __Why This Matters:__ This release moves beyond simple API access to a unified governance layer for human and machine identity. Modern primitives like automatic least privilege ensures administrative sessions are always secure and context-aware. The result? Enterprise buyers can now get granular access levels and organization-specific rate limits they expect without the complexity of building custom backend middleware yourself. This feature is available for all tenants. To begin, navigate to the __Applications > APIs __section of your Dashboard to activate the My Organization API. To learn more, read the [My Organization API documentation](https://auth0.com/docs/manage-users/my-organization-api) and if you have any feedback, give us a shout in our community channel! https://auth0.com/changelog#7wWQexQzB29PXNwEFJhAZA Wed, 08 Apr 2026 00:00:00 GMT We’re excited to announce that __Multiple Custom Domains (MCD)__ is now __Generally Available__. With Multiple Custom Domains, Enterprise customers can support __multiple branded login experiences from a single Auth0 tenant__. This helps you deliver more tailored authentication experiences across __consumer applications__, __multi-brand businesses__, and __B2B SaaS use cases__. MCD GA includes support for: - Configuring __custom domains at scale__ within a single tenant - A __default domain__ for streamlined development and testing - __Passkey enrollment__ on custom domains - __B2B SaaS Self-Service SSO__ customizations - __Custom domain metadata__ in __Advanced Customizations for Universal Login (ACUL)__ - Support across __Management SDKs__, __Authentication SDKs__, and __Forms__ Visit [Auth0 docs](https://auth0.com/docs/customize/custom-domains/multiple-custom-domains) to get started. https://auth0.com/changelog#52jneyDuedriHasGYwAOQw Wed, 08 Apr 2026 00:00:00 GMT Auth0 developers leveraging [Express Configuration with Okta](https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/okta/express-configuration) now have a more streamlined process for submitting their application to the Okta Integration Network. The Okta Integration Network (OIN) Wizard has been updated with a new section for Auth0 developers that automatically populates the required configuration fields for OpenID Connect (OIDC), System for Cross-domain Identity Management (SCIM), and Global Token Revocation (GTR) integrations, based on information sourced from the Auth0 Dashboard. To learn more about Express Configuration with Okta and the Okta Integration Network (OIN), [click here](https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/okta/express-configuration). https://auth0.com/changelog#4SIYjVxOsFw6paD8OcEu8l Tue, 07 Apr 2026 00:00:00 GMT We are excited to introduce __Developer Preview__, a new product release stage designed to get upcoming capabilities into your hands faster! Developer Preview serves as a new release phase for new Auth0 product introductions. We utilize this stage when a new product capability will eventually be a paid feature, but we want to grant you access before the official pricing is applied. Key Highlights: - __Free Production Access__: You can use Developer Preview features in your production environments for free during the preview period. - __Clear Expectations__: Participating in a Developer Preview provides a clear signal that the feature will include a paid component once it reaches General Availability (GA). - __Help Shape the Product__: Getting these features to you early allows us to collect valuable feedback to iterate on prior to the GA launch. To participate in an active Developer Preview, you will simply need to sign up and accept the specific opt-in requirements for that feature. To learn more about how Developer Preview fits into our overall release process, visit our updated [Product Release Stages documentation](https://auth0.com/docs/troubleshoot/product-lifecycle/product-release-stages). https://auth0.com/changelog#1f7TwWKr5f9m3oy4e4vmLE Thu, 02 Apr 2026 00:00:00 GMT You can now manage custom authentication screen partials directly in the Auth0 dashboard with a purpose-built visual editor. Instead of encoding HTML as strings and sending them through the API, you get a proper code editor with syntax highlighting and live feedback.  The editor includes supporting tools: - **Code snippet library:** pre-built snippets for common use cases like first and last name, phone number, terms of service checkboxes, and more, ready to insert with a click - **Template variable reference:** a clickable list of all context variables available in the partial, for quick insertion without leaving the editor - **Actions shortcut:** open Actions in a new window directly from the editor - **Interactive preview:** click into entry points to edit HTML inline, see visually which entry point each element belongs to, and toggle entry point wrappers off to preview what the prompt looks like in the login flow This update also expands what's possible with partials: - **Passkey screens:** customize passkey authentication screens anywhere they appear in your flow; data capture is supported in the signup flow - **Custom database connections:** data captured from partials is now surfaced in custom database connection scripts Head over to the [Auth0 Docs](https://auth0.com/docs/customize/login-pages/universal-login/customize-signup-and-login-prompts) to learn more. https://auth0.com/changelog#3MZj1D42UqFktc1W2YauoP Thu, 26 Mar 2026 00:00:00 GMT ## What's new:                                                                                                   We've updated session handling in SAML-P and WS-Fed authentication flows to align with industry best practices and our existing OAuth2/OIDC behavior. Following a successful login via SAML-P or WS-Fed, the session ID will now be rotated and a new session cookie will be issued. ## What this means for you:                                                                        If your implementation includes client-side logic, downstream services, or integrations that read or store session IDs across SAML-P or WS-Fed login flows, you will now receive a new session ID after authentication completes. Please review and update any such implementations accordingly. This change brings SAML-P and WS-Fed session handling in line with the existing behavior of OAuth2 and OIDC flows, ensuring consistent and secure session management across all authentication protocols. https://auth0.com/changelog#7ahFabBSSuqU5So54b78C1 Tue, 17 Mar 2026 00:00:00 GMT We are excited to announce the release of auth0-springboot-api, a new official SDK designed to streamline authentication and security for Spring Boot backend applications. __Key Benefits:__ - __Supports Spring Boot 3.2+ (Java 17+)__ and built for the modern filter-chain pattern.Developers can secure an API by injecting Auth0AuthenticationFilter into their SecurityFilterChain — just configure auth0.domain and auth0.audience in application.yml and go. - __Abstracts the complexity of JWT validation__. Developers no longer need to write fragile boilerplate code to check Audiences or Issuers. The SDK handles JWKS fetching, token validation, and scope-to-authority mapping (SCOPE_ prefix) out of the box. - __Supports DPoP with flexible enforcement modes__ (Allowed, Required, Disabled). Enterprise customers can enforce proof-of-possession token security per RFC 9449 with a single config property — no controller changes needed. __Getting Started:__ - [Quickstart](https://auth0.com/docs/quickstart/backend/java-spring-security5) - [Official Repo](https://github.com/auth0/auth0-auth-java) - [Examples](https://github.com/auth0/auth0-auth-java/blob/main/auth0-springboot-api/EXAMPLES.md) https://auth0.com/changelog#2x4w10jjTmGC1AQuf5fJkZ Fri, 13 Mar 2026 00:00:00 GMT We’re excited to announce that __Google Workspace Directory Sync for Groups__ is now available in Early Access (EA)! This enhancement enables the automatic and reliable sync of group structures and memberships from Google Workspace directly into Auth0 Enterprise Groups. __Key Highlights:__ - __Automated group synchronization:__ Continuously mirror your Google Workspace groups into Auth0 to ensure your roles and access permissions remain accurate and up to date without manual intervention or relying on login events. - __Streamlined "Sync All" functionality:__ Enable groups synchronization for your entire Google Workspace Enterprise Connection through either the Management Dashboard or Management API in one step. - __View groups in Auth0:__ Groups provisioned using Google Workspace Directory Sync for Groups can be viewed in the Management Dashboard under Enterprise Groups, or retrieved through the Management API. - __Sync groups from Auth0 to external systems:__ Users and groups provisioned inbound to Auth0 can be synchronized outbound to external systems using Auth0’s Event streams feature. - __Use groups in the Post-Login Action:__ Use group information pushed from Enterprise identity providers in your Auth0 post-login actions to make access control and authorization decisions in Auth0. To join the EA program, please complete the EA Terms & Conditions [form](https://forms.gle/AtySc6Y9fxs15yXj9) and contact your Auth0 Account Team to request activation and supporting documentation. https://auth0.com/changelog#6WhEr0c0yB3K5oh7jiPADP Wed, 11 Mar 2026 00:00:00 GMT Support for sender constraining tokens using Demonstrating Proof of Possession (DPoP) is now generally available on Enterprise plans. Demonstrating Proof of Possession (DPoP) as defined in RFC9449, is an application level mechanism for binding tokens issued by Auth0 to the client application that requested that token. This is implemented using asymmetric key cryptography and with keys that are generated and managed by the client application - no public key infrastructure (PKI) is required. Sender constraining tokens in this way using DPoP helps to: - enhance security by mitigating against token theft and misuse by unauthorised parties - improve user experience by being able to use longer-lived access tokens without significantly increasing security risk i.e. not requiring frequent user authentication Additional features since the EA release includes replay protection against client applications sending repeated DPoP proofs, and the ability to require DPoP for public clients only, or all clients. A number of Auth0 SDKs have shipped with support for DPoP: - Authentication SDKs supporting DPoP for client applications: auth0-spa-js, auth0-react, auth0-angular, nextjs-auth0, auth0-flutter, Auth0.Swift and Auth0.Android - Authentication SDKs supporting DPoP for APIs/Resource Servers:express-oauth2-jwt-bearer, auth0-api-js, auth0-api-python, aspnetcore-api - Management SDKs supporting DPoP configuration: terraform-provider, go-auth0,deploy-cli, node-auth0, auth0.net For more details, see the [product documentation](https://auth0.com/docs/secure/sender-constraining/demonstrating-proof-of-possession-dpop). https://auth0.com/changelog#1RJ7fX7AJuT01XZ9o4ZeH6 Tue, 10 Mar 2026 00:00:00 GMT Boost Passkey adoption by enabling shared enrollment across subdomains. You can now customize the RP ID to allow a single Passkey to authenticate users across multiple applications under the same root domain.Currently in EA Learn more about customizing RP ID for Passkeys: [Configure Passkey Policy ](https://auth0.com/docs/authenticate/database-connections/passkeys/configure-passkey-policy) Native Passkeys for Mobile Applications - Auth0 Docs - [Native Passkeys for Mobile Applications ](https://auth0.com/docs/authenticate/database-connections/passkeys/native-passkeys-for-mobile-applications) Passkeys - Auth0 Docs - [Passkeys Docs](https://auth0.com/docs/authenticate/database-connections/passkeys) https://auth0.com/changelog#a8ASoFgEcUK0MefoGhIYi Fri, 06 Mar 2026 00:00:00 GMT You can now stream real-time metrics for Auth0 Management API usage and rate limit events directly to your observability platform. These new metric streams give you detailed telemetry on every API request, including success/failure status, specific failure reasons like rate limits, and diagnostic data such as Client ID and request path. This allows you to proactively monitor for rate limit issues, troubleshoot API errors faster, and correlate Auth0 performance with your own application's health, all from within your existing monitoring tools. We've included out-of-the-box support for Datadog, and you can connect to New Relic, Prometheus, and Splunk using OpenTelemetry. This feature is now available in Beta. To get started, check out our Metric Streams documentation. https://auth0.com/changelog#24nAKx5yhwaJc9tCnjVABy Wed, 04 Mar 2026 00:00:00 GMT We’re excited to announce that we added new options for __Forms HTTP Vault Connections__! This new set of options allows you to configure different authorization methods for your HTTP Request Flow Actions.  What's new: - __Client Credentials Support:__ Configure [OAuth Client Credentials](https://auth0.com/docs/customize/forms/vaults/http#configure-your-http-vault-connection-for-oauth-client-credentials) and keep the access token fresh for your HTTP Request Flow Actions authorization. - __API Key Support:__ Authorize your HTTP Request Flow Actions using an [API Key](https://auth0.com/docs/customize/forms/vaults/http#configure-your-http-vault-connection-for-api-key), defining the header or query param key and secret value. - __Basic Auth Support:__ Configure and reuse [Basic Auth](https://auth0.com/docs/customize/forms/vaults/http#configure-your-http-vault-connection-for-basic-authentication) authorization for your HTTP Request Flow Actions, helping you replace the legacy built-in option. https://auth0.com/changelog#8WjIOWCE7KMD1HF8qRBjj Tue, 03 Mar 2026 00:00:00 GMT To improve the end-user experience and mitigate message spam, Brute Force Protection now proactively prevents the sending of passwordless email and SMS codes to users who are already blocked. This update ensures that restricted users cannot continue to trigger unsolicited notifications, closing a gap in our abuse prevention coverage and reducing unnecessary messages For more information on _Brute Force Protection_, check out our [online documentation](https://auth0.com/docs/secure/attack-protection/brute-force-protection). https://auth0.com/changelog#6NsBsJujkexciOsVQkTSO9 Tue, 03 Mar 2026 00:00:00 GMT We are excited to announce that __Actions Transaction Metadata__ is now GA. This feature allows you to set, share, and access, custom data between Actions run in the same `post-login` execution. Functionality includes: - __Accessing Transaction Metadata:__ A new `event.transaction.metadata` object within `post-login` Actions that contains the custom `key/value` pairs, which can be accessed through `key`. - __Setting Transaction Metadata:__ A new `api.transaction.setMetadata` function within `post-login` Actions that serves as interface to set the custom `key/value` pairs. - __Immediate Access:__ Values are available immediately after being set in the calling Action and subsequent Actions. - __Values Types:__ Values can be `boolean`, `number`, `string`, or `string` serialization of `object` and `array`. - __Docs:__ [Actions Transaction Metadata](https://auth0.com/docs/customize/actions/transaction-metadata "Actions Transaction Metadata Docs") https://auth0.com/changelog#1yZLr3z0RceWn8mQ1bLvUL Thu, 26 Feb 2026 00:00:00 GMT We are excited to announce that __Actions Modules__ is now available in [__Early Access__](https://auth0.com/docs/troubleshoot/product-lifecycle/product-release-stages#early-access "Early Access"). This feature allows you to create, manage, and share reusable code across different Actions within your Auth0 Tenant. __Early Access__ functionality includes: - __Simplified Code Management:__ Reduce code duplication and improve organization by writing common logic once and importing it into any Action where it is needed. This makes your Actions easier to maintain and update. - __Improved Performance:__ Move expensive initialization work into a module that can be reused across multiple Actions. This avoids re-running the same setup code in every execution. - __Cross-trigger Access:__ Actions Modules become available for every Action Trigger type. - __Independent Secrets and Dependencies:__ Actions Modules have independent secrets and dependencies from Actions. - __Docs:__ [Actions Modules](https://auth0.com/docs/customize/actions/modules/actions-modules-overview) https://auth0.com/changelog#5KqKUjbLeP1GnlbP5FOeYp Wed, 25 Feb 2026 00:00:00 GMT ### Description Native to Web SSO enables seamless single sign-on from native mobile applications to web applications. Users authenticated in a native mobile app can now transition to web content without re-authenticating, providing a frictionless cross-platform experience. ### What's New in GA Building on the Early Access release, GA includes the following enhancements: - **Auth0 Dashboard Support**: Configure Native to Web SSO directly from the Auth0 Dashboard, no longer limited to Management API configuration - **Refresh Token Metadata in Actions**: Access parent refresh token metadata within Session Transfer Actions, enabling richer context for customization and security decisions during the session transfer flow - **Step-up Authentication Support**: Trigger MFA challenges during the Native to Web SSO flow for enhanced security when accessing sensitive web content - **React Native SDK Support**: Native to Web SSO is now available in the Auth0 React Native SDK, supporting both Hooks (`useAuth0`) and class-based approaches - **Organizations Support**: Use Native to Web SSO with Auth0 Organizations to maintain organization context when transferring sessions from native to web - **Web SDK Integration Examples**: New code examples for Auth0 SPA SDK (`@auth0/auth0-spa-js`) and Auth0 React SDK (`@auth0/auth0-react`) for receiving session transfer tokens in web applications - **Enhanced Monitoring & Troubleshooting**: Comprehensive warning log events help developers troubleshoot session transfer validation failures ### Core Features - **Session Transfer Tokens (STT)**: Native apps can request a secure, short-lived token to transfer the authenticated session to web applications - **Seamless Web Session Creation**: Exchange STT for a web session without user interaction - **Cross-Platform SSO**: Maintain authentication state when moving between native and web contexts - **Session Transfer Actions**: Customize the session transfer flow with Auth0 Actions ### How It Works 1. User authenticates in the native mobile app using Auth0 2. Native app requests a Session Transfer Token via the Authentication API 3. When opening web content (WebView or browser), the STT is included in the authorization request 4. Auth0 validates the STT and creates a web session 5. User is automatically authenticated in the web application ### Benefits - **Improved User Experience**: Eliminate re-authentication friction when moving from native to web - **Enhanced Security**: STTs are short-lived, single-use, and bound to the original session - **Easy Integration**: Works with existing Auth0 mobile SDKs (iOS, Android, React Native) ### Getting Started - [Native to Web SSO Overview](https://auth0.com/docs/authenticate/single-sign-on/native-to-web) - [Configure and Implement Native to Web SSO](https://auth0.com/docs/authenticate/single-sign-on/native-to-web/configure-implement-native-to-web) - [Native to Web SSO and Sessions](https://auth0.com/docs/authenticate/single-sign-on/native-to-web/native-to-web-sso-and-sessions) - [Mobile to Web Payment Flows Quickstart](https://auth0.com/docs/authenticate/single-sign-on/native-to-web/configure-mobile-to-web-payment-flows) - [iOS SDK Documentation](https://auth0.com/docs/libraries/auth0-swift) - [Android SDK Documentation](https://auth0.com/docs/libraries/auth0-android) - [React Native SDK Documentation](https://auth0.com/docs/libraries/auth0-react-native) - [Auth0 CLI](https://github.com/auth0/auth0-cli) - [Terraform Provider Documentation](https://registry.terraform.io/providers/auth0/auth0/latest/docs) - [Deploy CLI Documentation](https://auth0.com/docs/deploy-monitor/deploy-cli-tool) ### Availability This feature is now generally available for all Auth0 Enterprise customers. https://auth0.com/changelog#ogAQMfll57UWlfbmvphPA Thu, 19 Feb 2026 00:00:00 GMT We’ve expanded our Self-Service SSO capabilities with two new, highly-requested IdP templates for Okta SAML and Auth0 SAML. This update streamlines the configuration process for your enterprise customers, enabling faster, more reliable SSO integration. __Guided, Step-by-Step Configuration__ Previously, setting up connections for providers like Okta SAML required using a generic template. Now, your customers will get a purpose-built, guided experience. Our new templates provide detailed, step-by-step instructions with screenshots specific to each IdP, reducing complexity and eliminating guesswork for your customers' IT teams. __Key Enhancements:__ - New Templates: A dedicated guide for customers who use Okta or Auth0 as their identity provider, making one of the most common connection types easier than ever. - Reduced Support Load: By making the process more intuitive for your customers, we help reduce your team's support burden and speed up your enterprise onboarding flow. Learn more about Self-Service SSO in the [product documentation](https://auth0.com/docs/authenticate/enterprise-connections/self-service-SSO "product documentation"). https://auth0.com/changelog#5LrDcc5jpGzMlmWsfsvdCQ Tue, 17 Feb 2026 00:00:00 GMT We’re excited to announce that we added __Flows Auth0 Send SMS and Auth0 Make Call Actions__! This new feature allows you to send phone messages from Flows using the customized Phone Provider at your Auth0 Tenant.  What's new: - __Phone Providers:__ take advantage of the [supported phone providers](https://auth0.com/docs/customize/phone-messages/configure-phone-messaging-providers) that can be configured at your Auth0 Tenant. - __Custom Phone Provider:__ write custom code to send your phone messages to unsupported phone providers using the [Custom Phone Provider Action](https://auth0.com/docs/customize/phone-messages/configure-phone-messaging-providers/configure-a-custom-phone-provider). - __Custom Properties:__ customize [Send SMS Action](https://auth0.com/docs/customize/forms/flows/integrations/auth0#send-sms) and [Make Call Action](https://auth0.com/docs/customize/forms/flows/integrations/auth0#make-call) for the outgoing phone messages including from, to, message, and variables. - __Liquid Syntax:__ use [Liquid syntax](https://auth0.com/docs/customize/email/email-templates/use-liquid-syntax-in-email-templates) at your phone message. https://auth0.com/changelog#7bcwAONmeID47j86VfN5rd Tue, 10 Feb 2026 00:00:00 GMT ## What's New Session Metadata allows you to attach custom key–value data to a user's session using Actions or the Auth0 Management API. This enables you to persist contextual data throughout the session lifecycle, powering richer integrations, stronger audit trails, and personalized session behavior. ### Key capabilities: - **Set and retrieve metadata in Actions** using `api.session.setMetadata(key, value)` and `event.session.metadata` - **Manage metadata via Management API** with `GET` and `PATCH` on `/api/v2/sessions/{id}` - **Delete individual keys** using `api.session.deleteMetadata(key)` or evict all metadata with `api.session.evictMetadata()` - **Include session metadata in OIDC Back-Channel Logout tokens** for downstream systems to receive context during logout events ### Example usage in Actions: exports.onExecutePostLogin = async (event, api) => { api.session.setMetadata("deviceName", event.request.user_agent); api.session.setMetadata("loginRegion", event.request.geoip?.countryCode); api.session.setMetadata("orgContext", event.organization?.id); }; ### Limits: - Maximum of **25 key-value pairs** per session - Each key and value must be a **string** with max **255 characters** - Metadata is stored as a flat JSON object (no nesting) --- ## Use Cases - **Self-service device management**: Store device names or login locations for user-facing session management UIs - **Keep Me Signed In**: Persist user preferences to customize session behavior - **Organization context**: Store organization information for multi-tenant applications - **Audit and compliance**: Include session context in logout tokens for downstream audit systems --- ## Availability Session Metadata is now **Generally Available** for all Enterprise tenants. No API or behavior changes from Early Access. --- ## Learn more - [Session Metadata Documentation](https://auth0.com/docs/manage-users/sessions/session-metadata) - [Configure Session Metadata](https://auth0.com/docs/manage-users/sessions/session-metadata/configure-session-metadata) - [Use Case: Organization Information in Session Metadata](https://auth0.com/docs/manage-users/sessions/session-metadata/add-organization-information) https://auth0.com/changelog#4XCPHK0lxXRWfPqughjGqS Fri, 06 Feb 2026 00:00:00 GMT We're introducing Auth0 Agent Skills Beta- structured guidance that teaches AI coding assistants how to implement Auth0 authentication correctly across any framework. Agent Skills are AI-native instructions that work with popular coding assistants like Claude Code, Codex, Gemini CLI, etc... They provide production-ready code patterns, security best practices, and step-by-step implementation flows directly within your development workflow. __Key Features__ - Framework Coverage: Support for React, Next.js, Vue, Angular, Express, Nuxt, React Native, and more - Security First: Built-in best practices for MFA, protected routes, and secure token handling - Migration Support: Guided migration from Firebase Auth, AWS Cognito, Supabase, and other providers - Easy Installation: Install via CLI (npx skills add auth0/agent-skills) or directly in Claude Code plugins - Production Ready: Generate complete authentication implementations in minutes __Getting Started__ - Install Auth0 Agent Skills: `npx skills add auth0/agent-skills` - Then ask your AI assistant: "Add auth0 to my app" and you're ready to go. __Learn More__ - [auth0/agent-skills repo](https://github.com/auth0/agent-skills) - [Documentation](https://auth0.com/docs/quickstart/agent-skills) https://auth0.com/changelog#34nfrABQdaCKQ7ZFzslAqP Fri, 06 Feb 2026 00:00:00 GMT We're excited to announce that **Refresh Token Metadata** is now available in **Early Access** for Enterprise customers. Refresh Token Metadata allows you to attach custom key-value pairs to refresh tokens, enabling richer context storage and more personalized authentication experiences. ### What's New **Store Custom Data on Refresh Tokens** You can now attach up to 25 custom key-value pairs to each refresh token. This metadata persists throughout the token's lifecycle and can be accessed or modified via the Management API. ```javascript // In Post-Login Action exports.onExecutePostLogin = async (event, api) => { api.refreshToken.setMetadata('deviceName', event.request.user_agent); api.refreshToken.setMetadata('loginRegion', event.request.geoip?.countryCode); api.refreshToken.setMetadata('orgContext', event.organization?.id); }; ``` **Management API Support** Access and manage refresh token metadata programmatically: - `GET /api/v2/refresh-tokens/{id}` - Retrieve token with metadata - `PATCH /api/v2/refresh-tokens/{id}` - Update token metadata - `DELETE /api/v2/refresh-tokens/{id}` - Revoke token Learn more about Refresh Token Metadata in our [documentation](https://auth0.com/docs/secure/tokens/refresh-tokens/refresh-token-metadata) https://auth0.com/changelog#66wOIhfWKdTVk1y1eFjwH4 Fri, 06 Feb 2026 00:00:00 GMT To strengthen defenses across the identity surface, we have added millions of breached phone credentials to our detection capabilities within __Credential Guard__ This enhancement allows organizations using Phone as an Identifier to proactively identify compromised credentials and trigger automated security responses, such as login blocks or password resets. This expansion ensures that phone-based authentication is as secure as traditional email-based methods without impacting system performance. For more information on __Credential Guard__, check out our [online documentation](https://auth0.com/docs/secure/attack-protection/breached-password-detection#detect-breaches-faster-with-credential-guard). https://auth0.com/changelog#3EewWZ94uLQBroGrdOSAAQ Mon, 02 Feb 2026 00:00:00 GMT To provide a more robust defense against sophisticated automated threats, Auth0 has integrated JA4 signals into the core of our Bot Detection machine learning engine. The addition of JA4 signals allows our models to surface and mitigate sophisticated automated threats that traditional signals often miss. This enhanced security feature is available now to all Enterprise customers with the Attack Protection add-on. The rollout is currently underway and will be completed in the coming weeks, aligned with individual customer release schedules. To learn more about Auth0's Bot Detection Product, click [here](https://auth0.com/docs/secure/attack-protection/bot-detection) https://auth0.com/changelog#40upcFBPuFxKG7nacgSlQc Mon, 02 Feb 2026 00:00:00 GMT We’re excited to roll out a highly requested update to the mobile login experience! We know that every tap matters when it comes to user conversion, so we’ve eliminated a common friction point in the authentication journey.  Previously, users might have been met with a standard alphabetical keyboard when prompted for a code. Now, for all SMS and Email OTP challenges, mobile devices will automatically surface the numeric keyboard. This change spans 16+ touchpoints—including MFA enrollment, Passwordless login, and password resets—ensuring your authentication flow feels native, intuitive, and fast. ### What do you need to do? Nothing at all. This optimization is automatically enabled for all customers using the Universal Login experience. Your users are already enjoying a smoother, "fat-finger" proof login today! ### Experience it yourself Trigger an MFA challenge or Passwordless login from your mobile device to see the new flow in action. * Visit your [Dashboard](https://manage.auth0.com) https://auth0.com/changelog#29R56ta9PFA5dZI59IiWOr Fri, 30 Jan 2026 00:00:00 GMT We are excited to announce the **FGA Logging UI**! This introduces a web interface to the existing logging API, giving you the ability to view FGA logs directly in the FGA Dashboard. Users can now filter, sort and inspect access logs directly from the FGA Dashboard, significantly reducing the time required for debugging and troubleshooting issues. The Logging UI provides an easy-to-use visual interface with capabilities to sort and filter log entries. - **Visual Interface:** Users can now immediately view a list of log entries for operations like Check() and Write() in the main viewing area of the UI. Drilling down into a single log entry will open a side panel for a full detailed view of the log data in JSON format, with a convenient copy-and-paste button to quickly copy and paste log data into another application for viewing or saving. - **Date/time ranges:** Viewing log data can be daunting due to sheer volume. The UI has a convenient date picker to set the time-bound log retrieval window. - **Filtering:** We’ve introduced a simple search box for filtering. Its simplicity does not take away from its power as the search accepts Lucene syntax (a subset) for advanced querying of logs. Now, retrieving all write operations is as easy as typing request.operation:"Write" into the search box. - **Sorting:** The UI supports standard sorting of fields for ascending and descending ordering of data, used in situations, for example, when quickly needing to toggle between seeing “newest first” or “oldest first” log data. For more details, refer to Auth0 FGA’s [logging](https://docs.fga.dev/fga-logging) documentation. https://auth0.com/changelog#6Kmd70H7bziDh3wpJ1ofSG Fri, 30 Jan 2026 00:00:00 GMT We are pleased to announce that __API Access Policies for Applications__ is now Generally Available (GA) for all Auth0 customers. This feature allows you to specifically control which applications can request access tokens for your APIs, covering __both user and machine-to-machine access__. Previously available only via the Management API, these __policies can now be fully configured directly within the Auth0 Dashboard__. The new UI allows you to easily visualize and manage permissions per API, ensuring that only authorized applications can access sensitive resources. __Key Benefits__: - __Granular Control__: Define distinct access policies for user access vs. machine-to-machine access. - __Enhanced Security__: Use the `require_client_grant` policy to ensure only explicitly authorized applications can obtain tokens for the subset of allowed permissions. - __Simplified Management__: Configure these settings visually through the new Dashboard UI. To learn more, navigate to Applications > APIs > Application Access in the dashboard or read our [reference docs](https://auth0.com/docs/get-started/apis/api-access-policies-for-applications).  https://auth0.com/changelog#5KLqJ24PwGJRs8qputOEkL Fri, 30 Jan 2026 00:00:00 GMT We’ve integrated Organization Discovery by Domain into the Self-Service SSO workflow, eliminating manual backend configuration and providing a seamless login experience for your enterprise users. __Zero-Touch Discovery__ Previously, verifying a domain only configured the SSO connection. Now, when a ticket is scoped to a single Organization, verified domains are automatically synced to the Organization record. This enables [Organization Domain Discovery](https://auth0.com/docs/manage-users/organizations/login-flows-for-organizations#organization-domain-discovery-optional "Organization Domain Discovery") instantly, allowing end-users to log in with just their email address. __Key Enhancements:__ - Verify One, Apply Everywhere: Verified domains are added to both the Connection and the Organization simultaneously. - Domain Association: If a domain was previously verified for an Organization, customers can now simply associate it with a new connection, skipping repeat DNS TXT steps. - Deterministic Routing: By gating this to a 1:1 mapping, we ensure users are routed to the correct IdP every time. Learn more about Self-Service SSO in the [product documentation](https://auth0.com/docs/authenticate/enterprise-connections/self-service-SSO "product documentation"). By using Self-Service SSO Domain Verification for Organization Discovery by Domain, you agree to the applicable Free Trial terms in Okta’s Master Subscription Agreement and Okta’s Privacy Policy during use of the Early Access feature. The Free Trial terms can be found within the Master Subscription Agreement at [https://www.okta.com/agreements](https://www.okta.com/agreements "https://www.okta.com/agreements"). https://auth0.com/changelog#3gORrQiUn2cmxZp3UPwRLN Fri, 30 Jan 2026 00:00:00 GMT We’re excited to announce that Google Workspace User Directory Sync is now generally available! This feature keeps Auth0 user profiles up to date by syncing users from your Google Workspace directory into Auth0 - so user profile updates don’t depend on login events. __Key highlights of this release:__ - __Dashboard configuration__: Enable and manage inbound user directory sync directly from the Auth0 Dashboard on your Google Workspace enterprise connection (including attribute mapping, automated sync, and manual sync). - __Management API support__: Programmatically enable, configure, and run inbound user directory sync using the Management API Connections endpoints. - __Self-Service SSO experience__: Your customers’ IT teams can configure Google Workspace inbound directory sync alongside SSO and SCIM provisioning, and manage user onboarding/offboarding directly. __Learn more:__ - [Sync Google Workspace Users to Auth0 with Directory Sync](https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/google-directory-sync) - [Management API Connection Endpoints](https://auth0.com/docs/api/management/v2/connections/post-directory-provisioning)  https://auth0.com/changelog#495lZtEV5GFvXCEEOTmXpQ Fri, 30 Jan 2026 00:00:00 GMT We are excited to release the __Per-Member Authorization__ feature that introduces __roles__ to the FGA Dashboard! This allows you to grant appropriate levels of access based on users’ needs. We are enhancing the permission model from a single admin to __Groups__ that can be assigned roles. Groups are an organizational container for managing permissions and offer convenience when assigning roles to multiple users at once. - __New Roles__: We are introducing three new granular roles to sit alongside the previous admin role (now renamed __Account Owner__): - __Group Manager__: An account-level role for managing teams without accessing FGA stores directly. - __Store Editor__: A store-level role that can modify models and tuples but cannot manage groups. - __Store Viewer__: A read-only role useful for ops teams or sales engineers who need visibility without the ability to impact systems. - __Groups__: Account Owners or Group Managers can create groups (ex., "IT Group" or "Dev Team") and assign members to them. All members automatically inherit the permissions defined at the group level. - __Scoping__: Crucially, these roles can be scoped to specific stores. For example, this allows a single user, to be an Editor for a "Staging" store but restricted to Viewer for a "Production" store. For more details, refer to Auth0 FGA Dashboard’s [Roles](https://docs.fga.dev/dashboard/roles) documentation. https://auth0.com/changelog#2FC37fwfuoG9VdrUyt74jt Fri, 30 Jan 2026 00:00:00 GMT We’re pleased to announce that support for Groups within Auth0’s [Inbound SCIM for Enterprise Connections](https://auth0.com/docs/authenticate/protocols/scim/configure-inbound-scim) feature is now in limited early access! This release is useful for developers that support users and groups natively in their applications, and need to support integrations with Enterprise identity providers that use SCIM 2.0 to remotely manage these users and groups. __New group capabilities added:__ - __SCIM groups endpoint per connection__ - Each Enterprise connection gets dedicated SCIM */users* and */groups* endpoints and dedicated credentials that enable provisioning, de-provisioning, and management of the users and groups specific to that connection. - __Sync groups from Auth0 to external systems__ - Users and groups provisioned inbound to Auth0 can be synchronized outbound to external systems using Auth0’s [Event streams](https://auth0.com/docs/customize/events) feature. - __Use groups in the Post-Login Action__ - Use group information pushed from Enterprise identity providers in your Auth0 [post-login actions](https://auth0.com/docs/customize/actions/explore-triggers/signup-and-login-triggers/login-trigger) to make access control and authorization decisions in Auth0. - __View groups in the Auth0 Dashboard__ - All groups provisioned using SCIM can be viewed in the Auth0 Dashboard under a new Enterprise Groups tab, as well as per user under the Users section. __How to get access__ To join the Limited EA program and access SCIM Groups for Enterprise connections, complete the [EA Terms & Conditions form](https://docs.google.com/forms/d/e/1FAIpQLSeGhlEuXSm4hqrP9DZgeEWtntUHCSzqCpKC_yiK2ISIUubsGg/viewform) and contact your Auth0 Account Team to request activation and supporting documentation. https://auth0.com/changelog#6osxJFJUB5gsCePUpSanRQ Wed, 28 Jan 2026 00:00:00 GMT We’re excited to introduce __Universal Custom Password Hash__ in Limited Early Access (EA), enabling user migrations into Auth0 without disrupting sign-ins - even when your existing system uses custom or legacy password formats. With __Universal Custom Password Hash__ you can bring existing users over through [Bulk Import](https://auth0.com/docs/manage-users/user-migration/bulk-user-imports) and use [Auth0 Actions](https://auth0.com/docs/customize/actions) to script custom password validation logic for your environment so users can continue signing in with their current credentials. __Key Capabilities:__ - __Support for custom password formats during migration__: Migrate users from legacy and proprietary systems while maintaining the existing sign-in experience. - __Custom validation logic with Auth0 Actions__: Write and deploy password validation logic that matches your current security architecture using Actions. - __Seamless end-user experience__: Users continue to sign in as usual - less password resets and less support tickets means reduced rollout friction. - __Built for enterprise migrations__: Designed for complex environments where password handling varies across regionals, applications, or historical platforms. __Why It Matters:__ - Accelerate migrations by reducing friction and avoiding user disruption. - Lower helpdesk load by minimizing password reset spikes during cutover. - Increase confidence in large-scale rollouts with flexible support for legacy password formats. __How to Join EA:__ Universal Custom Password Hash is available through Limited Early Access enrollment. To request access and supporting documentation, contact your Auth0 Account Team and complete the Limited EA Terms & Conditions process. https://auth0.com/changelog#3WMgdBcHEtaUv3ITFGRvX1 Wed, 21 Jan 2026 00:00:00 GMT The `enabled_clients` field, within the connection object, is deprecated in the following scenarios: * [Retrieving multiple connections](https://auth0.com/docs/api/management/v2/connections/get-connections) using (GET - `/api/v2/connections`). * [Retrieving a connection](https://auth0.com/docs/api/management/v2/connections/get-connections-by-id) using (GET - `/api/v2/connections/{id}`). * [Updating a connection](https://auth0.com/docs/api/management/v2/connections/patch-connections-by-id) using (PATCH - `/api/v2/connections/{id}`). As an alternative to the deprecated functionality, two new Management API endpoints are available: * [Get enabled clients for a connection](https://auth0.com/docs/api/management/v2/connections/get-connection-clients). * [Update enabled clients for a connection](https://auth0.com/docs/api/management/v2/connections/patch-clients). We have provided additional information and timelines for enforcing this change across tenants through a dashboard and support center [notification](https://support.auth0.com/notifications/696687215149fab1c3f27f81). It is important to note that when creating a new connection via the (POST - `/api/v2/connections`) endpoint, the `enabled_clients` field remains supported. https://auth0.com/changelog#6JOR803jeYagZmFxNkpcPs Mon, 19 Jan 2026 00:00:00 GMT As part of our Continuous Session Protection, you can now configure ephemeral (non-persistent) sessions using Actions. This allows enterprise customers to dynamically control whether a session is stored in a persistent cookie or only in memory. Ephemeral sessions: * Exist only in memory and are cleared when the browser or app is closed. * Are ideal for high-sensitivity workflows such as step-up authentication or use on public devices. * Can be configured per session using `api.session.setCookieMode("non-persistent")` in post-login Actions. This feature, previously in Early Access, is now in **General Availability** and available to all Enterprise tenants. **Learn more:** * [Set Session Persistence with Actions](https://auth0.com/docs/manage-users/sessions/manage-sessions-actions#set-session-cookie-persistence-with-actions) * [Session Lifecycle](https://auth0.com/docs/manage-users/sessions/session-lifecycle) * [Use Ephemeral Sessions with Actions to configure Keep Me Signed In](https://auth0.com/docs/manage-users/sessions/configure-keep-me-signed-in-sessions) https://auth0.com/changelog#WzmksMvHw7MYfW42pVsBb Mon, 22 Dec 2025 00:00:00 GMT We are pleased to announce the expanded availability of __Auth0 Private Cloud on Microsoft Azure__, now supporting the __30x and 30x Burst__ performance tiers. This update enables enterprise organizations to leverage high-scale, dedicated identity infrastructure while maintaining their commitment to the Azure ecosystem. __Performance at Scale__ - __30x__ - Sustained Capacity: 3,000 RPS - Peak Burst Capacity: 3,000 RPS - Best for: Consistent, high-volume baseline traffic - __30x Burst__ - Sustained Capacity: 1,500 RPS - Peak Burst Capacity: 3,000 RPS - Best for: Variable traffic with high-intensity spikes __Why This Matters__ - __Compliance & Residency__: Deploy to the Azure region of your choice to satisfy localized data residency and compliance needs at scale. - __Financial Strategy__: Burn down your existing Microsoft Azure Consumption Commitments (MACC) by investing in the market-leading identity platform. - __Operational Excellence__: Benefit from a fully managed, dedicated instance that provides you infrastructure isolation and flexibility as you grow. __Get Started__ These tiers are available immediately for new and existing customers. Please visit [Auth0 documentation](https://auth0.com/docs/deploy-monitor/deploy-private-cloud/private-cloud-on-azure#private-cloud-on-azure) for more info. https://auth0.com/changelog#1hynzVRKqrPmoeALKcx5US Thu, 18 Dec 2025 00:00:00 GMT We’re excited to announce the __Open Early Access (EA) of Custom Token Exchange__. OAuth 2.0 Token Exchange allows to trade one security token for another (typically an Access Token). With Custom Token Exchange, you can __run Auth0 Actions as part of that exchange__, giving you a flexible way to inject custom logic and implement your own authentication and authorization semantics. This lets you validate and authorize the request, and precisely set the user for every token exchange transaction. Key highlights of this release: - Automatic Entitlement: The feature is now __automatically available to all Enterprise and B2B Pro customers__ to be used for testing and __production__ (no manual enablement required). - __Organizations Support__: Full compatibility with Organizations. You can now pass the `organization` parameter in the request or use the new `setOrganization` function within your Action. - Enhanced Security: Includes __Multi-Factor Authentication (MFA) support__ during the exchange.  To learn more, read the [reference documentation](https://auth0.com/docs/authenticate/custom-token-exchange). https://auth0.com/changelog#4lhB2wvkmckLOncrc71BJr Thu, 18 Dec 2025 00:00:00 GMT We're excited to announce a significant update to the Security Center, marking the first major enhancement since last year's introduction of Thresholds and Alerts! These new capabilities drastically improve your ability to monitor, analyze, and respond to security threats with greater precision and speed. __What's New__: - __Granular Filtering by Applications and Connections__: You can now filter security metrics within the Overview and Threat Monitoring pages by specific applications and connections. This allows for a more detailed examination of your tenant traffic, enabling faster incident triage and more effective troubleshooting by visualizing subsets of data. - __Deeper Insights into Top Threat Behaviors__: We've introduced new charts to highlight the top 5 connections and IPs associated with various security metrics. These groupings provide quick insights into potential anomalies and common threat behaviors, empowering you to identify and address risks more efficiently. - __Consolidated Threat Monitoring View__: The Threat Monitoring page has been revamped to offer a more intuitive and unified experience. This updated view, combined with the new filtering options by application and connection, streamlines your ability to track and respond to threats effectively. These enhancements are available on all public cloud envirovments and gradually rolling out to private cloud environments. Explore the updated [Security Center](https://auth0.com/docs/secure/security-center) today to take control of your security insights and strengthen your security posture! https://auth0.com/changelog#Qu4slJXGZVsPh339UCCEE Wed, 17 Dec 2025 00:00:00 GMT The MyAccount API Explorer now has an updated experience! Using MyAccount API, customers can build self-service management experiences at scale, powered directly from their applications. To learn more about the MyAccount API feature, [click here](https://auth0.com/docs/manage-users/my-account-api). The improved MyAccount API Explorer experience includes: - modernization of the look & feel - interactivity between the response schema and response example - full endpoint URL readily available to copy - ability to quickly navigate to other API Explorers Navigate to: https://auth0.com/docs/api/myaccount to try it out! https://auth0.com/changelog#6M0qaJ4knbbaUK9QdVLH7N Wed, 17 Dec 2025 00:00:00 GMT We’re excited to announce that we added __Flows Auth0 Send Email Action__! This new feature allows you to send emails from Flows using the customized Email Provider at your Auth0 Tenant.  What's new: - __Email Providers:__ take advantage of the [supported email providers](https://auth0.com/docs/customize/email/smtp-email-providers) that can be configured at your Auth0 Tenant. - __Custom Email Provider:__ write custom code to send your emails to unsupported email providers using the [Custom Email Provider Action](https://auth0.com/docs/customize/email/configure-a-custom-email-provider). - __Custom Properties:__ customize the [settings](https://auth0.com/docs/customize/forms/flows/integrations/auth0#input-settings-5) for the outgoing emails including sender, recipient, subject, message, and variables. - __Liquid Syntax:__ use [Liquid syntax](https://auth0.com/docs/customize/email/email-templates/use-liquid-syntax-in-email-templates) at your email subject and message. https://auth0.com/changelog#5efx3H1Sj4jmt2Ecjbrua9 Mon, 15 Dec 2025 00:00:00 GMT To ensure the highest security standards for your identity infrastructure, we are retiring specific weak TLS 1.2 cipher suites. This change affects all connections to Auth0 service endpoints and web applications, specifically: - __Tenant Domains__: All default (e.g., [tenant].auth0.com) and Custom Domains for both Public and Private Cloud. - __Auth0 Tools__: The Dashboard (manage.auth0.com), Marketplace, and Support Center. - __Infrastructure__: The Auth0 CDN. __Cipher Suites Scheduled for Removal__: The following ciphers are being deprecated. For cross-reference, we have provided the unique Hex Code, IANA name, and a link to the OpenSSL equivalent. * `0xC0,0x09` - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (https://ciphersuite.info/cs/TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA/) * `0xC0,0x0A` - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (https://ciphersuite.info/cs/TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA/) * `0xC0,0x23` - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (https://ciphersuite.info/cs/TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256/) * `0xC0,0x24` - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (https://ciphersuite.info/cs/TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384/) * `0xC0,0x13` - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA/) * `0xC0,0x14` - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA/) * `0xC0,0x27` - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256/) * `0xC0,0x28` - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384/) * `0x00,0x9C` - TLS_RSA_WITH_AES_128_GCM_SHA256 (https://ciphersuite.info/cs/TLS_RSA_WITH_AES_128_GCM_SHA256/) * `0x00,0x2F` - TLS_RSA_WITH_AES_128_CBC_SHA (https://ciphersuite.info/cs/TLS_RSA_WITH_AES_128_CBC_SHA/) * `0x00,0x9D` - TLS_RSA_WITH_AES_256_GCM_SHA384 (https://ciphersuite.info/cs/TLS_RSA_WITH_AES_256_GCM_SHA384/) * `0x00,0x35` - TLS_RSA_WITH_AES_256_CBC_SHA (https://ciphersuite.info/cs/TLS_RSA_WITH_AES_256_CBC_SHA/) * `0x00,0x3C` - TLS_RSA_WITH_AES_128_CBC_SHA256 (https://ciphersuite.info/cs/TLS_RSA_WITH_AES_128_CBC_SHA256/) * `0x00,0x3D` - TLS_RSA_WITH_AES_256_CBC_SHA256 (https://ciphersuite.info/cs/TLS_RSA_WITH_AES_256_CBC_SHA256/) Additional information is available through the Auth0 dashboard and Support Center [notification](https://support.auth0.com/notifications/6939a866455870ad4537976d). https://auth0.com/changelog#71HvvdfH0QUOTJB9ZzrpLc Fri, 12 Dec 2025 00:00:00 GMT We are excited to announce that __Advanced Customizations for Universal Login (ACUL)__ is now generally available. ACUL enables developers to create custom, client-rendered user interfaces for Universal Login using their preferred frontend technologies. __Key capabilities in this release:__ * __Full Screen Parity:__ Support for customizing all Universal Login screens and flows, including Login, Signup, MFA, Password Reset, and more. * __New SDKs:__ Production-ready __React__ and __TypeScript__ SDKs to accelerate development. * NPM: [@auth0/auth0-acul-js](https://www.npmjs.com/package/@auth0/auth0-acul-js) | [@auth0/auth0-acul-react](https://www.npmjs.com/package/@auth0/auth0-acul-react) * GitHub: [auth0-acul-js](https://github.com/auth0/universal-login/releases/tag/auth0-acul-js-v1.1.0) | [auth0-acul-react](https://github.com/auth0/universal-login/releases/tag/auth0-acul-react-v1.1.0) * __Visual Editor:__ A new Dashboard UI for managing screen configurations and assets. * __Improved Developer Tooling:__ Major updates to Auth0 CLI to support scaffolding (auth0 acul init), local mocking, testing, and CI/CD deployments. * __Production-Ready Sample App:__ A robust sample repository featuring implementations of 34 authentication screens built with React 19 and Tailwind 4. ACUL allows you to leverage all the security benefits of Universal Login, such as bot protection and threat intelligence, while providing complete control over the visual presentation and user journey. [Read the Documentation](https://auth0.com/docs/customize/login-pages/advanced-customizations) https://auth0.com/changelog#5pjJwHzDjb3Dp91OVbSnlS Wed, 10 Dec 2025 00:00:00 GMT We’re excited to announce that Google Workspace User Directory Sync is now available in Limited Early Access (EA) with major enhancements to configuration, usability, and performance. This feature automatically synchronizes users from your Google Workspace directory into Auth0 - ensuring user profiles stay accurate and up to date without relying on login events. __What’s New in EA:__ - __Management Dashboard Support:__ You can now enable and configure Google Workspace Directory Sync directly from the Auth0 Management Dashboard. - __Integrated with Self-Service SSO:__ We’ve expanded the Self-Service SSO Provisioning flow to include Google Workspace Directory Sync alongside SCIM. Your customers’ IT teams can now configure SSO, SCIM provisioning, and Google Workspace Directory Sync through a unified setup flow, and manage user onboarding/offboarding directly, with less manual work for you. - __Performance Improvements:__ Backend optimizations reduce sync latency and ensure stable performance under high load. __Why It Matters:__ - Eliminates reliance on user login events for updating user data in Auth0 - Reduces identity drift and accelerates user lifecycle management - Delegates Directory Sync setup to your customers’ IT administrators. __How to Join EA:__ To join the Limited EA program and access Google Workspace User Directory Sync, complete the [EA Terms & Conditions form](https://forms.gle/evWKYGQeML9b7zSs9) and contact your Auth0 Account Team to request activation and supporting documentation. https://auth0.com/changelog#14aKLOPk3BgCLwFuyG9fsp Wed, 10 Dec 2025 00:00:00 GMT This new Token Vault capability allows Client Applications to obtain access tokens from third-party APIs (resource servers), through an authorization flow that is coordinated by a common Identity Provider implementing the [Identity Assertion Authorisation Grant](https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-assertion-authz-grant/) standard. This new standard enables requesting applications such as AI Agents to obtain access tokens where user consent is managed by policy at the Identity Provider. To evaluate the Requesting App for Cross App Access, please contact Auth0. For more details, see the [product documentation](https://auth0.com/docs/secure/call-apis-on-users-behalf/xaa). https://auth0.com/changelog#7oAdYxc0jsCVdQHqDBQ13R Fri, 05 Dec 2025 00:00:00 GMT We are excited to announce the release of __Auth0.Aspnetcore.Authentication.Api__, a new official SDK designed to streamline authentication and security for ASP.NET Core backend applications. __Key Benefits:__ - __Supports .NET 8.0+__ and built for the modern "middleware" pattern. Developers can now secure an API with a single line: builder.Services.AddAuth0ApiAuthentication(...). - __Abstracts the complexity of JWT validation__. Developers no longer need to write fragile boilerplate code to check Audiences or Issuers. The SDK enforces security best practices out of the box. - __Supports DPoP__ with flexible enforcement modes (Allowed, Required, Disabled). Enterprise customers can now enforce a higher level of security with minimal code changes. __Getting Started:__ - [Quickstart](https://auth0.com/docs/quickstart/backend/aspnet-core-webapi) - [Official Repo](https://github.com/auth0/aspnetcore-api) - [Examples](https://github.com/auth0/aspnetcore-api/blob/master/EXAMPLES.md) https://auth0.com/changelog#T06vwxUfZAHLuFWYhR3AM Thu, 04 Dec 2025 00:00:00 GMT **Adaptive MFA** now allows administrators to configure **device remembrance durations (TTL)** for the **New Device assessor**. The **default remains at 30 days**, but can now be customized to any value between **1–365 days**. When users log in successfully on a remembered device, that device’s TTL automatically refreshes to the currently configured value. This enhancement provides greater flexibility to balance **security and user convenience**, helping teams align device remembrance with organizational policies and login patterns. Configuration is available through both the **Dashboard** and the **new Adaptive MFA Management API endpoints**, enabling automated setup and management of device remembrance. Learn more about configuration options in our [Adaptive MFA documentation](https://auth0.com/docs/secure/multi-factor-authentication/adaptive-mfa/enable-adaptive-mfa#enable-adaptive-mfa). For details on the new Adaptive MFA Management API endpoints, visit the [Risk Assessment API documentation](https://auth0.com/docs/api/management/v2/risk-assessments/get-risk-assessments-settings). https://auth0.com/changelog#13WwjMh6BIBKhKU4GsbFBu Mon, 24 Nov 2025 00:00:00 GMT We’re pleased to announce that Express Configuration with Okta is now generally available for Auth0 applications in the [Okta Integration Network](https://www.okta.com/integrations/)! Express Configuration automates how your enterprise customers using Okta set up identity integrations with your Auth0 application. This includes configuring OpenID Connect (OIDC) for single sign-on, System for Cross-domain Identity Management (SCIM) for automated user onboarding and offboarding, and Global Token Revocation (GTR) for centralized session management with Universal Logout. To learn more about Express Configuration with Okta, click [here](https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/okta/express-configuration). This feature is available immediately in all public cloud environments, and will be rolled out to private cloud environments as per their release pipeline. https://auth0.com/changelog#4mra6BpFrAGNhNAc4jdPHK Thu, 20 Nov 2025 00:00:00 GMT We are thrilled to announce a major milestone: the General Availability (GA) of **Auth0 for AI Agents!** [Auth0 for AI Agents](https://auth0.com/ai) is a suite of features to empower developers to build secure agentic applications and experiences. The solution suite includes updates to: **Token Vault** for secure token based access to third-party APIs and applications; and **Asynchronous Authorization** for user approvals to keep the human in the loop for sensitive agent actions. Here are some highlights of the latest updates to the solution suite: - A new connected accounts flow (with connection purpose) to easily establish federated connections, initiated by client applications. - Support for Microsoft Entra (Azure AD) and Google Workspace as enterprise connected accounts. - Support exchanging a first-party access token for a third-party access token at the Token Vault. - Send notifications for asynchronous authorization flows using email or the Guardian App, with client initiated backchannel authentication (CIBA). - Revamped Quickstarts and SDKs to delight developers. - Pricing and packaging for Essential, Professional, and Enterprise plans. You can read more about the solution suite and the component features in the [Auth0 for AI documentation](https://auth0.com/ai/docs). https://auth0.com/changelog#4Q5cGgm4BEO4yaUyRs6ndj Tue, 18 Nov 2025 00:00:00 GMT Auth0 is thrilled to announce that __Auth for MCP__ is officially in Early Access! This release extends the power of Auth0’s standards-based authorization platform to the Model Context Protocol (MCP), securing your MCP servers, MCP clients, AI agents and the APIs they interact with. With Auth for MCP, Auth0 integrates OAuth 2.1 and OpenID Connect directly into the MCP ecosystem, ensuring consistent access control and auditability across every agentic interaction. Key capabilities include: - MCP Server Authorization: Protect your MCP Servers by leveraging Auth0’s Universal Login to authorize access. You can leverage social, enterprise, and custom identity providers with full support for MFA and advanced attack protection. - Standards-based discovery and registration: Allow MCP clients and servers to automatically discover authorization endpoints and dynamically register with Auth0. This removes manual setup and ensures consistent configuration across your environment. - Leveraging your Existing APIs: Enable MCP clients to securely call internal APIs on behalf of users using short-lived, purpose-scoped tokens. - Connecting to Third party APIs using Token Vault: Securely store, refresh, and revoke access tokens for third-party APIs. This lets your MCP applications act on behalf of users across external SaaS systems like Google, Microsoft, GitHub, and more. - Developer-ready integration: Explore quickstarts, guides, and sample apps to easily implement Auth for MCP. Auth0 provides ready-to-use examples for securing your MCP server, calling APIs on users’ behalf, and using the Token Vault with JavaScript or Python SDKs. - MCP Spec Compliance: Works with Auth0’s Resource Parameter Compatibility Profile and token dialect rfc9068_profile_authz, ensuring that access tokens include the permissions claim required for authorization in MCP. This Early Access release allows developers to unify authorization across MCP clients, servers, and tools, improving governance of agent actions. Auth for MCP is available today in Early Access. To participate, please submit the [Early Access Form](https://docs.google.com/forms/d/e/1FAIpQLSferoMH9K1ZasfOqXVByCwwKoL4qOidCIdOtpHXMzUcUibGOQ/viewform) and/or contact your Auth0 Technical Account Manager. For setup instructions, SDKs, and sample applications, and more, visit the [Auth for MCP documentation](https://auth0.com/ai/docs/mcp/intro/overview). https://auth0.com/changelog#2MLI247jm7qFZrxNSAJJMf Tue, 18 Nov 2025 00:00:00 GMT We’ve refined the logic behind how Security Center metrics are calculated to provide more accurate and actionable insights. Metrics now reflect IP activity using the following logic: When an IP address triggers more than 10 relevant events for a given metric within a single hour, it will now be counted toward that metric. This update ensures greater consistency and reliability across event-based metrics within the Security Center. For more details on which metrics are affected and their updated definitions, see the [Security Center Metrics documentation](https://auth0.com/docs/secure/security-center/metrics) https://auth0.com/changelog#1rIcvUQxpYkR8Le0zW9yo7 Thu, 13 Nov 2025 00:00:00 GMT We are thrilled to announce a significant expansion of capabilities within the Multiple Custom Domains (MCD) Early Access program for Enterprise customers. This update delivers powerful branding and white-labeling capabilities with improved flexibility to scale your identity solution from a single Auth0 tenant. - Search and filter custom domains via Management APIs and Dashboard to simplify administration. - Pixel-perfect branding using ACUL to associate unique asset bundles directly with individual custom domains. - Ensure brand consistency by customizing Email and Phone Templates based on the custom domain context. - Build tailored, conditional logic using the custom domain name and metadata directly within Actions. Please refer to Auth0 docs for details - [Multiple Custom Domains](https://auth0.com/docs/customize/custom-domains/multiple-custom-domains). These updates are available automatically to the current participants in MCD Early Access program. If you're interested in joining the MCD Early Access program, please send a request through the [Auth0 Support Center](https://support.auth0.com/center/s/) and contact your Technical Account Manager (TAM) or Auth0 Sales Executive. https://auth0.com/changelog#KNla4yWuL2eEHiYX60swb Wed, 12 Nov 2025 00:00:00 GMT Auth0 now provides Management API endpoints to manage Bot Detection configuration! __Key Capabilities:__ __Bot Detection Controls:__ Automate adjustments to the Bot Detection Level (low, medium, or high) and manage your trusted IP AllowList via API. __Challenge Policies:__ Programmatically control CAPTCHA enforcement for password, passwordless, and password reset flows (options: always, when risky, or never). __CAPTCHA Management:__ Fully manage your CAPTCHA provider selection and configuration, including Auth0’s native challenge or third-party solutions. To learn more about the new Bot Detection API endpoints check out our online documentation [here](https://auth0.com/docs/api/management/v2/attack-protection/get-bot-detection) https://auth0.com/changelog#4IIvynXfhRzUq01YELrRg4 Wed, 12 Nov 2025 00:00:00 GMT Auth0 has added a __Dynamic Client Registration (DCR)__ scope to the __Tenant Access Control List (ACL)__. This enhancement allows administrators to control access to the /oidc/register endpoint based on a variety of network and client signals, helping prevent unauthorized or automated client creation. Configuration is available via the __Management API__. Learn more about our __Tenant Access Control List__ in our online documentation found [here]("https://auth0.com/docs/secure/tenant-access-control-list") https://auth0.com/changelog#3c5qVcNRPE30dQBH9rqG5C Wed, 12 Nov 2025 00:00:00 GMT We are excited to announce that __Actions Types__ is now available at [__npmjs @auth0/actions__](https://www.npmjs.com/package/@auth0/actions "Actions NPM package"). This NPM library currently facilitates TypeScript definitions for Auth0 Actions. Developers can use this library for: - __IDE / Code Editor Assistance:__ By referencing this library, IDEs and code editors can help developers coding with autocompletion, object and functions definitions, and error checking. - __TypeScript Development:__ This library enables Actions development using TypeScript which then can be built and deployed to Actions as Common JS. - __Unit Testing Improvements:__ This library allows developers to follow best practices and to improve their Unit Testing based on TypeScript definitions. - __AI Actions Generation:__ Gives AI assisted IDEs the context they need to generate more accurate and secure Actions code. **Docs:** Learn more at [Actions NPM Docs](https://auth0.com/docs/customize/actions/actions-npm "Actions Types Docs") and [Actions Unit Test Docs](https://auth0.com/docs/customize/actions/actions-unit-test "Actions Unit Test Docs"). https://auth0.com/changelog#1g7Si9zf4VnEOC3Na7zxGR Fri, 07 Nov 2025 00:00:00 GMT As part of Continuous Session Protection, you can now attach custom key–value data to a user’s session using Actions or the Auth0 Management API. This allows enterprise customers to persist contextual data (such as device name, organization ID, or custom flags) throughout the session lifecycle. **Session Metadata:** Enables storing and retrieving custom metadata directly within Auth0 sessions Can be set in Post-Login Actions using `api.session.setMetadata(key, value)` and accessed through `event.session.metadata` Is available via the Management API for reading, updating, or evicting metadata during the session’s lifetime Can be automatically included in OIDC Back-Channel Logout tokens, enabling downstream systems to receive the same metadata context This feature expands session extensibility, allowing richer integrations, stronger audit trails, and personalized session behavior across applications. **Availability:** Session Metadata is available to Enterprise tenants in Early Access. To enable this feature, reach out to your Technical Account Manager or open a Support Ticket. Learn more: [Session Metadata Documentation](https://auth0.com/docs/manage-users/sessions/session-metadata) https://auth0.com/changelog#4Nd7A8REfdfFDRaJatKrOF Tue, 04 Nov 2025 00:00:00 GMT We’re excited to introduce Google Workspace User Directory Sync, now available as part of our Beta program. This feature allows organizations to automatically synchronize users from their Google Workspace directory into Auth0 - ensuring user data stays accurate and up to date without relying on login events. __What’s New:__ - __Automated user synchronization:__ Automatically sync user profiles from your Google Workspace Enterprise connection into Auth0. - __Flexible sync cadence:__ Choose between manual on-demand syncs or automatic syncs that run every 30 minutes. - __Custom attribute mapping:__ Map Google Workspace user attributes to Auth0 user profile fields for full control over data consistency. - __Management API support:__ Configure, update, retrieve, or delete your Directory Sync settings programmatically - with Postman collection templates included. __Why It Matters:__ This enhancement eliminates the need for users to log in before their profiles are updated in Auth0, reducing data drift and simplifying identity lifecycle management. __How to Get Started:__ To join the Beta program and access Google Workspace User Directory Sync, complete the Beta Terms & Conditions [form](https://forms.gle/aargNxY1cwmsQv4z5) and contact your Auth0 Account Team to request activation and supporting documentation. https://auth0.com/changelog#plEKpbkUrXopryqGwRITI Mon, 03 Nov 2025 00:00:00 GMT Auth0's Private Cloud footprint is expanding again, this time to the AWS Asia Pacific __Thailand Region!__ This launch plants our secure identity infrastructure in the heart of one of Southeast Asia's largest digital economies. Customers in the region can now leverage this new presence for significantly reduced latency and enhanced performance. It also provides a robust, in-country solution for organizations managing their data governance and sovereignty objectives. We are excited to support the rapid growth of Thailand's booming e-commerce, fintech, and digital service sectors with this new deployment. https://auth0.com/changelog#70GXiAO3CNCFXFMoixP4H9 Mon, 03 Nov 2025 00:00:00 GMT Login flows initiated in the context of client applications associated with business users (`organization_usage=require`) and configured to prompt for the organization at the start of the login flow (`organization_require_behavior=pre_login_prompt`) will consider an existing authenticated session and allow single sign-on (SSO). The previous behavior where these flows disregarded SSO is deprecated. We have provided additional information and timelines for enforcing this change across tenants through a dashboard and [support center notification](https://support.auth0.com/notifications/6904f0f1b6ffc7703507bccf). https://auth0.com/changelog#82DJ9Ae7NcArO8KVTfY1F Fri, 31 Oct 2025 00:00:00 GMT We’re excited to announce __Organization Discovery by Domain__, a new capability that makes enterprise login smarter and more seamless. Together with __Prompt for Organizations__, it automatically identifies a user’s Organization before authentication, using either their email or organization name — eliminating the need for guessing, manual routing, or dealing with misspellings. __Smarter Login Experience__: Users can now enter either their organization name or work email on the __Prompt for Organization__ screen. If the Organization has a verified domain, Auth0 detects the Organization instantly, loads the correct branded login, and routes the user to the right IdP. __Verified Domains__: Tenant admins can now associate one or more verified domains with each Organization using the new Domains tab. Verified domains power automatic organization detection and ensure HRD (Home Realm Discovery) runs only against that Organization’s enabled connections. __Unified Enterprise Login Flow__: This update enhances the __Prompt for Organization__ experience for both __Business__ and __Both__ (Business + Individual) *app types*, unifying login flows across personal and enterprise users. __Availability__: Rollout is happening now. No opt-in required, it’s ready as soon as it appears in your tenant. Learn more about [Organization Discovery by Domain](https://auth0.com/docs/manage-users/organizations/create-first-organization#configure-organization-domains "Organization Discovery by Domain") in our product documentation. By using Organization Discovery by Domain, you agree to the applicable Free Trial terms in Okta’s Master Subscription Agreement and [Okta’s Privacy Policy](https://www.okta.com/privacy-policy/?_gl=1*skku8u*_gcl_aw*R0NMLjE3NjA0NTQ3MTkuQ2owS0NRanc2YmZIQmhETkFSSXNBSUdzcUxnSmhnX09rU2tuWmV1WFdPU3pMNTNIZXhDRDUxVlhEaVU2ZnZ2R3NPSlBiZlpGLWJaQ3N4OGFBbk13RUFMd193Y0I.*_gcl_au*MTI4ODcyNDQ5Ni4xNzU2ODQwNjA1*_ga*NDE0MDA3OTE4LjE3MDUwNzM0OTQ.*_ga_QKMSDV5369*czE3NjA3MDA5NzYkbzQ0MyRnMCR0MTc2MDcwMDk3NyRqNTkkbDAkaDA. "Okta’s Privacy Policy") during use of the Early Access feature. The Free Trial terms can be found within the Master Subscription Agreement at [Legal Agreements | Okta](https://www.okta.com/agreements?_gl=1*skku8u*_gcl_aw*R0NMLjE3NjA0NTQ3MTkuQ2owS0NRanc2YmZIQmhETkFSSXNBSUdzcUxnSmhnX09rU2tuWmV1WFdPU3pMNTNIZXhDRDUxVlhEaVU2ZnZ2R3NPSlBiZlpGLWJaQ3N4OGFBbk13RUFMd193Y0I.*_gcl_au*MTI4ODcyNDQ5Ni4xNzU2ODQwNjA1*_ga*NDE0MDA3OTE4LjE3MDUwNzM0OTQ.*_ga_QKMSDV5369*czE3NjA3MDA5NzYkbzQ0MyRnMCR0MTc2MDcwMDk3NyRqNTkkbDAkaDA. "Legal Agreements | Okta"). https://auth0.com/changelog#7jDniG64OodylRHrA3YCVb Fri, 31 Oct 2025 00:00:00 GMT We've enhanced the [Auth0 FGA Write API](https://docs.fga.dev/api/service#/Relationship%20Tuples/Write) endpoint to help streamline imports and reduce errors. You can now use two new optional parameters: `on_duplicate: "ignore"`: This will gracefully skip any write operations for relationship tuples that already exist. `on_missing: "ignore"`: This will gracefully skip any delete operations for relationship tuples that do not exist. Previously, these common conditions would cause the entire Write request to fail. These new parameters prevent unnecessary failures, eliminating the need for complex client-side retry logic and improving import performance. This feature is available now via the API and our latest SDKs. Learn more about [Writing Tuples in FGA](https://docs.fga.dev/integration/update-tuples#05-ignoring-duplicate-or-missing-tuples) from our product documentation or [API Reference](https://docs.fga.dev/api/service#/Relationship%20Tuples/Write). https://auth0.com/changelog#BOjfz3jcAYdqAC2lDfhPi Wed, 29 Oct 2025 00:00:00 GMT Auth0 now supports Sign in with Shop, a new social login integration designed for Shopify merchants. This feature allows merchants to offer customers a familiar authentication option using their existing Shop accounts. This new integration provides: - Streamlined Experience: Customers can sign in using their existing Shop credentials, reducing friction and simplifying account access. - Consistent User Journey: Enables a unified sign-in experience for customers already accustomed to Shopify’s ecosystem. - Expanded Capabilities: Combines the trusted Shopify experience with Auth0’s advanced identity features — including enhanced security, single sign-on (SSO), customizable branding, and extensibility.  Get started today with our [quick start guide to connect your Shopify store](https://auth0.com/blog/how-to-connect-auth0-with-shopify-a-tech-quick-start-guide/) to Auth0 and our built-in [Sign in with Shop social integration](https://marketplace.auth0.com/integrations/shop). https://auth0.com/changelog#2ojmrILLb5p5UkkbJO8prj Tue, 28 Oct 2025 00:00:00 GMT We’ve improved our **machine learning (ML) model for signup** to deliver stronger protection against automated account creation while keeping friction low for legitimate users. > **Note:** This update applies **only to the signup flow**. There are **no changes** to the ML models used for bot detection in login or password reset flows. #### **Highlights of this update include** - **Expanded detection signals:** The model now leverages **user-agent–based signals**, such as operating system and browser version data, to more accurately distinguish between human and automated signup attempts. - **Smarter traffic classification:** An **updated labeling strategy** improves how the model differentiates between malicious and legitimate signup activity, helping it adapt more effectively to evolving attack patterns. - **Optimized sensitivity settings:** Adjusted detection thresholds capture a broader range of bot activity while maintaining a low false positive rate, ensuring a smooth experience for valid users. #### **What this means for you** These enhancements strengthen the signup protection capabilities of **Attack Protection**, enabling more effective detection of automated signup attempts without adding unnecessary friction for real users. The rollout is in progress for all **Enterprise customers with the Attack Protection add-on** and will complete over the coming weeks in line with individual release schedules. For configuration guidance or to learn more about protecting your signup flows, please refer to our [documentation](https://auth0.com/docs/secure/attack-protection/bot-detection) or contact your account team. https://auth0.com/changelog#6lnnjamoMl4gbeypvZ4gsC Tue, 28 Oct 2025 00:00:00 GMT To enhance security and mitigate risks of application impersonation and phishing attacks, we are **recommending the transition to HTTPS-based callbacks using [Android App Links](https://developer.android.com/training/app-links#android-app-links) and [Apple Universal Links](https://developer.apple.com/documentation/xcode/allowing-apps-and-websites-to-link-to-your-content) whenever possible**. In addition, we are introducing a **change in how the service handles custom URI schemes and loopback URI as callbacks**. More specifically, for authentication requests specifying a custom URI scheme or a loopback URI as the callback, we are introducing a **login confirmation prompt** used in scenarios that would previously return a response without requiring user interaction. For example, in a single sign-on (SSO) scenario, if authentication request requirements can be satisfied from an existing authenticated session, the service will display the new login confirmation prompt instead of seamlessly returning a response to the specified custom URI scheme / loopback URI callback. Additionally, authentication requests including `prompt=none` will be rejected when Applications use non-verifiable callback URIs and are configured to use the new login confirmation prompt. **Review the User Confirmation Prompt section of [Measures Against Application Impersonation](https://auth0.com/docs/secure/security-guidance/measures-against-app-impersonation) to learn more about the new prompt**. Tenants created before **October 15, 2025**, maintain the previous behavior as the default until **April 28, 2026**. After the October cutoff date, newly created tenants may default to displaying the new login confirmation prompt with some exceptions due to each environment's deployment schedule. For any tenant maintaining the previous behavior, we recommend you opt in beforehand to use the new behavior. Alternatively, you can opt out of using the additional confirmation prompt if strictly required. Additional **information on this situation is available at [Migrate to Custom URI Scheme Redirect End-User Confirmation](https://auth0.com/docs/troubleshoot/product-lifecycle/deprecations-and-migrations/non-verifiable-callback-uri-end-user-confirmation)**.  https://auth0.com/changelog#3TMMeLK9t0STvL3QpAGitY Mon, 27 Oct 2025 00:00:00 GMT As part of the [Early Access launch of Event Streams](https://auth0.com/changelog#4SmjmcbmVZgt1Zsn7JYF1V), there is now an Events Catalog explorer available in Auth0 Docs to better guide you on the details of each Event -- including examples. The Event Streams feature allows you to discover completed changes to Auth0 Users and Organizations as they happen. You can do this by: - Creating an Event Stream in the Manage Dashboard or the Management API - Configuring the Event Streams with the desired destination (Webhook or Amazon EventBridge) and selecting the events to receive View the new Event Catalog Explorer here: [https://auth0.com/docs/events/](https://auth0.com/docs/events/) Learn more about Event Streams here: [https://auth0.com/docs/customize/events](https://auth0.com/docs/customize/events) https://auth0.com/changelog#7y92FX6iRNAareczm4R5Y3 Fri, 17 Oct 2025 00:00:00 GMT __FGA Logging API Now Generally Available__ The Auth0 FGA Logging API is now Generally Available (GA). This dedicated endpoint provides a comprehensive audit trail for every interaction with the FGA system. You can now programmatically retrieve detailed logs for auditing, debugging, and monitoring. - __Strengthen Audit & Compliance__: Retrieve a complete audit trail for all public FGA APIs, including permission changes, access checks, and model updates, to verify who accessed resources and when. - __Accelerate Troubleshooting & Monitoring__: Gain granular insight into API operations to debug issues faster and proactively monitor for unusual activity. Use powerful Lucene query syntax to filter logs by user, IP address, status code, and more. - __Centralize Your Logs__: Easily export log data to your preferred SIEM, log management, or analytics tools to centralize your security and operational visibility. The FGA Logging API is available for all paid-tier customers. For more information, please read the [Auth0 FGA Logging API documentation](https://docs.fga.dev/fga-logging). https://auth0.com/changelog#7gWr2NaIsSpsQ5DHC8Hlic Thu, 16 Oct 2025 00:00:00 GMT The first public beta of the Auth0 Nuxt SDK is now available for developers building web apps on the __Nuxt__ framework! ### Key Highlights - __Idiomatic Nuxt 3 Experience:__ Simple, composable functions (useAuth0) that feel native to Nuxt developers, dramatically reducing time-to-first-login. - __Advanced Security Out-of-the-Box:__ We've included support for the latest security standards from day one, including PAR, RAR, and Backchannel Logout. - __Powerful API Authentication:__ Seamlessly obtain tokens for backend APIs using the TokenVault integration. ### Resources Here are the helpful resources to explore the new Nuxt SDK and get started: - [Quickstart](https://auth0.mintlify.app/docs/quickstart/webapp/nuxt) - [Examples](https://github.com/auth0/auth0-nuxt/tree/main/examples) This SDK is still in Beta and we need your feedback! Please share any feedback, questions or comments on [GitHub](https://github.com/auth0/auth0-nuxt). https://auth0.com/changelog#7B59wWrQCnGXj1QHpO5qoF Fri, 10 Oct 2025 00:00:00 GMT When validating [JWT assertions used for client application authentication](https://auth0.com/docs/get-started/authentication-and-authorization-flow/authenticate-with-private-key-jwt), **Auth0 will impose stricter requirements and accept only a tenant's issuer identifier as a single JSON string value in the "aud" (audience) claim**. The possibility of providing an "aud" claim with either one of the approaches listed below is deprecated, and at a future date will cause the service to consider such JWT assertions invalid: * A JSON array of strings, provided that one of the entries contains a valid issuer identifier or endpoint URL for the respective tenant and endpoint the client authenticates against. * A single JSON string representing a valid endpoint URL for the respective tenant and endpoint the client authenticates against. OIDC enterprise connections configured to use Private Key JWT in authenticated requests to the upstream identity provider will also be able to use the applicable issuer identifier represented as a JSON string in the "aud" claim included in JWT assertions. We have provided additional information and timelines for enforcing this change across tenants through a dashboard and [support center notification](https://support.auth0.com/notifications/68e3e29a45f175778e64b020). https://auth0.com/changelog#m3EtR1dodzd1wUyGwN5gX Fri, 10 Oct 2025 00:00:00 GMT We are excited to announce an improvement that makes it faster and easier for you to keep your firewall configurations up-to-date. Our __IP allow list for Auth0's Public Cloud regions__ is now available in a standardized, machine-readable format. This new format is designed to help you automate updates and ensure the most accurate configuration for your firewall. What this means for you: - __Automation__: You can now programmatically fetch and parse the list, eliminating the need for manual updates. - __Accuracy__: The structured data ensures you're always using the latest and most accurate IP addresses. - __Clarity__: The changelogs highlight specific additions and removals, so you can easily see what has been updated. You can access this information at: [https://cdn.auth0.com/ip-ranges.json](https://cdn.auth0.com/ip-ranges.json) For more details, please see our documentation on [IP allow list](https://auth0.com/docs/secure/security-guidance/data-security/allowlist). https://auth0.com/changelog#4YG7c1KgGcHBDKN5O198uP Wed, 08 Oct 2025 00:00:00 GMT We’re excited to announce the Early Access release of **Akamai Supplemental Signals**. This feature allows **Auth0 Enterprise customers who have Akamai configured as a reverse proxy** in front of Auth0 to forward signals from [**Akamai Bot Manager**](https://www.akamai.com/products/bot-manager) and [**Akamai Account Protector**](https://www.akamai.com/products/account-protector) into Auth0. With this integration, you can enrich your authentication flows with supplemental signals from Akamai and make more dynamic security decisions in post-login Actions and gain visibility through tenant logs. --- ### Key Benefits - **Combined Risk Context:** Leverage Akamai’s bot and user risk signals together with Auth0’s risk assessment for a more complete view of login risk. - **Adaptive Security Controls:** Combine Akamai and Auth0 risk signals to trigger MFA, deny sessions, or revoke access based on risk indicators. - **Seamless Integration:** Configure Akamai to forward signals and use them immediately in post-login Actions and tenant logs. --- ### Availability - Available to all **Enterprise customers using Akamai as a reverse proxy** in front of Auth0. - Currently in **Early Access**. --- ### Learn More - [Configure Akamai as a Reverse Proxy](https://auth0.com/docs/customize/custom-domains/self-managed-certificates) - [Configure Akamai to Send Supplemental Signals](https://auth0.com/docs/secure/attack-protection/configure-akamai-to-send-supplemental-signals) - [Use Akamai Supplemental Signals in Actions](https://auth0.com/docs/secure/attack-protection/use-akamai-supplemental-signals-actions) https://auth0.com/changelog#2ldfQCyYglA30MXDtNXcn Thu, 02 Oct 2025 00:00:00 GMT We’re thrilled to introduce the __Limited Early Access__ release of __Additional Signing Algorithm for Okta and OIDC enterprise connections__! This release expands flexibility for both __Private Key JWT client authentication__ and __ID token verification__ by adding support for stronger signing algorithms beyond RS256, including: - RS512 - PS256 - ES256 For Private Key JWT, Auth0 now lets you choose which algorithm is used to sign client assertion JWTs when authenticating requests to an upstream IdP. For ID token verification, Auth0 can validate tokens signed with a wider set of algorithms, ensuring compatibility across OIDC flows. Together, these enhancements give customers more control over cryptographic choices, making it easier to align with security policies and adapt as standards evolve This release is currently rolling out to all environments. To enable the Additional Signing Algorithms Limited Early Access release in your Auth0 tenant once available in your environment, please contact your Technical Account Manager to request access. https://auth0.com/changelog#39RZCNYZg2waEwr5fLhd7d Wed, 01 Oct 2025 00:00:00 GMT As part of the Continuous Session Protection, you can now configure ephemeral (non-persistent) sessions using Actions. This allows enterprise customers to dynamically control whether a session is stored in a persistent cookie or only in memory. Ephemeral sessions: - Exist only in memory and are cleared when the browser or app is closed - Are ideal for high-sensitivity workflows such as step-up authentication or use on public devices - Can be configured per session using `api.session.setCookieMode("non-persistent")` in post-login Actions This feature is available to all Enterprise tenants in Public Early Access and requires no enrolment. Learn more: https://auth0.com/docs/manage-users/sessions/sessions-with-actions#set-session-persistence-with-actions and https://auth0.com/docs/manage-users/sessions/session-lifecycle [Use Ephemeral Sessions with Actions to configure Keep Me Sign In](https://auth0.com/docs/manage-users/sessions/configure-keep-me-signed-in-sessions) https://auth0.com/changelog#3R5TLwcoC5ELeNg9vS0QL7 Wed, 01 Oct 2025 00:00:00 GMT You can now use __Organizations with your native passkey flows__! User sign-in and registration flows can now pass the organization to complete sign up in the organization context. Like Universal Login flows, auto-enrollment into an organization during sign-in is also supported. __Organizations Support for Native Passkeys__ is in Limited EA - reach out to your Auth0 contact to get started today. To get started with Passkey APIs and use them with Organizations, please see our [documentation](https://auth0.com/docs/native-passkeys-api) or read our [blog](https://auth0.com/blog/how-to-signup-and-login-with-passkeys-android/ "How to Sign Up and Log In with Passkeys in Android Using Auth0's Native Login") for getting started with native applications. https://auth0.com/changelog#801RizzHxgyfsVczkHGNN Wed, 01 Oct 2025 00:00:00 GMT We are excited to announce the release of the __Auth0 React Native SDK v5__, a foundational rewrite designed to provide a best-in-class developer experience for one of the world's most popular mobile frameworks. This major update delivers a simpler, more powerful way to integrate secure authentication into your React Native applications while ensuring compatibility with the latest evolution of the ecosystem. __Highlights:__ - __Stay on the Cutting Edge of React Native:__ Deploy with confidence knowing your authentication layer is ready for the future. The SDK is fully compatible with React 19 and Expo 53, and now includes Beta support for React Native's New Architecture (Turbo Modules). This allows you to leverage the latest performance and UI capabilities of the ecosystem without compromising on security. - __Accelerate Development with a Better DX:__ We've refactored the entire SDK from the ground up to create a more intuitive and efficient developer experience. With a simpler API surface, unified cross-platform error handling, and an Android layer rewritten in modern Kotlin, you can integrate Auth0 faster and spend less time debugging. - __Build for More Platforms with react-native-web:__ The new, robust architecture enables first-class support for react-native-web. Now you can share more of your authentication logic between your native mobile and web applications, streamlining development and ensuring a consistent user experience everywhere. Get Started Today. The Auth0 React Native SDK v5 is now generally available. As a major version release, v5 includes breaking changes aimed at improving the long-term health and usability of the SDK. To upgrade, please consult our comprehensive [Migration Guide](https://github.com/auth0/react-native-auth0/blob/master/MIGRATION_GUIDE.md) to v5. For a full list of new features, improvements, and breaking changes, view the complete release notes on [GitHub](https://github.com/auth0/react-native-auth0/releases/tag/v5.0.0). https://auth0.com/changelog#5plVH0sRpMqH1cNb4FBGOK Wed, 01 Oct 2025 00:00:00 GMT We’re very excited to announce the availability of __Native Passkey Management__, extending the management of authentication methods using APIs. Customers can now delete passkeys using APIs and list all enrolled authentication methods for a user. Customers can build end-to-end management of the passkeys directly into their native applications. __Native Passkey Management__ is in Limited EA - reach out to your Auth0 contact to get started today. To get started with MyAccount please read our [documentation](https://auth0.com/docs/manage-users/my-account-api "MyAccount API") https://auth0.com/changelog#7lQuIF4vTPKsvn7RFUl3ZZ Tue, 30 Sep 2025 00:00:00 GMT We’re excited to share that we've expanded the Self-Service SSO experience with __User Provisioning (SCIM)__. Now your customers’ IT teams can manage user onboarding and offboarding directly, reducing manual work for you. This feature is currently in __Early Access__. __Smarter Provisioning__: Your customers can now configure __SCIM directly in the Self-Service SSO wizard__, streamlining setup and reducing time-to-value. __Unified User Data__: This release introduces __User Attribute Profiles (UAP)__, a standardized way to map, normalize, and sync user attributes across identity protocols (SAML, OIDC, SCIM) and Auth0’s Self-Service SSO feature. This ensures consistent data handling across integrations and simplifies ongoing maintenance. Furthermore, when using UAP with the Self-Service Profile and Self-Service SSO, those mappings are now used to populate the Enterprise Connection Mapping object in Auth0. __Key Benefits__ - __Automation__: Delegate SCIM setup to your customers’ admins - __Interoperability__: Works seamlessly across varied IdPs - __Consistency__: One schema for easier debugging and support - __Flexibility__: Override mappings per protocol when needed  Rollout is happening now. No opt-in required, it’s ready as soon as it appears in your tenant. Learn more about [Self-Service](https://auth0.com/docs/authenticate/enterprise-connections/self-service-SSO) and [User Attribute Profile](https://auth0.com/docs/authenticate/enterprise-connections/user-attribute-profile) in our product documentation. By using Self-Service User Provisioning, you agree to the applicable Free Trial terms in Okta’s Master Subscription Agreement and [Okta’s Privacy Policy](https://www.okta.com/privacy-policy/) during use of the Early Access feature. The Free Trial terms can be found within the Master Subscription Agreement at [Legal Agreements | Okta](https://www.okta.com/agreements "Legal Agreements | Okta"). https://auth0.com/changelog#3n1TWpvmYiwv2bIX8Gif7t Tue, 30 Sep 2025 00:00:00 GMT We're excited to announce that __Cross App Access (XAA) for Resource Applications is now in Beta__. __Connecting AI Agents and Third Party Apps in an enterprise__ introduces two key challenges: poor IT visibility into data sharing and repetitive user consent flows. Cross App Access (XAA) solves this by __enabling IT teams to centralize control over these connections__, eliminating constant user consent prompts and providing better governance and visibility into data sharing. This new feature provides __built-in support for SaaS providers to get their APIs ready for secure connection by AI Agents and other SaaS Apps in enterprise environments__. No code changes needed, simply configure the feature in your Auth0 tenant to instantly support central policy enforcement and a seamless user experience. This Beta release is for testing purposes only. To learn more, read our [documentation](https://auth0.com/docs/xaa-resource-app).  https://auth0.com/changelog#IoPz85GPXHERLRM0pvTOI Thu, 18 Sep 2025 00:00:00 GMT A new and improved Auth0 Support Center is now live. The new Auth0 Support Center is re-designed to help you find answers faster and adopt features more confidently. Here’s what’s new: - Summarized solutions, fast: A single AI-powered search scans thousands of support resources, and learning content, and delivers a single answer tailored for you. - Unblock faster, stay ahead: The new [Knowledge Base](https://support.auth0.com/center/s/knowledge) provides real-world how-tos and fixes. [The Product Hub](https://support.auth0.com/center/s/product-hub) keeps you up to speed on what’s coming next. - Level up your skills: The [Auth0 Learning Hub](https://support.auth0.com/center/s/learning) offers self-paced, tailored learning paths and plans to help you build skills and feature mastery. Ready to try it out? Head to the [Auth0 Support Center](https://support.auth0.com/center/s/) and explore for yourself. A great place to begin: search for a product or feature you’re working on and see how the new search delivers fast, tailored answers. Want to learn more? Check out the [YouTube video](https://www.youtube.com/watch?v=gNl1gEGYAbk&feature=youtu.be) and [Knowledge Base article](https://support.auth0.com/center/s/article/Announcing-the-Enhanced-Auth0-Support-Center). https://auth0.com/changelog#2kbzAyBitSREV8XEa0RdpC Tue, 16 Sep 2025 00:00:00 GMT We're excited ✨ to announce a significant enhancement to Auth0 Teams that simplifies and accelerates the onboarding process for your team members. This new feature, Pre-tenant Assign in Team Invitations reduces the steps required to get your team members productive faster. __The Challenge We Solved ⁉️__: Previously, inviting a new team member and granting them tenant access was a multi-step process: invite, acceptance, then manual tenant assignment. __What's New 🎉__: You can now combine these steps into a single action. When inviting a new team member, an optional step in the invitation modal allows you to pre-select the tenants and associated roles the invitee should automatically access upon accepting the invitation. __Key Benefits for Your Team ✅__: - One-Step Onboarding: Reduce administrative overhead by combining invitation and tenant access assignment into one efficient workflow. - Immediate Access: Invitees gain immediate access to pre-assigned tenants upon accepting the invitation, eliminating waiting periods. - Improved Audibility: Team Activity logs now record "Invitation accepted" events for better visibility along with tenant member event detail logs. This feature empowers Team Owners to onboard administrators and contributors effortlessly, ensuring they have the right access from day one. __Availability 🍾__: Available in Early Access to Enterprise Customers, with General Availability coming soon. "__Do not have Teams enabled as yet?__ Click [here](https://auth0.com/docs/get-started/auth0-teams "Auth0 Teams") to learn on how to enable Auth0 Teams"  https://auth0.com/changelog#3Re4EKKbxl36YvYeLdnKUI Thu, 11 Sep 2025 00:00:00 GMT We’re excited to announce the General Availability of Tenant Access Control List (ACL), a security feature that helps you control who can access your tenant. With Tenant ACL, you can create custom lists to allow, block, or redirect requests based on predefined signals – strengthening security and optimizing performance. ### Key Benefits - Reduce Attack Surface: Block malicious traffic before it reaches your tenant - Enhance Security: Enforce access policies based on IPs, geolocation, user agents, ASN, and more - Optimize Performance: Redirect traffic to improve user experience ### What’s New in GA - Enterprise customers: Create one Tenant ACL list - Attack Protection add-on customers: Create up to 10 Tenant ACL lists - Dashboard support: View, enable, and disable ACL lists directly from the Auth0 Dashboard ### Learn More - [Tenant ACL Documentation](https://auth0.com/docs/secure/tenant-access-control-list) - [Network ACL Management API](https://auth0.com/docs/api/management/v2/network-acls/get-network-acls) https://auth0.com/changelog#22F0R6b9osOqH0F5ctrfwR Thu, 11 Sep 2025 00:00:00 GMT We are excited to share that Bulk User Import / Export is now available for everyone directly in the Auth0 Management Dashboard! __What’s New:__ - Streamlined experience: submit import / export jobs directly in the Dashboard UI - no Extension management required - Expanded RBAC support: now available to tenant members with *Editor - Users* Role in addition to Admin - Bulk update existing users: upserting pre-existing users in a connection is now available for manual import jobs - Export as a sample: quickly validate export file structure and field naming by exporting a sample file of 10 users __Deprecation Notice__ The [Bulk Import / Export Extension](https://auth0.com/docs/manage-users/user-migration/user-import-export-extension) __will reach end of life in October 2025__. We recommend switching to the new Dashboard experience as soon as possible. For more information on the new Import/Export UI, please refer to [Bulk User Import / Export](https://auth0.com/docs/manage-users/user-migration/bulk-user-import-export) in the Auth0 docs. https://auth0.com/changelog#7zzzayEn8bRUiDnakTnU5D Tue, 09 Sep 2025 00:00:00 GMT We're excited to announce that API Access Policies for Applications is now in __Early Access for all Auth0 customers and is fully supported for production use.__ This feature enables you to control how applications access your APIs registered in Auth0. You can configure separate application API access policies for user access and client (machine-to-machine) flows, giving you __declarative, granular and easy-to-reason control over which applications can obtain an access token for a specific API__. For instance, with the require_client_grant policy, you can ensure that only explicitly authorized applications can get tokens, even during user flows. This strengthens your security posture by preventing unauthorized applications from accessing sensitive API resources on behalf of a user. To learn more, __check out the [documentation](https://auth0.com/docs/get-started/apis/api-access-policies-for-applications).__ https://auth0.com/changelog#v3c4QDo1RlDJpQUIcpCNz Mon, 01 Sep 2025 00:00:00 GMT One of the most requested features for the Auth0 Deploy CLI is here: __you can now preview your deployment changes before applying them.__ Say goodbye to deployment anxiety. With the new --dry-run flag, you can __get a detailed summary of exactly what resources will be created, updated, or deleted__ before you run an import. This brings the confidence of infrastructure-as-code practices like terraform plan to your Auth0 tenant management. __Get started by simply adding the --dry-run flag__ to your import command to see a safe preview of your changes. This will help you and your team: - __Deploy with Confidence:__ Eliminate uncertainty by verifying the exact impact of your changes. - __Prevent Unintended Changes:__ Catch potential issues and avoid accidental modifications to critical production resources. - __Improve Collaboration:__ Share the dry-run output with team members for review and approval before deployment. The Dry Run feature is now available in Early Access. Update to the latest version of the Deploy CLI to get started. [Learn More](https://github.com/auth0/auth0-deploy-cli/blob/beta/docs/using-dry-run.md)  https://auth0.com/changelog#0W4ZIHyeQvtNGT9q2TDKU Fri, 22 Aug 2025 00:00:00 GMT **What's new:**\ **Non-Unique Emails** is now in **Open Early Access** and rolling out to all environments. With this feature, multiple user accounts can share the same email address within a database connection. This enables support for real-world scenarios like: - Parent/child accounts using a shared inbox - Small businesses with a single location email - Users managing multiple roles under one email address **Key details:** - Rollout has **just begun** and will take **1--4 weeks** to reach every environment. - Available only for **new database connections**. - Email **cannot** be used as a primary identifier, customers must configure **username** or **phone number**. - Email communications will still be delivered to the shared email. - Once enabled, the non-unique email setting is **permanent**. **Status:** - This feature is **production-ready**. - **No opt-in required**, all customers will gain access once rollout reaches their environment. - **GA planned for Q4 2025.** **Getting started:**\ Customers can create a new database connection with Non-Unique Emails in the **Dashboard** or via the **Management API**. See full documentation here:\ [Non-Unique Emails Documentation](https://auth0.com/docs/authenticate/database-connections/non-unique-emails) https://auth0.com/changelog#62W58bGFJRK1LQNqINDgW Wed, 20 Aug 2025 00:00:00 GMT We are excited to announce a major update for our Private Cloud customers, extending the powerful management and security capabilities of Auth0 Teams to your private cloud environments. This release introduces the Beta versions of Tenant Member Management and SSO Enforcement, closing the feature gap with our Public Cloud offering. ## ✨ New Features __Tenant Member Management (Beta) for Private Cloud__: You can now centrally manage tenant membership and roles for your team members directly from the Auth0 Teams dashboard. This feature simplifies user administration by allowing you to: - View and manage all tenant access from a single interface. - Efficiently onboard and off-board users across multiple tenants. - Perform bulk operations to grant or revoke access. __SSO Enforcement (Beta) for Private Cloud__: Strengthen your organization's security posture by requiring all team and tenant members to authenticate using one of your configured Enterprise Identity Provider (IdP) connections. This ensures that access to Auth0 resources is governed by your corporate identity solution. __Activity Log Integration for Tenant Management__: All operations related to Tenant Member Management (e.g., adding, updating or deleting) are now recorded in the Auth0 Teams Activity Log, providing a complete audit trail for compliance and security monitoring. (**Note** Now available to all Auth0 Teams customers.) __Session Revocation for Private Cloud__: Administrators now have the ability to revoke active user sessions for Private Cloud tenants, providing an immediate way to off-board users or respond to security events. ## 📈 Improvements __Streamlined Private Cloud User Invites__: Team members can now be invited directly to a Private Cloud tenant through the Teams interface. This removes the previous requirement of first adding the user to the configuration tenant, simplifying and accelerating the onboarding workflow. __Increased Bulk Tenant__: The limit for bulk tenant assignment has been doubled, allowing you to grant or modify access to 10 tenants at once, up from the previous limit of 5. ## Beta Program Information Tenant Member Management and SSO Enforcement features for Private Cloud are being released in Beta.  https://auth0.com/changelog#6rsbSpu16aiOJxNQZ77D7V Tue, 19 Aug 2025 00:00:00 GMT We are delighted to announce that support for sender constraining tokens using Demonstrating Proof of Possession (DPoP) is now available in Early Access. Demonstrating Proof of Possession (DPoP) as defined in RFC9449, is an application level mechanism for binding tokens issued by Auth0 to the client application that requested that token. This is implemented using asymmetric key cryptography and with keys that are generated and managed by the client application - no public key infrastructure (PKI) is required. Sender constraining tokens using DPoP can be used to mitigate the risk of tokens being used by unauthorised parties if they are intercepted in transit or exfiltrated from applications. This helps to: - enhance security by mitigating against token theft and misuse by unauthorised parties - improve user experience by being able to use longer-lived access tokens without significantly increasing security risk i.e. not requiring frequent user authentication Auth0 will be rolling out SDK support for DPoP for native applications, single page applications, backend server APIs, and Auth0 management: - SDKs for iOS Swift and Android Kotlin are available now. - SDKs for Javascript, React, Python and more are coming soon. To evaluate DPoP for securing your tokens, contact your Auth0 representative. For more details, check out our [product documentation](https://auth0.com/docs/secure/sender-constraining/demonstrating-proof-of-possession-dpop). https://auth0.com/changelog#6QhAXo1Sx0218LcNXUnzi7 Mon, 18 Aug 2025 00:00:00 GMT We have expanded our security telemetry to include **JA3** and **JA4 TLS fingerprints**. **TLS fingerprinting** is a proven technique for identifying client software based on the TLS handshake. - **JA3** is a fingerprinting method that identifies TLS clients based on their connection parameters. - **JA4** refines TLS fingerprinting to make client identification more stable and resilient to small variations. These signals help customers detect and respond to **malicious traffic** faster, identify suspicious client behavior, and correlate related activity across changing IPs and sessions. --- ## **What’s New** **Tenant Logs** JA3 and JA4 fingerprints are now logged in applicable authentication and security events such as **`Success Login`**, **`Failed Login`**, and **`Anomaly Detection`**. **Actions Integration** JA3 and JA4 fingerprints are now available in **Actions** for real-time, custom security responses, but **only in the following triggers**: - `pre-user-registration` - `post-user-registration` - `post-login` **Tenant Access Control List (ACL) Support** You can also use the [Tenant Access Control List](https://auth0.com/docs/secure/tenant-access-control-list) to block specific TLS fingerprints directly by adding a rule. Alternatively, you can combine JA3 and JA4 signals with Actions to apply custom business logic, such as requiring MFA or conditionally denying access. --- ## **Why It Matters** JA3 and JA4 provide a **stable, high-entropy signal** that is hard to spoof, helping you correlate malicious activity even across changing IPs and sessions. --- ## **Availability** Available for all **Enterprise** customers. Start using these signals today. https://auth0.com/changelog#2AHovpFxwoGWDImYkICvvQ Tue, 12 Aug 2025 00:00:00 GMT Starting on September 11, 2025, we will be deprecating and removing the legacy, undocumented Management API Swagger Specification. ### What is changing? On September 11 2025, the endpoint path /api/v2/api-docs/ will be removed. After this date, any requests made to this path will result in a 404 Not Found error. ### Why are we making this change? Please note that this endpoint and the Swagger specification it provides were never officially documented or intended for public use. The current Swagger specification available at this endpoint is unmaintained, undocumented, and does not reflect the full capabilities of our Management API. As part of our commitment to providing robust and reliable tools, we are removing this legacy specification to prevent confusion and potential issues. We strongly encourage all users to migrate to our officially supported [OpenAPI 3.1 Specification for the Management API](https://auth0.com/docs/api/management/v2), which is currently in Beta. This new specification is actively maintained and provides a more accurate and comprehensive development experience. ### What do you need to do? If any of your processes are calling the /api/v2/api-docs/ endpoints, take the following steps before September 11, 2025 to ensure your applications and services continue to function without interruption: 1. Identify any systems, scripts, or CI/CD processes that access https://[your-tenant.yourdomain.com]/api/v2/api-docs/. 2. Update these systems to use our new, officially supported OpenAPI 3.1 specification. It can be accessed here: <https://auth0.com/docs/api/management/v2> 3. Ensure your applications are resilient to a 404 Not Found response from the old endpoint path. If the above does not address your needs or you have additional questions, contact us using the [Auth0 by Okta Support Center](https://support.auth0.com/) or [Auth0 by Okta Community](https://community.auth0.com). https://auth0.com/changelog#Irk6hQzcGKdEYK2v4pY4p Tue, 12 Aug 2025 00:00:00 GMT We are excited to announce that __Actions Transaction Metadata__ is now available in [__Early Access__](https://auth0.com/docs/troubleshoot/product-lifecycle/product-release-stages#early-access "Early Access"). This feature allows you to set, share, and access, custom data between Actions run in the same `post-login` execution. __Early Access__ functionality includes: - __Accessing Transaction Metadata:__ A new `event.transaction.metadata` object within `post-login` Actions that contains the custom `key/value` pairs, which can be accessed through `key`. - __Setting Transaction Metadata:__ A new `api.transaction.setMetadata` function within `post-login` Actions that serves as interface to set the custom `key/value` pairs. - __Immediate Access:__ Values are available immediately after being set in the calling Action and subsequent Actions. - __Values Types:__ Values can be `boolean`, `number`, `string`, or `string` serialization of `object` and `array`. - __Docs:__ - New docs section at: [https://auth0.com/docs/customize/actions/transaction-metadata](https://auth0.com/docs/customize/actions/transaction-metadata "Actions Transaction Metadata Docs") - Updated guidelines at: [https://auth0.com/docs/customize/actions/action-coding-guidelines#actions-basics](https://auth0.com/docs/customize/actions/action-coding-guidelines#actions-basics "Actions Coding Guidelines") https://auth0.com/changelog#6lX5ZCdAr45tFpf314tGj5 Mon, 11 Aug 2025 00:00:00 GMT We're introducing a new feature that gives your end-users the flexibility to choose how they log in. Using Universal Login Custom Prompts, you can now add custom buttons to your login pages. This empowers your users to easily switch between a traditional database (password-based) connection and a passwordless (OTP-based) connection. This update allows you to create a seamless experience where users can select their preferred authentication method directly from the login challenge screen.  For full details on this new feature, check out our [documentation](https://auth0.com/docs/customize/login-pages/universal-login/customize-signup-and-login-prompts/connection-switching). To learn more about how to use custom prompts, see the custom prompts [documentation](https://auth0.com/docs/customize/login-pages/universal-login/customize-signup-and-login-prompts). https://auth0.com/changelog#2JhbipJzZLVQdYcZC5FRwC Mon, 11 Aug 2025 00:00:00 GMT We’re excited to announce the __Early Access of Native to Web SSO is now available for all enterprise customers__. With this release, developers can: - Implement SSO from native iOS or Android apps to browser-based web apps. - Securely issue and consume Session Transfer Tokens. - Leverage device binding enforcement (IP or ASN) for additional security. - Access Session Transfer Token support in Auth0 Actions. - Use the feature across the Auth0 CLI SDK, Terraform Provider, Deploy CLI, and native mobile SDKs (iOS and Android). - Integrate with WS-FED and SAML clients, and invoke Post Login Actions during token consumption. 📘 To get started: [Read our documentation](https://auth0.com/docs/authenticate/single-sign-on/native-to-web) [Read the Quickstart](https://auth0.com/docs/authenticate/single-sign-on/native-to-web/configure-mobile-to-web-payment-flows) https://auth0.com/changelog#1zpjcO5jNSLo3hnTBMvwEj Mon, 11 Aug 2025 00:00:00 GMT We’re excited to announce that Multi-Resource Refresh Tokens (MRRT) is now in Early Access for all customers. This feature allows applications to use a single refresh token to request access tokens for multiple resource servers (APIs), each with its own audience and scopes. MRRT simplifies token lifecycle management, enhances developer experience, and improves session continuity across distributed API architectures. What’s New? - Support for defining audience-specific refresh token policies per client - Use one refresh token to request tokens for multiple APIs — no re-authentication required - Compatible with rotating and expiring refresh tokens - First-party applications only - Management API support available today - iOS and Android SDKs support - Auth0 Deploy CLI and Terraform Support [Learn more ](https://auth0.com/docs/secure/tokens/refresh-tokens/multi-resource-refresh-token) https://auth0.com/changelog#660dnzWXi5W2ivMLaAqF2R Thu, 07 Aug 2025 00:00:00 GMT __What changed:__ When the user's email is available, Auth0 will now send an email notification for brute‑force blocks in all identifier scenarios (e.g., phone, username), supplementing existing delivery rules. __Why it matters:__ Ensures users receive blocking notifications consistently even when logging in via phone or username, improving visibility and response. To learn more about Brute Force Protection read on online documentation [here](https://auth0.com/docs/secure/attack-protection/brute-force-protection) https://auth0.com/changelog#3lhCiLgLrJ7qnGsGgdO7uZ Thu, 07 Aug 2025 00:00:00 GMT We’ve improved our bot detection model to strike a better balance between **security and user experience**, with specific gains for tenants whose users frequently access resources via VPN. **Highlights of this update include:** * **Reduced false positives for VPN users:** The model now more effectively distinguishes between legitimate users and bots, even when traffic originates from shared IPs or anonymized networks. * **Improved user experience without compromising security:** These updates are designed to reduce unnecessary friction for valid users while maintaining strong defenses against automated threats. This enhanced security capability is now available to all **Enterprise customers with the Attack Protection add-on**. The rollout is currently underway and will be completed over the coming weeks in alignment with individual customer release schedules. For activation details or to learn more about protecting your applications, please refer to our [documentation](https://auth0.com/docs/secure/attack-protection/bot-detection) or contact your account team. We're committed to helping you stay secure in an evolving threat landscape. https://auth0.com/changelog#5lghONKnKUNwHFCCUdoChL Thu, 31 Jul 2025 00:00:00 GMT Introducing a new capability for log streaming: *__PII Masking__*. This feature allows customers to obfuscate (hash or mask) sensitive personal identifiable information (e.g., email address, phone number, username, etc.) within their log streams. This enhancement improves security and compliance for customers who stream their logs to data lakes or third-party tools. Key Features: - __Customizable PII Masking__: Customers can select specific PII data to be masked in their log streams. - __Enhanced Security and Compliance__: This capability helps customers meet stricter compliance requirements by providing greater control over sensitive data in their logs. - __Broad Applicability__: PII masking will be available for both new and existing log streams. This update aligns with Auth0's commitment to improving customer data security and providing more customization in log stream outputs For more information - [Log Streams](https://auth0.com/docs/customize/log-streams) https://auth0.com/changelog#5elqlIOCE1MjEkOzW7qI9k Tue, 22 Jul 2025 00:00:00 GMT Auth0 is delighted to introduce __Mexico__ as the latest AWS region for Private Cloud deployments. This new region establishes our __first Private Cloud presence in Mexico__, directly addressing the needs of one of Latin America's largest and most dynamic digital economies. The addition of the Mexico region provides lower latency for customers throughout the country and helps meet local data residency and compliance requirements. We remain committed to expanding our global footprint to serve our customers wherever they are in the world. https://auth0.com/changelog#2hXW9DqsFSv28lmkedZqh4 Tue, 22 Jul 2025 00:00:00 GMT We’ve added support for **Cascade Revocation** in **Native to Web SSO**. With this new capability, revoking the **original refresh token** used in a Native to Web flow will now **automatically revoke all dependent web sessions and their issued refresh tokens**. This helps prevent stale or orphaned sessions and ensures that once the root token is no longer valid, all downstream access is properly revoked. --- ## What’s new: - **`enable_cascade_revocation`** When enabled, revoking a native app’s refresh token also revokes all web sessions and refresh tokens created via `session_transfer_token`. - **`enable_online_refresh_tokens`** When enabled, refresh tokens issued during a Native to Web SSO flow are tied to the lifetime of their associated session (i.e., online tokens). --- ## Default behavior: Both of these settings are **enabled by default**, even when not explicitly configured. This means: - All clients using Native to Web SSO today already benefit from **cascade revocation**. - Web-issued refresh tokens will **automatically expire** when their sessions expire. You can manage or override these settings using the [Auth0 Management API](https://auth0.com/docs/api/management/v2#!/Clients/patch_clients_by_id). --- ## Why it matters: This update provides stronger guarantees around **token lifecycle** and **session integrity** across platforms: - Prevents misuse of refresh tokens after logout or revocation - Reduces risk from long-lived sessions in embedded web views - Helps developers maintain a tighter, more secure cross-platform SSO experience --- Learn more in our [Native to Web SSO documentation](https://auth0.com/docs/authenticate/single-sign-on/native-to-web/native-to-web-sso-and-sessions) https://auth0.com/changelog#5Akxk5TamCZ4dPFIQqHVYq Mon, 21 Jul 2025 00:00:00 GMT We are excited to introduce expanded passkey support for custom database connections! Now available without enabling import mode. __What’s New:__ - You can now enable passkey-based authentication for custom database connections without importing or trickle-migrating users into Auth0 (i.e., with import mode turned off). - End users can easily enroll in passkeys after their first successful login, requiring no prior passkey credentials in your external identity store. - Passkey credentials are securely stored in Auth0, while your external identity store continues to handle all other authentication logic. This enhancement unlocks frictionless, passkey-based login experiences for enterprises that manage user credentials outside of Auth0 - without requiring user migration or changes to existing identity architecture. To enable the Limited Early Access release in your Auth0 tenant, contact your Technical Account Manager to request access. https://auth0.com/changelog#5neKip9iIszAEun57u0QTu Tue, 15 Jul 2025 00:00:00 GMT We're thrilled to announce __Multiple Custom Domains (MCD) support on a single Auth0 tenant__ bringing you simpler, more flexible branding and white-labeling. This powerful capability allows you to: - __Deliver tailored, branded experiences__ for your users, including customized login URLs and emails. - __Enhance security__ through consistent use of custom domains across end-user interactions. - __Scale B2B SaaS usage__ rapidly through MCD on a single tenant. This feature is available to our __Enterprise customers__. With Early Access, you'll gain robust capabilities across our Management APIs, Manage Dashboard, and our developer tools (SDKs, Terraform provider, and CLI) for MCD management. You'll find new ways to customize Email templates based on custom domain information. The solution scales effortlessly to meet rapid growth and demanding needs. Please refer to Auth0 docs for details - [Multiple Custom Domains](https://auth0.com/docs/customize/custom-domains/multiple-custom-domains). Interested in participating in the Early Access program? Please send a request through the [Auth0 Support Center](https://support.auth0.com/). https://auth0.com/changelog#2bCRhkF36ozattQPrybsU8 Tue, 15 Jul 2025 00:00:00 GMT My Account API Explorer is now available! Navigate to: https://auth0.com/docs/api/myaccount to try it out and help navigate & build with the new My Account API (which is in Limited Early Availability). Using My Account, customers can build self-service management experiences at scale, powered directly from their applications. To learn more and request access to the My Account API feature, contact your Auth0 account manager. https://auth0.com/changelog#3oEihfjPJchpLR2631pbZw Thu, 10 Jul 2025 00:00:00 GMT We are excited to announce the next Early Access release of Advanced Customizations for Universal Login! This release adds a couple of highly requested enhancements as well as support for building custom versions of Universal Login’s Consent screens using the new ACUL SDK. Advanced Customizations for Universal Login enables you to build custom, client-rendered interfaces for Universal Login screens, allowing you to control every pixel of your Universal Login experience. This release includes: * A new Filters screen configuration object that allows you to set constraints around when the custom UI should be used based on the client and organization information. * A new screen configuration parameter that allows you to use your custom page template with ACUL * Support for building custom versions of the Consent screens * Consent * Customized Consent (used with HRI) * A shiny new Dashboard UI for configuring ACUL screens  #### DX Updates The latest versions of the ACUL SDK and Auth0’s CDT tooling include support for the new Filters and page template configurations as well as configuring the consent screens. * [Typescript SDK](https://github.com/auth0/universal-login/releases/tag/auth0-acul-js%400.1.0-beta.7) * [Auth0 CLI](https://github.com/auth0/auth0-cli/releases/tag/v1.15.0) * [Deploy CLI](https://github.com/auth0/auth0-deploy-cli/releases/tag/v8.10.0) * [Terraform Provider Auth0](https://github.com/auth0/terraform-provider-auth0/releases/tag/v1.23.1) We are very close to supporting for everything that Universal Login currently supports out of the box. Checkout our [online documentation](https://auth0.com/docs/customize/login-pages/advanced-customizations) to learn more about ACUL and stay tuned to the Auth0 Changelog for updates and announcements! https://auth0.com/changelog#5fR5o2vYStclTcfkHpJM3R Thu, 10 Jul 2025 00:00:00 GMT Today, we're excited to announce the __Early Access release of Right-to-Left (RTL) Language Support for Universal Login__—with support for the Guardian Mobile Apps (iOS & Android) coming later this month.  This update expands Auth0’s global accessibility by enabling seamless support for RTL languages, including __Arabic, Persian (Farsi), Hebrew, and Urdu__—helping you deliver more inclusive, intuitive login experiences in regions where these languages are the norm. Supporting RTL languages means you can reach new markets, localize experiences with greater precision, and improve accessibility for the nearly 1 billion people who rely on RTL scripts. Early Access includes managing RTL languages in the Admin Dashboard and API as well as previewing and editing prompt translations. Guardian support (coming later this month) will bring RTL layout rendering to identity verification and MFA workflows. This release marks a major step forward for Universal Login. As Auth0 continues to pursue our vision of a world where anyone can safely use any technology, powered by their Identity, we are proud to partner with our customers around the world in delivering secure, inclusive, and accessible authentication experiences. Contact your Auth0 account manager or Auth0 Support to enable Early Access on your tenant. https://auth0.com/changelog#5pyZYkRnpJEiJfd0aD9xXx Mon, 30 Jun 2025 00:00:00 GMT We are deprecating the ability to create more than one action per tenant for actions supporting custom phone or email providers and introducing a maximum limit of one action in the respective triggers: * `custom-phone-provider` * `custom-email-provider` This limitation applies to the Management API [create an action endpoint](https://auth0.com/docs/api/management/v2/actions/post-action) (POST - `/api/v2/actions/actions`) and can impact integrations performing direct API calls and tools like the [Auth0 Deploy CLI](https://auth0.com/docs/deploy-monitor/deploy-cli-tool), the [Auth0 Terraform Provider](https://auth0.com/docs/deploy-monitor/auth0-terraform-provider), or the [Auth0 CLI](https://auth0.github.io/auth0-cli/). We have provided additional information and timelines for enforcing this change across tenants through a dashboard and [support center notification](https://support.auth0.com/notifications/68503aec14369f07548fbb58). https://auth0.com/changelog#3x8aOrDhj5zKgYWA4e7EeD Fri, 27 Jun 2025 00:00:00 GMT We’ve upgraded our bot detection model to improve accuracy and reduce friction for legitimate users, particularly on mobile devices and evolving browser platforms. **Highlights of this update include:** * **Improved interpretation of user-agent signals**: The model now better handles previously unseen browser and OS versions, improving accuracy in distinguishing between legitimate users and malicious traffic. * **Reduced friction for mobile users**: We've updated the model to more accurately recognize native mobile app traffic, resulting in fewer unnecessary CAPTCHA challenges for real users. * **Improved user experience without compromising security**: These changes are designed to reduce false positives while maintaining robust bot detection coverage. This enhanced security feature is available now to all **Enterprise customers with the Attack Protection add-on**. The rollout is currently underway and will be completed in the coming weeks, aligned with individual customer release schedules. For activation details or to learn more about safeguarding your systems, please refer to our [documentation](https://auth0.com/docs/secure/attack-protection/bot-detection) or reach out to your account team. We are committed to supporting you in protecting your digital presence against evolving threats. https://auth0.com/changelog#5JtWi3Ihja6wOqMVMsCsGO Tue, 24 Jun 2025 00:00:00 GMT We’re excited to announce that the Okta AI-powered chatbot ([Guide](https://auth0.com/docs/get-started/auth0-guide)) Early Access offering has been enhanced with an additional data source - __Security Center Metric Data__. This additional capability is available only to Enterprise customers and can answer questions such as “do I have more sign up attacks this week compared to last week?”. ### Availability Guide is available to tenants in the US Public Cloud region. Within that group, Security Center Metric Data is available only for Enterprise customers. Guide will be rolled out to all Public Cloud regions in the near future. https://auth0.com/changelog#pMgBP8Sp7RECZo9n2IIy9 Mon, 23 Jun 2025 00:00:00 GMT We’re excited to announce that Multi-Resource Refresh Tokens (MRRT) is now in Early Access for Enterprise customers. This feature allows applications to use a single refresh token to request access tokens for multiple resource servers (APIs), each with its own audience and scopes. MRRT simplifies token lifecycle management, enhances developer experience, and improves session continuity across distributed API architectures. What’s New? - Support for defining audience-specific refresh token policies per client - Use one refresh token to request tokens for multiple APIs — no re-authentication required - Compatible with rotating and expiring refresh tokens - First-party applications only - Management API support available today - iOS and Android SDKs support - Auth0 Deploy CLI and Terraform Support [Learn more ](https://auth0.com/docs/secure/tokens/refresh-tokens/multi-resource-refresh-token) https://auth0.com/changelog#46knYejnHFSYMc59ijmGjz Mon, 23 Jun 2025 00:00:00 GMT We’re excited to announce the Early Access release of Private Key JWT Client Authentication for OIDC and Okta Enterprise Connections! Auth0 customers can now leverage a more secure and standards-based method of client authentication for their enterprise identity providers. Until now, federated connections relied on long-lived client secrets for back-channel authentication. This feature enables signing with asymmetric keys on Okta and OIDC connections, reducing the risk of credential leakage and enabling secure key management and rotation. While Auth0 already supports Private Key JWT when acting as the Identity Provider, this release extends that security posture to outbound enterprise connections, allowing Auth0 to securely authenticate to upstream IdPs using signed JWTs instead of shared secrets. For complete setup instructions and more, refer to our [documentation](https://auth0.com/docs/authenticate/enterprise-connections/private-key-jwt-client-auth). By using Private Key JWT Client Authentication on your OIDC and Okta Enterprise Connections, you agree to the applicable Free Trial terms in Okta’s Master Subscription Agreement and [Okta’s Privacy Policy](https://www.okta.com/privacy-policy/) during use of the Early Access feature. The Free Trial terms can be found within the [Master Subscription Agreement](https://www.okta.com/agreements). https://auth0.com/changelog#3Yn6M0dZUyYWRQXzEykK2W Wed, 18 Jun 2025 00:00:00 GMT #### What is changing? We are deprecating the Real-time Webtask Logs extension with a planned end-of-life after (EOL) **September 16, 2025**. As a replacement, we have published the [Actions Real-time Logs](https://auth0.com/docs/customize/actions/actions-real-time-logs) feature integrated within the Auth0 Dashboard. The extension will cease to be available for new installations, but tenants with the extension already installed will maintain access until the planned EOL. #### Why are we making this change? The transition to the dashboard will improve the security posture and maintainability of the functionality, while simplifying future enhancements. #### How are you affected? For active users of the Real-time Webtask Logs extension, its scheduled removal will affect you, as the transition from extension to a direct dashboard capability inherently implies some user experience differences. #### What action do you need to take? You can start using the [Actions Real-time Logs](https://auth0.com/docs/customize/actions/actions-real-time-logs#how-to-use) feature by navigating to **Auth0 Dashboard** > **Monitoring** > **Actions Logs**. We recommend that extension users familiarize themselves with the new user interface to avoid disruption once the extension becomes unavailable. https://auth0.com/changelog#4PbsaXwpuayYFHiuPXr1SS Wed, 18 Jun 2025 00:00:00 GMT We’ve added a new language option-Canadian French-to help our users in Canada and beyond build secure identity solutions more easily. If your language preference is set to Canadian French in your browser settings, Auth0 will detect this and automatically serve the Dashboard and Documentation in Canadian French. You can manually override this setting in the Auth0 Dashboard and Docs via the language switcher in the top-right corner. https://auth0.com/changelog#3DROEob65di707QvAZkySI Wed, 18 Jun 2025 00:00:00 GMT #### What is changing? The service will restrict access to additional property names within the `event.request.query` and `event.request.body` objects when executing actions for the `post-login` and `credentials-exchange` triggers. Tenants identified as using actions that may reference request properties planned for restriction will maintain access until **September 16, 2025**. The service will restrict the following property names in the request-related objects: - `auth_session` - `authn_response` - `client_secret` - `client_assertion` - `refresh_token` Previously, the implementation of an action could access the properties listed above in `event.request.query` and `event.request.body` to retrieve the value included in the corresponding network request. Once the planned restrictions become effective for a given tenant, all properties above will be undefined independently of the network request content. The rollout of these additional restrictions is in progress for tenants where historical data did not show any actions using these property names. Tenants identified as potentially impacted by these restrictions will maintain existing behavior until the previously mentioned date. #### Why are we making this change? By restricting access to these properties, we aim to prevent potential mishandling of sensitive data within the custom code implemented for `post-login` and `credentials-exchange` actions. For example, we reduce the risk of unintentionally logging sensitive data in log operations that may output the whole request object. #### How are you affected? If any of your tenant's current actions no longer include any reference to one of the restricted property names or that despite having references to one of the names, it is not in the context of property access to `event.request.query` and `event.request.body` objects, then these changes should not impact your tenant. If there are actual references to restricted request properties, the restriction of these properties may impact the action's logic. After the changes become effective, accessing those request properties will always return undefined. Without revising the actions' implementation, the respective authentication flows risk partial degradation or complete failure. #### What action do you need to take? If your tenants currently have actions referencing one of the restricted properties of the `event.request.query` and `event.request.body` objects in their implementation. For applicable actions, you must update their implementation to stop relying on the restricted properties of the request objects. The exact implementation changes you may need to perform will depend on your overall implementation of the actions and each restricted request property's usage scenario. For example, for scenarios related to reusing secret information previously available from the request, the support for [secret management](https://auth0.com/docs/customize/actions/write-your-first-action#add-a-secret) (`event.secrets`) as part of actions may provide a potential alternative. If the requests include restricted property names, but the information sent within them is not considered sensitive, you may consider using a different parameter name in the request, or ideally, consider using [custom parameters](https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow/authorization-code-flow-with-par#supported-parameters) as part of [pushed authorization requests](https://auth0.com/docs/get-started/applications/configure-par) to avoid disclosing/interception of the data by end-users in browser-based flows. If the data is static per client or connection, consider storing it as part of client or connection metadata. https://auth0.com/changelog#3FKFF7m36s3iNW64RA9xSP Tue, 17 Jun 2025 00:00:00 GMT Auth0 is excited to announce the General Availability of Private Cloud Restoration resilience enhancement. This capability would come handy in the event of customer data loss or data corruption, and would assist customers in meeting regulatory requirements such as European Union’s Digital Operational Resilience Act (DORA). This capability allows customers to request full restoration of their production Private Cloud environment from an Auth0 backup in the last 14 days. It also includes the option for one restoration test per year on a non-production Private Cloud environment. Please refer to [Operational policies documentation](https://auth0.com/docs/troubleshoot/customer-support/operational-policies#private-cloud-restoration "Private Cloud Restoration") for more. https://auth0.com/changelog#3w63SF53LMZmleSmDh2Fcw Fri, 13 Jun 2025 00:00:00 GMT You can now customize the __Brute-Force Protection unblock page__ using Universal Login. This update allows for a fully branded experience when users are locked out due to repeated failed login attempts. __What’s New?__ - __Branded unblock experience via Universal Login -__ The brute-force protection unblock page is now part of Universal Login, giving you full control over its appearance and content. This ensures a seamless, branded experience throughout the recovery flow. - __Improved compatibility with email security scanners -__ Account unblock now occurs when the unblock page loads rather than on clicking the unblock link. This helps prevent issues caused by email security scanners that pre-process links. __To enable these new features__ Navigate to __Settings__ > __Advanced__ tab In the __Migrations__ section, near the bottom of the page, disable the existing functionality with the toggle shown below  The existing __Brute-Force Protection unblock page and behavior__ will remain available for now. However, it is __planned for deprecation within the next 6 months__, giving you __ample time to transition__ to the __new and improved experience__ at your convenience. For more information about our __Brute-Force Protection__ feature, see our online documentation [here](https://auth0.com/docs/secure/attack-protection/brute-force-protection) https://auth0.com/changelog#3EQxapnmbIRlkDlyIxGc6S Tue, 10 Jun 2025 00:00:00 GMT Starting October 27, 2025, the offset-based pagination available for the Management API [get all connections](https://auth0.com/docs/api/management/v2/connections/get-connections) endpoint will no longer support retrieving a paginated result beyond the first 1000 connections. Use checkpoint-based pagination to iterate beyond 1000 connections. Additional information about this upcoming change is available in a [dashboard and support center notification](https://support.auth0.com/notifications/68115c979be58b755a85b543). https://auth0.com/changelog#3d5kXmsESlH8zy1LrCRuZL Thu, 05 Jun 2025 00:00:00 GMT We’re very excited to announce the Limited Early Availability of Native Passkey Enrollment, the first capability on our new self-service API, My Account. Using My Account, customers can build self-service management experiences at scale, powered directly from their applications. Native Passkey Enrollment enables users to add a passkey to their account using APIs; applications can fully manage user onboarding of passkeys. This feature is the first of many capabilities being added to My Account. To learn more and request access to the feature, contact your Auth0 account manager. https://auth0.com/changelog#eW4GjQ2zYshqK7593Z1LW Mon, 02 Jun 2025 00:00:00 GMT We're excited to announce a significant upgrade to our bot **detection capabilities for signups**, delivering superior accuracy and staying ahead of evolving traffic patterns. This latest model further improves our ability to distinguish legitimate new users from automated malicious activity. The result is a substantial reduction in unwanted signups, enhancing your user onboarding experience and overall platform security. By enhancing our model training and deployment system, we can now accelerate model improvements, increase deployment frequency, and reduce detection latency, ensuring you always have the most advanced protection. This enhanced security feature is available now to all **Enterprise customers with the Attack Protection add-on**. The rollout is currently underway and will be completed in the coming weeks, aligned with individual customer release schedules. For activation details or to learn more about safeguarding your systems, please refer to our [documentation](https://auth0.com/docs/secure/attack-protection/bot-detection) or reach out to your account team. We are committed to supporting you in protecting your digital presence against evolving threats. https://auth0.com/changelog#2CLx9gZ1YB1nfO59QqH8po Mon, 02 Jun 2025 00:00:00 GMT We’re excited to announce the Early Access release of Native to Web SSO — a new capability that enables session sharing between native mobile apps and web apps using a secure, standards-based approach. This helps create a seamless user experience where authentication in one platform (native or web) carries over to the other, without requiring a separate login. With this release, developers can: - Implement SSO from native iOS or Android apps to browser-based web apps. - Securely issue and consume Session Transfer Tokens. - Leverage device binding enforcement (IP or ASN) for additional security. - Access Session Transfer Token support in Auth0 Actions. - Use the feature across the Auth0 CLI SDK, Terraform Provider, Deploy CLI, and native mobile SDKs (iOS and Android). - Integrate with WS-FED and SAML clients, and invoke Post Login Actions during token consumption. 📘 To get started: [Read our documentation](https://auth0.com/docs/authenticate/single-sign-on/native-to-web) [Read the Quickstart](https://auth0.com/docs/authenticate/single-sign-on/native-to-web/configure-mobile-to-web-payment-flows) https://auth0.com/changelog#72JltARfrooqHBmkuTzb8d Thu, 29 May 2025 00:00:00 GMT We’ve excited to announce that Fine-Grained M2M Token Quotas is now in __Early Access for Enterprise customers__. This feature allows __setting hourly and daily limits on M2M access tokens at the Application and Organization level__. __When a quota is reached, affected Applications receive 429 responses until the quota resets__. Customers can also enable or disable quotas in real time and monitor usage via tenant logs and HTTP headers.  This gives customers granular control over token issuance, helping __prevent excessive consumption — especially important when APIs are exposed to Third-Party Apps__ or internal teams outside their direct control. It addresses common issues like missing token caching, which can lead to uncontrolled token usage, unexpected costs and imbalanced usage across Organizations. To learn more, check out the [documentation](https://auth0.com/docs/fine-grained-m2m-token-quotas-early-access). __Reach out to you Auth0 contact to request access!__ https://auth0.com/changelog#3oV0iKjZW0TZs7SuLvE94L Thu, 29 May 2025 00:00:00 GMT Action name editing is now available within the Auth0 Dashboard, providing developers the ability to rename existing Actions while ensuring unique names are maintained. To rename an Action: 1. Navigate to the specific Action Details page in the Auth0 Dashboard. 2. At the Action Details page, click the edit button located next to the Action's name to make your changes. 3. Enter the new name. 4. Apply or cancel the changes. https://auth0.com/changelog#5rwgKZhUbJ1HgnyiwhiTn7 Tue, 27 May 2025 00:00:00 GMT We are excited to announce the next Early Access release of Advanced Customizations for Universal Login! This release adds support for building custom versions of Universal Login’s WebAuthn + Biometrics authentication and the matching MFA and Reset Password Challenge screens, as well as Logout and a few other odds and ends, all using the new ACUL SDK. Advanced Customizations for Universal Login enables you to build custom, client-rendered interfaces for Universal Login screens, allowing you to control every pixel of your Universal Login experience. This release allows you to building custom versions of the following screens: - MFA WebAuthn Change Key Nickname - MFA WebAuthn Enrollment Success - MFA WebAuthn Error - MFA WebAuthn Platform Challenge - MFA WebAuthn Platform Enrollment - MFA WebAuthn Roaming Challenge - MFA WebAuthn Roaming Enrollment - Reset Password MFA WebAuthn Platform Challenge - Reset Password MFA WebAuthn Roaming Challenge - Logout - Logout Aborted - Logout Complete - MFA Recovery Code Challenge New Code - Email Verification Result - Login Email Verification #### DX Updates The latest versions of the ACUL SDK and our CDT tooling all include support for these new screens. - [Typescript SDK](https://github.com/auth0/universal-login/releases/tag/auth0-acul-js%400.1.0-beta.5) - [Auth0 CLI](https://github.com/auth0/auth0-cli/releases/tag/v1.14.1) - [Deploy CLI](https://github.com/auth0/auth0-deploy-cli/releases/tag/v8.8.3) - [Terraform Provider Auth0](https://github.com/auth0/terraform-provider-auth0/releases/tag/v1.20.1) We are well on our way to adding support for everything that Universal Login currently supports out of the box. Checkout our [online documentation](https://auth0.com/docs/customize/login-pages/advanced-customizations) to learn more about ACUL and stay tuned to the Auth0 Changelog for updates and announcements! https://auth0.com/changelog#28sbruPFNeulf3hP4Y3A6O Wed, 21 May 2025 00:00:00 GMT Asynchronous authentication and authorisation using the Client-Initiated Backchannel Authentication (CIBA) flow is now Generally Available for our Enterprise plan customers. The CIBA flow works as an asynchronous, decoupled flow across two different devices: - Consumption device: initiates the authentication request. - Authentication device: handles end-user authentication, implemented as a custom mobile app which embeds the Guardian mobile SDK. The flow supports the use of Rich Authorization Requests [RFC9396](https://www.rfc-editor.org/rfc/rfc9396.html) to provide contextual information to authenticating and/or authorizing users. This enables the CIBA flow to support a number of powerful use cases driven by backend client applications, such as: - Customer authentication by headless devices or devices/applications with limited interaction capabilities. - Customer authentication in call-centre scenarios. - Authorising sensitive operations on behalf of yourself or a third-party e.g. a customer service Agent, an autonomous AI Agent. For more details, see the [product documentation](https://auth0.com/docs/get-started/authentication-and-authorization-flow/client-initiated-backchannel-authentication-flow). https://auth0.com/changelog#3Bre3sPV6TKhcTXt8NOXan Tue, 20 May 2025 00:00:00 GMT We're excited to announce a significant enhancement to the Tenant Member Management feature within Auth0 Teams. All tenant member management tasks can now be completed centrally within the Auth0 Teams Dashboard. Previously, we introduced tenant member management with support for inviting and assigning dashboard users to team tenants, followed by the ability to remove access from tenants directly within the Teams dashboard. With this release, a team owner gains the comprehensive ability to perform all Create, Read, Update, and Delete (CRUD) tasks on tenant members directly from the Teams Dashboard. This streamlines administrative workflows and provides unparalleled control over user access across your tenants. Note: The Tenant Member Management feature is required for this functionality. This feature is on by default for all Self-Service customers and most Public Cloud Enterprise customers. It is configurable for some existing Public Cloud Enterprise customers and is coming soon to Private Cloud customers. Please refer to the following documentation for more information. 1. [How do you edit a Tenant Member role from Auth0 Teams Dashboard?](https://auth0.com/docs/get-started/auth0-teams/tenant-member-management#edit-tenants-membership-with-tenant-member-management "Edit Tenant Member access.") 2. [I am a Public Cloud Customer; how do I verify that I have the suitable feature turned on to support tenant member management?](https://auth0.com/docs/get-started/auth0-teams/tenant-member-management#turn-on-tenant-member-management "Turning on Tenant Member Management.")  https://auth0.com/changelog#AcAZ9992lD3DZjsYd1Wjt Mon, 19 May 2025 00:00:00 GMT Event Streams is now available for all customers who desire to discover completed changes to Auth0 Users and Organizations as they happen. They can do this by: - Creating an Event Stream in the Manage Dashboard or the Management API - Configuring the Event Streams with the desired destination ([Webhook](https://auth0.com/docs/customize/events/create-an-event-stream#create-an-event-stream-webhooks- "Create a Webhook") or [Amazon EventBridge](https://auth0.com/docs/customize/events/create-an-event-stream#aws-eventbridge "Create an Event Stream via Eventbridge")) and selecting the events to receive See the [Auth0 Docs](https://auth0.com/docs/customize/events) for further instructions. https://auth0.com/changelog#4SmjmcbmVZgt1Zsn7JYF1V Tue, 13 May 2025 00:00:00 GMT Updating specific configuration fields for a tenant's SMTP Email Provider may require simultaneously specifying the password field used for SMTP client authentication. We have provided additional information and timelines for enforcing this change across tenants through a dashboard and [support center notification](https://support.auth0.com/notifications/68236562d0bbf8eb81861392). https://auth0.com/changelog#3WQbDHmA6C8FzGq0gpBDut Wed, 07 May 2025 00:00:00 GMT We're excited to announce the latest release of the Auth0 CLI! This update brings a host of improvements designed to streamline your development workflow, enhance security capabilities, and provide a more intuitive user experience. ### Key Highlights: - __Improved Universal Login Customization Flow__: Customizing your Universal Login pages is now more straightforward and efficient. We've refined the command-line interface to provide a smoother experience when managing templates and branding, allowing for quicker iterations and deployments. - __Support for Blocking User Authentication__: Enhance your security posture with the new ability to directly block (and unblock) user authentication via the CLI. This feature provides a quick and effective way to manage access for suspicious or compromised accounts. - __Enhanced Logs and User Management Experience:__ We've significantly improved the experience for viewing and managing your Auth0 logs and users. Expect more intuitive commands, better filtering options, and clearer outputs, making it easier to find the information you need and perform administrative tasks. - __Better Tenant Settings Management:__ Managing your tenant settings is now more accessible and user-friendly. The CLI offers improved commands for viewing and updating various tenant configurations, simplifying your operational overhead. - __Extended test login Command to Support Organizations:__ Testing your login flow with Organizations is now easier than ever. The auth0 test login command has been extended to seamlessly incorporate organization-specific contexts, allowing for more comprehensive testing of your multi-tenant applications. - __Bug Fixes and Quality of Life Improvements:__ This release also includes a variety of bug fixes and other minor enhancements based on your feedback. These improvements contribute to a more stable, performant, and enjoyable experience with the Auth0 CLI. Checkout the reference documentation for more information: https://auth0.github.io/auth0-cli/ https://auth0.com/changelog#136bCyJY2tu8v2AoMbEuuc Wed, 07 May 2025 00:00:00 GMT Introducing the customizable notification text for IOS Guardian SDK. With this update, apps using the Guardian SDK on iOS can now fully customize the text of their push notifications—giving you greater control over your user experience and messaging. https://auth0.com/changelog#ineWqtT4tPcGouoxTe2mh Wed, 07 May 2025 00:00:00 GMT Enable end users to choose a different language if the automatically selected language based on `ui_locales` or the browser language header is not preferred. By leveraging Auth0 Custom Prompts you can use your own HTML to customize the look and feel for how end-users perform the language selection on Universal Login. [Learn more](https://auth0.com/docs/customize/login-pages/universal-login/customize-signup-and-login-prompts/language-selection) https://auth0.com/changelog#3baR4gwGez6GE1fbhylNKH Mon, 05 May 2025 00:00:00 GMT Auth0 Developers can now easily and securely authenticate users on native applications by using the Android Credential Manager’s Sign in with Google. This enables a secure and streamlined experience for end-users to login without being prompted for a password and by re-using their existing Google session on the device. [Learn more](https://auth0.com/docs/authenticate/identity-providers/social-identity-providers/google-native)  https://auth0.com/changelog#3R2MCinpGjcQN8r2HzyWrl Mon, 28 Apr 2025 00:00:00 GMT We are excited to announce the next Early Access release of Advanced Customizations for Universal Login! This release adds support for building custom versions of Universal Login’s Device Authorization screens, the MFA voice, phone, and recovery code screens, and their matching Reset Password Challenge factors all using the new ACUL SDK. Advanced Customizations for Universal Login enables you to build custom, client-rendered interfaces for Universal Login screens, allowing you to control every pixel of your Universal Login experience. This release allows you to building custom versions of the following screens: * Device Code Activation * Device Code Activation Allowed * Device Code Activation Denied * Device Code Confirmation * MFA Phone Challenge * MFA Phone Enrollment * MFA Voice Challenge * MFA Voice Enrollment * Reset Password MFA Phone Challenge * Reset Password MFA Voice Challenge * MFA Recovery Code Challenge * MFA Recovery Code Enrollment * Reset Password MFA Recovery Code Challenge * Redeem Ticket __DX Updates__ The latest versions of the ACUL SDK and our CDT tooling all include support for these new screens. * [Typescript SDK](https://github.com/auth0/universal-login/releases/tag/auth0-acul-js%400.1.0-beta.4) * [Auth0 CLI](https://github.com/auth0/auth0-cli/releases/tag/v1.12.0) * [Deploy CLI](https://github.com/auth0/auth0-deploy-cli/releases/tag/v8.8.1) * [Terraform Provider Auth0](https://github.com/auth0/terraform-provider-auth0/releases/tag/v1.18.0) We are well on our way to adding support for everything that Universal Login currently supports out of the box. Checkout our [online documentation](https://auth0.com/docs/customize/login-pages/advanced-customizations) to learn more about ACUL and stay tuned to the Auth0 Changelog for updates and announcements! https://auth0.com/changelog#5qqdIZNejp2RrBR4CC5bf5 Mon, 28 Apr 2025 00:00:00 GMT We are thrilled to introduce the Limited Early Access release of Federated Logout for Okta and OIDC enterprise connections! Auth0 customers now have a straightforward solution to ensure that an end user is logged out of both Auth0 and OIDC IdP sessions via the Auth0 logout endpoint. This feature is built upon the [OpenID Connect RP-initiated federated logout specification](https://openid.net/specs/openid-connect-rpinitiated-1_0.html), allowing customers to effectively mitigate security risks without the need to directly access IdP logout endpoints. Federated logout has already been supported for a some IdPs, [listed here](https://auth0.com/docs/authenticate/login/logout/log-users-out-of-idps), as well as through the dedicated Google and Microsoft Entra ID connectors. This features expands federated logout capabilities to all OIDC Identity Providers via the generic OIDC and Okta connectors. To enable the Federated Logout Limited Early Access release in your Auth0 tenant, please contact your Technical Account Manager to request access. https://auth0.com/changelog#4y4YPwiEh3rr6oPp2Xg2xy Sat, 26 Apr 2025 00:00:00 GMT Users can now enroll in Guardian Push directly from their mobile device—no QR code scanning required. Enrollment is supported in both the Guardian App and custom Guardian-powered apps, making setup faster and easier on mobile. https://auth0.com/changelog#KzqGuyGjz30eYzqyO7hj9 Tue, 22 Apr 2025 00:00:00 GMT This feature gives developers real-time output from Action, Custom Database Scripts, and Custom Social Connections code when executing console.log and other similar commands. To use the feature, navigate to the *__Dashboard > Monitoring > Action Logs__*. What's new: - __Connection Status:__ New connectivity status indicator for easier visualization of connection state to server stream. - __Functionality:__ New functionalities for on demand connectivity, easier scrolling, and file downloading, which supplement the already existing ones. - __User Experience:__ Improved user experience regarding look and feel and performance. - __Docs:__ New docs section at: [https://auth0.com/docs/customize/actions/actions-real-time-logs](https://auth0.com/docs/customize/actions/actions-real-time-logs "Actions Real-time Logs Docs") https://auth0.com/changelog#5JS0K4l8w2u78iZqy80C9n Wed, 16 Apr 2025 00:00:00 GMT We’re excited to introduce Token Vault, now available in Early Access. Token Vault enables your applications to securely access third-party APIs on behalf of your users—without requiring you to manage refresh tokens or create custom integrations for a broad range of external APIs and services. With Token Vault, Auth0 handles storing and refreshing access tokens from identity providers like Google, Github, Microsoft, and more. Your applications can then seamlessly call downstream APIs—such as Google Calendar, GitHub repositories, Microsoft Word, etc. This feature is currently only available for Public Cloud tenants. To enable the Early Access release for your Auth0 tenant, please connect with your Technical Account Manager. For complete setup instructions and more, refer to the [Token Vault documentation](https://auth0.com/docs/secure/tokens/token-vault). To learn about using Token Vault with Auth for GenAI, visit [Call Other's APIs on User's Behalf | Auth0](https://auth0.com/ai/docs/call-others-apis-on-users-behalf). Let the API access magic unfold! https://auth0.com/changelog#6ADAxkJiqhYXcCP1YspL7X Tue, 15 Apr 2025 00:00:00 GMT We're super excited to announce the developer beta of Auth0 MCP Server to make tenant management conversational, intuitive, and incredibly efficient for developers. Recently, Model Context Protocol (MCP) has been growing at a rapid pace and has enabled AI agents to communicate with external tools, resources, or remote services on behalf of users. Auth0 MCP Server lets developers interface with Auth0 using natural language instead of complex APIs or dashboard navigation, dramatically simplifying tenant management workflows. For instance, developers could simply ask Claude to create a new Auth0 app, deploy a new Action, or perform any other supported management operation. __This initial release includes:__ - __Support for 20+ Auth0 Management operations:__ Create and manage applications, APIs, Actions, Logs, and Forms through simple, natural language conversations. - __Secure Authentication:__ Grant tenant access to your MCP clients via a secure auth flow with built-in support for scopes and session management. - __Multi-Step Management Workflows:__ Perform complex operations like "create an application with specific permissions and deploy a security Action" in a single conversation. - __Seamless Integrations:__ Native support for Claude Desktop, Windsurf, Cursor, and many other MCP clients. Get started with a simple command: `npx @auth0/auth0-mcp-server init` Learn more about the Auth0 MCP Server: [https://github.com/auth0/auth0-mcp-server/](https://github.com/auth0/auth0-mcp-server/ "https://github.com/auth0/auth0-mcp-server/") https://auth0.com/changelog#4IKAziNmIfxw6JFvAhTnyX Thu, 10 Apr 2025 00:00:00 GMT [Auth0 Support Center](https://support.auth0.com/) Search now provides generative answers to search queries on Support Center. As part of this change, the answers/solutions in Support Center contain results from "Knowledge Articles" which are Auth0-created solutions to specific issues to help you troubleshoot better. To try it out, navigate to: https://support.auth0.com/ and enter a query in the search box on the homepage. To filter results by the new Knowledge Articles, select "Knowledge" on the left-hand side. https://auth0.com/changelog#53BivrYIYMipzAY0FnTvKh Tue, 08 Apr 2025 00:00:00 GMT We’re excited to announce the __Developer Preview__ of __Auth for GenAI__, a new offering purpose-built for AI-native, agent-based applications. __Auth for GenAI__ helps developers securely integrate authentication, API access, and fine-grained authorization into GenAI-powered apps using industry standards all wrapped in developer-friendly SDKs. This initial release includes: - __User Authentication__ via Universal Login (social, enterprise, passkeys, and more) with account linking - __Token Vault__ enabling AI agents to call APIs (Google, GitHub, Slack, etc.) on user's behalf - __Asynchronous Authorization__ to enable autonomous AI agents to asynchronously ask users for out-of-band authorization on sensitive actions via push notifications - __Authorization for RAG__ with resource-level access control powered by Auth0 FGA - SDK support for Next.js, Node.js, FastAPI, and popular AI frameworks like LangChain, Vercel AI SDK, and LlamaIndex - Sample apps, quickstarts, and ready-to-use templates Explore the Developer Preview at: [https://auth0.com/ai](https://auth0.com/ai) Join the discussion at our community: [https://community.auth0.com/c/auth-gen-ai](https://community.auth0.com/c/auth-gen-ai) https://auth0.com/changelog#3gUQiLnGukpNaOw6p3ERH9 Mon, 07 Apr 2025 00:00:00 GMT We’re excited to introduce __Tenant Access Control List (ACL)__, a powerful new security feature that allows you to control who can access your tenant. With the __Tenant ACL__, you can define custom rules to __allow, block, or redirect requests__ based on predefined signals, helping you secure and optimize your environment with precision. __Benefits__ ✔ __Reduce Attack Surface__ – Block malicious traffic before it reaches your tenant. ✔ __Enhance Security__ – Enforce custom access policies based on IPs, geolocation, user agents, and more. ✔ __Optimize Performance__ – Redirect traffic efficiently to improve user experience. __Early Access Availability:__ __Current Early Access:__ Available to all __Enterprise customers with the__ __Attack Protection add-on__ with the ability to create up to __10 access control list__. __Upcoming Limited Early Access:__ Rolling out to __all Enterprise customers__ in __Q2 2025__ with the ability to create up to one __access control list__. Please view our online documentation [here](https://auth0.com/docs/secure/tenant-access-control-list) for additional details and to learn how to enable **Tenant Access Control Lists**. https://auth0.com/changelog#275CgZQkgr43K85q2YKrjV Wed, 02 Apr 2025 00:00:00 GMT We’re excited to announce that the __Mobile Driver’s License Verification Service__ is now in __Limited Early Access__. Auth0’s Mobile Driver’s License (mDL) Verification Service enables customers to enrich user profiles with trusted information during signup and login flows as well as perform ad-hoc verification and validation checks. Additionally, utilizing a digital credential can streamline processes for businesses and financial institutions while allowing end-users more control over their information. With this feature, customers can perform ad-hoc mDL verification requests or integrate them into their existing authorization flows with our Forms widget. This Early Access release only supports the [ISO/IEC TS 18013-7:2024](https://www.iso.org/standard/82772.html) standard and the REST API, also known as Web API, protocol. To enable the Limited Early Access release in your Auth0 tenant, please review the available [documentation](https://auth0.com/docs/secure/mdl-verification) and if interested, please fill out [this](https://docs.google.com/forms/d/e/1FAIpQLScEZSizEo6prfnxg_8YvU3Pv0s6rwryEpjEZt_9X3vplQhXVQ/viewform) form to request access. We are limiting the number of customers for whom this will be enabled and will reach out to you with more details. If you have any feedback, give us a shout in our [community channel](https://community.auth0.com/)! https://auth0.com/changelog#44rEHWw8XPzsjrCwNSpPtW Tue, 01 Apr 2025 00:00:00 GMT We’ve added Domain Verification to the Self-Service SSO workflow — making it easier and more secure for your customers to manage their SSO setup. __Simpified & Secure__ Your customers can now verify domains directly within the Self-Service SSO wizard, reducing manual steps and ensuring only trusted domains are used for Home Realm Discovery (HRD). This strengthens security and eliminates the need for external verification workflows. __Flexible Configuration Options__ As a tenant admin, you have control over how domain verification is enforced when creating Self-Service SSO tickets: - Off – Domain verification is hidden from the wizard - Optional – Customers can choose to skip verification and still enable connections - Required – A domain must be verified before enabling the connection This gives you the flexibility to balance user experience and security based on your customers' needs.  Learn more about Self-Service SSO in the [product documentation](https://auth0.com/docs/authenticate/enterprise-connections/self-service-SSO). By using Self-Service SSO Domain Verification, you agree to the applicable Free Trial terms in Okta’s Master Subscription Agreement and [Okta’s Privacy Policy](https://www.okta.com/privacy-policy/) during use of the Early Access feature. The Free Trial terms can be found within the Master Subscription Agreement at [https://www.okta.com/agreements](https://www.okta.com/agreements). https://auth0.com/changelog#JSIvLDuIxl4Vvubx8g24r Tue, 01 Apr 2025 00:00:00 GMT Auth0 is excited to announce new enhancements to the Self-Service SSO experience: __Self-Service SSO Ticket Creation in the Dashboard__ Tenant admins can now generate SSO tickets directly from the Manage Dashboard, removing the need for API access. This update simplifies the process for all teams and makes it easier to experiment, configure, and roll out federated SSO integrations. __Enhanced SAML Configuration Options__ Tenant admins can now configure whether IdP-Initiated SSO is allowed at the time of ticket creation. Additionally, in the wizard, IT admins have the option to choose whether authentication requests should be signed, offering more flexibility and control to meet varying security and compliance needs.  These updates enhance accessibility, security, and ease of use. Learn more about Self-Service SSO in the [product documentation](https://auth0.com/docs/authenticate/enterprise-connections/self-service-SSO). https://auth0.com/changelog#3t61fp6lqBGWEWddiqCtwf Tue, 01 Apr 2025 00:00:00 GMT We are excited to announce that we are expanding our US public cloud offering with a brand new environment! prod-us-5 is a testament to our growth and provides a big capacity boost to onboard new Auth0 Public Cloud customers. This new public cloud environment supports all the standard Auth0 Authentication and Management capabilities in a highly secure, resilient, and scalable deployment infrastructure. All US Public Cloud customers who are using [IP allow list](https://auth0.com/docs/secure/security-guidance/data-security/allowlist "IP Allowlist") to permit outbound traffic from Auth0 are advised to update their firewall rules with the [latest info](https://auth0.com/docs/secure/security-guidance/data-security/allowlist#united-states "Latest US IP Allowlist") at their earliest convenience. https://auth0.com/changelog#5APMrGt8hbiRvuDh6wJdKe Mon, 31 Mar 2025 00:00:00 GMT We’ve updated our bot detection model to improve accuracy and keep up with evolving traffic patterns. - __Improved detection__: The new model is more effective at identifying and stopping bot activity. - __More computationally efficient__: Updated architecture enables more efficient decision-making. - __Trained on fresh data__: Reflects the latest trends in traffic to better spot malicious behavior. This enhanced security capability is now available to all Enterprise customers with the __Attack Protection__ add-on. The rollout is currently underway and will be completed in the coming weeks, aligned with individual customer release schedules. For details on activation or to learn more, please refer to our [documentation](https://auth0.com/docs/secure/attack-protection/bot-detection) or reach out to your account team. We are here to support you in protecting your systems against evolving threats. https://auth0.com/changelog#1wnn4u7KN4VNwN5fRYuHUc Mon, 31 Mar 2025 00:00:00 GMT We are excited to announce the next Early Access release of Advanced Customizations for Universal Login! This release adds support for building custom versions of Universal Login’s Organizations screens, the MFA TOTP screens, and the matching Reset Password Challenge factors all using the new ACUL SDK. Advanced Customizations for Universal Login enables you to build custom, client-rendered interfaces for Universal Login screens, allowing you to control every pixel of your Universal Login experience. This release allows you to building custom versions of the following screens: * Accept Invitation * Organization Selection * Organization Picker * MFA OTP Enrollment QR * MFA OTP Enrollment Code * MFA OTP Challenge * Reset Password MFA OTP Challenge * Reset Password MFA Email Challenge * Reset Password MFA Push Challenge Push * Reset Password MFA SMS Challenge **DX Updates** The latest versions of the ACUL SDK and our CDT tooling all include support for these new screens. * [Typescript SDK](https://github.com/auth0/universal-login/releases/tag/auth0-acul-js%400.1.0-beta.3) (includes a breaking change, see the [changelog](https://github.com/auth0/universal-login/blob/auth0-acul-js%400.1.0-beta.3/packages/auth0-acul-js/CHANGELOG.md#auth0-acul-js010-beta3-2024-03-28) for migration steps) * [Auth0 CLI](https://github.com/auth0/auth0-cli/releases/tag/v1.10.1) * [Deploy CLI](https://github.com/auth0/auth0-deploy-cli/releases/tag/v8.7.1) * [Terraform Provider Auth0](https://github.com/auth0/terraform-provider-auth0/releases/tag/v1.15.0) We are well on our way to adding support for everything that Universal Login currently supports out of the box. Checkout our [online documentation](https://auth0.com/docs/customize/login-pages/advanced-customizations) to learn more about ACUL and stay tuned to the Auth0 Changelog for updates and announcements! https://auth0.com/changelog#1at7TjSZUGT6hIJL8zTSn9 Tue, 25 Mar 2025 00:00:00 GMT Auth0 Customers have historically struggled to easily discover changes to the User Lifecycle (user create, updated or deleted), by relying on suboptimal solutions such as Actions or Logs. Event Streams changes this: customers can now subscribe to [events](https://auth0.com/docs/deploy-monitor/events/event-types#user-event-types) that trigger each time there is a change in the User Lifecycle, regardless of the connection the customer was created, and route those events to either a [Webhook](https://auth0.com/docs/deploy-monitor/events/create-an-event-stream#webhooks) or [AWS EventBridge](https://auth0.com/docs/deploy-monitor/events/create-an-event-stream#aws-eventbridge). Auth0 is now accepting Beta Testers to this new feature. See the [Auth0 Docs](https://auth0.com/docs/deploy-monitor/events) for further instructions. https://auth0.com/changelog#1KZ2jueX8JSVlyGXCaWnB0 Tue, 25 Mar 2025 00:00:00 GMT The Auth0 Dashboard allows customers to reset the code for a Custom Provider when they click the Reset button. Previously, this experience was different across Custom Email and Phone Provider in both the behavior of the button and the text displayed throughout the reset process. This behavior has been fixed, and now the reset functionality is consistent across both features. https://auth0.com/changelog#3gR889G5ZwMqgn3r5UrmRA Tue, 25 Mar 2025 00:00:00 GMT This feature gives developers better observability regarding Actions execution errors both at the Auth0 Dashboard and external Log Stream Platforms. Here's a summary of the key points: - __Execution Error Handling:__ The feature captures the unhandled Actions execution errors and facilitates them as Tenant logs. - __Event Log Type:__ There is a [new Event Log Type](https://auth0.com/docs/deploy-monitor/logs/log-event-type-codes "actions_execution_failed") regarding Actions execution errors that can be visualized at the Dashboard > Monitoring > Logs. - __Log Streams:__ The new event log type is also sent through Log Streams. - __Log Stream Filter:__ There is a [new Log Stream Filter](https://auth0.com/docs/customize/log-streams/event-filters#actions-event-filters "Action Execution - Failure") focused on Actions execution errors. https://auth0.com/changelog#3LCFto2kZe1vwS1j4NgUkq Wed, 19 Mar 2025 00:00:00 GMT We’ve added a new language option-Japanese-to help our users in Japan and beyond build secure identity solutions more easily. If your language preference is set to Japanese in your browser settings, Auth0 will detect this and automatically serve the Dashboard and Documentation in Japanese. You can manually override this setting in the Auth0 Dashboard and Docs via the language switcher in the top-right corner. https://auth0.com/changelog#7jOPIpRJkZD6WIbD2rl9o1 Sat, 15 Mar 2025 00:00:00 GMT Integrating Auth0 Guardian into your iOS projects is now easier than ever with Swift Package Manager (SPM) support! With this update, you can seamlessly add Guardian authentication directly in Xcode—no manual setup required. https://auth0.com/changelog#4zrZTaM42g4JonyoiSnllJ Fri, 14 Mar 2025 00:00:00 GMT **Credential Guard** is now supported for Private Cloud on Azure customers! This enhancement brings: - 🔍 **Proactive Threat Hunting** – A dedicated security team infiltrates criminal communities and gains access to breach data that isn’t otherwise available–enabling detection of compromised passwords within 12–36 hours instead of the traditional months - ⏱ **Faster Detection** – Detects breaches 250% faster than standard automated solutions - 🌍 **Expanded Coverage** – Automates breached password detection coverage in over **200+ countries and territories**, ensuring that users worldwide receive consistent, localized protection. For additional details and to learn how to enable **Credential Guard**, please view our online documentation [here](https://auth0.com/docs/secure/attack-protection/breached-password-detection#detect-breaches-faster-with-credential-guard). https://auth0.com/changelog#1IOpDQG3mVWHqm0caRWaSo Thu, 13 Mar 2025 00:00:00 GMT We’re excited to announce that __Custom Phone Providers and the Unified Phone Experience__ are now Generally Available. __Custom Phone Providers__: With this feature, customers can configure custom phone providers and customize phone messages not only when leveraging phone number as an identifier, but also when using MFA and Passwordless! Auth0’s CI/CD tooling (Auth0 CLI, Deploy CLI, and Terraform Provider) now fully supports Custom Phone Providers. To access these new capabilities, upgrade to the latest versions of Auth0 CLI, Deploy CLI, and Terraform Provider. We encourage you to get started with Custom Phone Providers today by checking out our [documentation](https://auth0.com/docs/customize/phone-messages/configure-phone-messaging-providers/configure-a-custom-phone-provider) and if you have any feedback, give us a shout in our [community channel](https://community.auth0.com/)! __Unified Phone Experience__: The Unified Phone Experience offers a consolidated experience where you can configure a tenant-level phone provider that will be used for Phone as ID, MFA, and Passwordless flows. Additionally, the management of phone templates will be centralized on a single page. This unification aims to reduce redundancy across Auth0 features and present a more streamlined user experience. The unified experience will be the default for any new tenants created after this release, and existing tenants will have the ability to revert to the legacy experience if desired. We encourage you to try out the new Unified Phone Experience and provide feedback and questions to us through our [community channel](https://community.auth0.com/). Information on how to migrate to the new experience can be found [here](https://auth0.com/docs/customize/phone-messages/unified-phone). https://auth0.com/changelog#6WO1k5K2NkOOMAJfBzSicd Tue, 11 Mar 2025 00:00:00 GMT We're improving both account security and user experience by extending **Breached Password Detection** to the **password reset flow**. #### 🔹 What’s New? Previously, users could unknowingly reset their passwords to compromised credentials, creating security risks and potentially requiring another reset. With this update, you can now prevent users from setting their password to a known breached credential during the reset flow -just like during sign-up and login. Additionally, with this rollout we have also **increased coverage** of Breached Password Detection on Sign-Up to cover the **Management API**! #### 🚀 Benefits **Stronger security** – Protects against compromised credentials at every stage. **Better user experience** – Avoids unnecessary password resets by blocking breached passwords upfront. This update helps prevent your users from using known compromised credentials throughout their password lifecycle, giving your users stronger security on their accounts. For additional details and to learn how to enable **Breach Password Detection on Password Reset Flows**, please view our online documentation [here](https://auth0.com/docs/secure/attack-protection/breached-password-detection). https://auth0.com/changelog#74c2uLl6e8lqQIxStziaLo Wed, 26 Feb 2025 00:00:00 GMT This feature allows developers to ensure their custom database scripts are compatible with specific Node.js runtime versions. Here's a summary of the key points: - __Bulk Testing Compatibility:__ The feature can test the compatibility of custom database scripts with different supported Node.js runtime versions. - __Database Connections Limit:__ It is available if your tenant has 1 to 10 database connections with custom database scripts enabled. - __Navigation Path:__ The feature can be accessed by going to Tenant Settings → Advanced → Extensibility → Verify Custom DB Scripts. __Actions Based on Results:__ After testing, the results can be verified and corrective actions can be taken if any compatibility issues are identified. Checkout our online documentation to learn more about [Extensibility Tenant Settings](https://auth0.com/docs/get-started/tenant-settings#extensibility "Extensibility Tenant Settings")! https://auth0.com/changelog#5eI6NDpHUh2NMfJ1Qq9jJ3 Mon, 24 Feb 2025 00:00:00 GMT We are excited to announce the next Early Access release of Advanced Customizations for Universal Login! This release adds support for building custom versions of Universal Login’s MFA enrollment screens and 3 of our most common MFA factors using the new ACUL SDK. Advanced Customizations for Universal Login enables you to build custom, client-rendered interfaces for Universal Login screens, allowing you to control every pixel of your Universal Login experience. This release allows you to building custom versions of the following screens: * MFA Detect Browser Capabilities * MFA Begin Enroll Options * MFA Enroll Result * MFA Login-options * MFA Email List * MFA Email Challenge * MFA Country Codes * MFA SMS Enrollment * MFA SMS List * MFA SMS Challenge * MFA Push Welcome * MFA Push Enrollment QR * MFA Push List * MFA Push Challenge Push We are well on our way to adding support for everything that Universal Login currently supports out of the box. Checkout our [online documentation](https://auth0.com/docs/customize/login-pages/advanced-customizations) to learn more about ACUL and stay tuned to the Auth0 Changelog for updates and announcements! https://auth0.com/changelog#4AFBdU3hLHE0bL1pIUCFVQ Wed, 19 Feb 2025 00:00:00 GMT We have deprecated the Node.js 12 and 16 extensibility runtimes in all environments and recommend using the Node.js 22 runtime for your extensibility integrations (such as Actions, Rules, Hooks, Custom Database Connections, and Custom Social Connections). We have provided additional information and timelines for removing the deprecated runtimes through a dashboard and support center notification. https://auth0.com/changelog#6y3ocHXDsxHZLQ5LN8xSgw Wed, 12 Feb 2025 00:00:00 GMT We have deprecated the invalidation of user sessions when performing database connection user update (PATCH - `/api/v2/users/{id}`) requests where: * The `email` or `email_verified` attributes are set to an unchanged value; * The `email_verified` attribute is set to a `true` value. These changes allow for consistent behavior between setting an email as verified through the Management API and the built-in email verification flows provided by the service. In addition, it improves the overall end-user experience by avoiding session invalidation in situations that do not require it, such as setting either the `email` or `email_verified` attributes to unchanged values. The dashboard will be updated with a migration toggle to opt out of the deprecated behavior ahead of its future end-of-life; we have provided additional information and timelines for enforcing this change through a [dashboard and support center notification](https://manage.auth0.com/#/notifications/67ab8c121f5c740896fcfd19). https://auth0.com/changelog#YNknZt7wie7qPAZBfehXu Tue, 11 Feb 2025 00:00:00 GMT End User TOTP enrollment for Native devices is now more intelligent! For end users enrolling into a TOTP factor on a mobile device, Auth0 skips the QR code and prompts for manual code entry with the QR code as a fall back option. Check out [Auth0 Temporary OTP](https://auth0.com/docs/secure/multi-factor-authentication/auth0-guardian#temporary-one-time-passwords) for more detail! https://auth0.com/changelog#2znS0wuMXkUc6FpVWbzZN8 Tue, 11 Feb 2025 00:00:00 GMT We are excited to introduce the Usage Metrics Dashboard in Okta Fine-Grained Authorization (FGA), providing customers with deeper visibility into their authorization usage. This new dashboard, available under the “Manage Account” section of the Okta FGA dashboard, helps teams monitor, analyze and manage their FGA consumption efficiently. What’s New? ## - __Monitor Key Metrics__: Track Monthly Active Users (MAUs), Total Tuple Count, and Monthly Average Requests Per Second (RPS). Time Frame Selection: View trends over the Last Month or Last 3 Months, with the current month’s data always included for the latest insights. - __Granular Data Views__: Click on “View Table” option to see a detailed breakdown of usage by store and time period. - __Hourly Updates__: Data is refreshed hourly to help you make informed decisions. Learn More: ## Check out the [documentation](https://docs.fga.dev/intro/dashboard#usage-metrics-dashboard) for details on how to use the dashboard effectively. https://auth0.com/changelog#xAFUkGxOSC5aO3IoVBIyL Mon, 10 Feb 2025 00:00:00 GMT __Email OTP Verification__ is now __Generally Available (GA)__, minor improvements will continue to roll out over the next __1-4 weeks__ to enhance performance and usability. With __Email OTP Verification__, users are required to enter a One-Time Password (OTP) sent to their email during the signup or password reset process. This ensures email verification happens __before__ account creation or password reset is completed, offering enhanced security and reducing the chances of mistyped or fake email accounts. __Key Highlights:__ - __Synchronous Email Verification:__ Prevents account creation or password reset until users verify their email via OTP. - __Improved Security:__ Helps prevent fake accounts, ensures accurate email addresses, and discourages phishing through email links. - __Applicability:__ Available for both email verification during signup and password reset challenges. __Prerequisites:__ - Must be using __Universal Login__. - Connection must have __Flexible Identifiers__ enabled. - Email OTP is only compatible when using the __Identifier First Authentication Profile__. To enable this feature, navigate to the __Attributes__ tab on any connection and change the __Verification Method__ under the __Email__ attribute settings from __Verification Link__ to __OTP__. https://auth0.com/changelog#5wjT8AZCChc2zGWBC3UlMa Thu, 06 Feb 2025 00:00:00 GMT We are thrilled to announce the Early Access release of Custom Token Exchange. __Enterprise customers__ can now request access to use this feature. Token Exchange is an OAuth grant-type that enables the exchange of security tokens for other security tokens, typically access_tokens. Custom Token Exchange provides a flexible __solution using Actions that allows customers to provide their custom logic to control the exchange__ - i.e. effectively providing the means to implement custom authentication semantics using Actions.  This __added flexibility__ can be used by customers to tackle __advanced integration use cases__, such as: - Seamlessly migrating users to Auth0 - Integrating external IDPs - Exchanging Auth0 tokens for a different audience - ... and other use cases where regular federation and/or OIDC flows are not an option To learn more, read our [documentation](https://auth0.com/docs/custom-token-exchange-early-access). Reach out to you Auth0 contact to request access! https://auth0.com/changelog#3vAOS1iFG0OAu7uRPmAvYd Thu, 06 Feb 2025 00:00:00 GMT At Auth0, we understand that no two customer identity stories are the same. Every company has a brand identity, a secret sauce, and a unique aesthetic vision. Today, we are very excited to introduce the next evolution in customization for Universal Login, **Advanced Customizations for Universal Login** (ACUL). ACUL enables your team to build custom, client-rendered versions of each Universal Login screen, allowing you to control every pixel of the Universal Login experience.  This Early Access release of ACUL is available to all paid customers. Public cloud customers can start using it today! Those on private cloud will be enabled as part of their regular release cycle. This initial EA release provides a new configuration API, CDT and SDK support, and allows you to build custom versions of the following screens: * Login * Login Id * Login Password * Login Passwordless Email Code * Login Passwordless SMS OTP * Signup * Signup Id * Signup Password * Passkey Enrollment * Passkey Enrollment Local * Phone Identifier Enrollment *(used for identity verification during Signup)* * Phone Identifier Challenge *(used for identity verification during Signup)* * Email Identifier Challenge *(used for identity verification during Signup)* * Interstitial Captcha * Reset Password * Reset Password Email * Reset Password Request * Reset Password Error * Reset Password Success The following flows and capabilities are supported in ACUL EA: * Single step Signup & Login with password and social & enterprise connections * [ID First Signup/Login](https://auth0.com/docs/authenticate/login/auth0-universal-login/identifier-first) using password, passwordless email/SMS OTP, passkeys, and social & enterprise connections * Basic Reset Password flow with and without Bot Detection * [Flexible Identifiers](https://auth0.com/docs/authenticate/database-connections/activate-and-configure-attributes-for-flexible-identifiers) with and without identity verification enabled during Signup * [Bot detection](https://auth0.com/docs/secure/attack-protection/bot-detection) with any of our 7 supported Captcha providers during the Signup, Login, and Reset Password flows * Capturing additional data during Signup and Login using [custom prompts](https://auth0.com/docs/customize/login-pages/universal-login/customize-signup-and-login-prompts) This is just the beginning! In the coming months, we will be adding support for every screen and capability that Universal Login currently supports out of the box, a shiny new Dashboard UI for configuring ACUL, and lots more DX goodness! Checkout our [online documentation](https://auth0.com/docs/customize/login-pages/advanced-customizations) to learn more about ACUL and stay tuned to the [Auth0 Changelog](https://auth0.com/changelog) for updates and announcements! https://auth0.com/changelog#kR21qiOZkM2jAlFDaId7D Mon, 03 Feb 2025 00:00:00 GMT Auth0 is delighted to introduce __Hyderabad__ as the latest AWS region for Private Cloud deployments. Hyderabad follows Mumbai as the __second AWS region for Auth0 Private Cloud available in India!__ This new addition unlocks reduced latency and increased flexibility for Auth0 deployments on AWS. We stand committed to meeting our customers’ data residency and resiliency needs in an ever expanding global market. https://auth0.com/changelog#5bDyvep4pSfmGPIqLbpiBF Fri, 31 Jan 2025 00:00:00 GMT We’re thrilled to announce that Auth0 now supports Universal Logout integration with Okta Workforce Identity Cloud! Okta Universal Logout is based on the [Global Token Revocation](https://www.ietf.org/archive/id/draft-parecki-oauth-global-token-revocation-04.html) specification and allows security incident management tools [Okta Identity Threat Protection](https://www.okta.com/products/identity-threat-protection/) to send back-channel requests to revoke users' sessions and refresh tokens when they identify a change in risk. With this feature, Auth0 customers federating with Okta Workforce Identity using the [Okta](https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/okta), [SAML](https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/saml), or [OpenID Connect](https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/oidc) connection types no longer need to build a global token revocation endpoint. Instead, with minimal configuration required, they can provide the Okta admin with Auth0’s connection-specific endpoint URL. This integration provides security benefits for apps that depend on refresh tokens and Auth0 sessions, as both are revoked when Auth0 receives a Universal Logout request for a user. This integration can also trigger Auth0's OIDC back-channel logout feature to terminate custom application sessions. To learn more about Universal Logout support in Auth0, click [here](https://auth0.com/docs/authenticate/login/logout/universal-logout). This feature will be rolled out to all public cloud environments over the next few days and to private cloud environments as per their release pipeline. https://auth0.com/changelog#5dsLx6mbN14AVGiiMq13CJ Fri, 31 Jan 2025 00:00:00 GMT We are excited to introduce the Per-Module Authorization feature. This enables large organizations to securely share authorization models by specifying which application credentials can update data for specific modules. Teams that are responsible for their own separate services can now limit access to modification of authorization data on a per-module basis. Last year, we released [Modular Models](https://docs.fga.dev/modeling/modular-models), where a single model could be separated into modules across multiple files, allowing teams to use features in their source code management platforms (such as GitHub’s [CODEOWNERS](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners) feature) to enforce access on who can modify parts of a model. Per-Module Authorization builds on top of that work to further define permissions for applications. Workflows can be implemented where different teams maintain their portion of an FGA model independently and also ensure that the services and applications owned by the respective teams can only modify their own authorization data. For more details, refer to Okta FGA’s [documentation](https://docs.fga.dev/intro/dashboard#grant-authorized-clients-access-to-write-specific-modules) on how to grant client credentials access to only specific modules. https://auth0.com/changelog#77VW39HIqFeKgp8R3I97Q2 Fri, 31 Jan 2025 00:00:00 GMT Customers now have Enhanced Rate Limit Reporting via Logs, including: - Increased Rate Limit Log (api_limit) Publishing Frequency: receive 1X per minute notifications indicating when you have exhausted a rate limit. - New Rate Limit Warning Log (api_limit_warning): receive 1X per minutes notifiactions indicating when you have exhuasted 80% of your rate limit request token allocation. - Enhanced Logs Schema: additional attributes of HTTP path and method and bucket size will be included to allow for easier mapping between Logs and API Rate Limit Configuration Docs. https://auth0.com/docs/troubleshoot/customer-support/operational-policies/rate-limit-policy/rate-limit-configurations https://auth0.com/changelog#4ySJSSzRRpM4X46Wmw4xgl Thu, 30 Jan 2025 00:00:00 GMT We are excited to announce the next major version of Next.js SDK. With the introduction of [nextjs-auth0 v4](https://github.com/auth0/nextjs-auth0), we now support Next.js 15 and React 19, allowing developers to leverage the latest features and improvements in both frameworks. This compatibility not only enhances the development experience but also ensures that applications can take full advantage of performance optimizations. This updated SDK features a simplified architecture and is edge-compatible by default, enhancing performance and flexibility for developers. What’s new: - __Middleware-Based Authentication:__ Improved compatibility and reduced maintenance by moving to middleware-based handlers. - __Enhanced Security:__ Switched to encrypted cookies and removed outdated cookie logic. - __Resolved State Mismatch Issues:__ Fixed long-standing issues reported by the community. - __Improved Session Management:__ Implemented rolling sessions and eliminated cookie chunking. - __Improved Hooks and Helpers:__ Introduced useUser(), getAccessToken(), and getSession() for easier data fetching and session handling. - __Stateful Sessions with Custom Databases:__ Support for "Bring Your Own Database" (BYODB). - Compatibility with __Next.js 15__, __Turbopack__, and __React 19__ - __Simplified architecture__, API, and configuration options Learn More: - [Quickstart](https://auth0.com/docs/quickstart/webapp/nextjs/interactive) - [Migration Guide](https://github.com/auth0/nextjs-auth0/blob/v4/V4_MIGRATION_GUIDE.md) https://auth0.com/changelog#67eu2QraEWdl35ncWI4juN Tue, 28 Jan 2025 00:00:00 GMT __What’s Changing:__ We are improving the Dashboard configuration experience for email providers. The default From address field will be required when creating or updating email provider configuration through the Dashboard. Customers do not need to take immediate action, and the Management API will maintain the field as optional for backward compatibility. __Key Dashboard Updates:__ 1. __Configuring New Email Providers__: Customers must supply a default From address when configuring a new email provider. 2. __Changing Existing Email Providers__: Customers must supply a default From address when updating an existing email provider. Existing configured email providers that do not have a From address configured will continue to work as before. __Why This Matters__: An email provider configured without a default From address may lead to a poor user experience because email template customizations are not supported when a customer-defined From address is unavailable. By requiring a default From address at the email provider level, email template customizations will be respected even if the email template does not have a template-specific From address. __Rollout Timing__: We plan to roll out this change in the coming days. After the rollout, customers can expect to see the enforcement of this required field on the Dashboard. https://auth0.com/changelog#12QGektcPla7VCIHBuPZbq Thu, 23 Jan 2025 00:00:00 GMT We’re excited to announce that __Custom Email Providers__ is now __Generally Available__. With this feature, customers can configure custom email providers and customize emails so they can have full control of the email delivery process. This feature utilizes the Actions framework and leverages the Actions Code Editor so you can more completely manage, monitor, and troubleshoot your email communications. Auth0’s CI/CD tooling (Auth0 CLI, Deploy CLI, and Terraform Provider) now fully supports Custom Email Providers. To access these new capabilities, upgrade to the latest versions of Auth0 CLI, Deploy CLI, and Terraform Provider. We encourage you to get started with Custom Email Providers today by checking out our [documentation](https://auth0.com/docs/customize/email/configure-a-custom-email-provider) and if you have any feedback, give us a shout in our [community channel](https://community.auth0.com/)! https://auth0.com/changelog#uSkXYIKdBmyqPrVYGiy7O Tue, 21 Jan 2025 00:00:00 GMT This Beta feature logs in real-time output form your custom Actions code. This includes all console.log output and exceptions. For example, a custom Action code such as below: console.log("Hello world!"); Will show up within Dashboard > Monitoring > Actions Logs as  You can also use examples such as below to catch and log errors for making it easy to debug and troubleshoot your Actions. try { nonExistentFunction(); } catch (error) { console.error(error); // Expected output: ReferenceError: nonExistentFunction is not defined // (Note: the exact output may be browser-dependent) } These logs are not stored and are only available within the dashboard when you are logged in and are on the Dashboard > Monitoring > Actions Logs tab within the browser. These logs are designed to help you troubleshoot as you write or modify your custom Actions code. https://auth0.com/changelog#2IqqBG3BK3I106CUNaH67Z Thu, 16 Jan 2025 00:00:00 GMT Node.js 22 is now generally available (GA) as a runtime for your extensibility integrations (such as Actions, Rules, Hooks, Custom Database Connections etc). New Actions created will now default to Node 22 as the runtime. As part of this release, we have also split runtime selection for Legacy Extensibility (for Rules & Hooks) separate from the general Extensibility (for Custom Database Scripts & Custom Social Connections). These setting are available within [Tenant > Settings > Advanced](https://manage.auth0.com/#/tenant/advanced) and allows you to individually manage desired runtime configuration as required.  Please [refer to our docs](https://auth0.com/docs/troubleshoot/product-lifecycle/deprecations-and-migrations/migrate-nodejs-22) for more details on how to migrate to Node 22. https://auth0.com/changelog#3ZrVbbCnPj73zLAtsYJ2DT Wed, 08 Jan 2025 00:00:00 GMT We are delighted to announce that support for the Client-Initiated Backchannel Authentication (CIBA) flow is now available in Early Access. The CIBA flow works as a *decoupled authentication flow* across two different devices: - Consumption device: initiates the authentication request. - Authentication device: handles end-user authentication, implemented as a custom mobile app which embeds the Guardian mobile SDK. The CIBA flow supports a number of powerful use cases driven by backend client applications, such as: - Customer authentication by headless devices or devices with limited interaction capabilities. - Customer authentication in call centre scenarios. - Authorising sensitive operations on behalf of yourself or a third-party e.g. a customer service agent. To evaluate CIBA for securing your sensitive customer interactions, contact your Technical Account Manager. For more details, check out our [product documentation](https://auth0.com/docs/get-started/authentication-and-authorization-flow/client-initiated-backchannel-authentication-flow). https://auth0.com/changelog#6x1jrek8o6B0jawVrMf4Lz Mon, 06 Jan 2025 00:00:00 GMT We’ve added the **Organization ID** to the [Auth0 Tenant Logs](https://auth0.com/docs/deploy-monitor/logs/log-event-type-codes) for the **Successfully revoked a refresh token (srrt)** event. This enhancement allows you to correlate the organization associated with the revoked refresh token for improved tracking and auditing. https://auth0.com/changelog#3q3spQ0gy65bD3TfJ0H4Pk Tue, 24 Dec 2024 00:00:00 GMT We have increased the max secret value length from 2048 to 4096 to allow for larger secrets to be stored within Actions.  You can [refer to our docs](https://auth0.com/docs/customize/actions/limitations) for further details on Actions limitations. https://auth0.com/changelog#6dU1z4kaQGtbpwBAREKPni Fri, 20 Dec 2024 00:00:00 GMT We're excited to introduce the new 10,000 RPS (100x) tier for Auth0 Private Cloud Performance offering on AWS. This enhanced tier supports a higher volume of authentication requests, complementing the existing 30x and 60x tiers for customers who need high performance thresholds. Please see [Private Cloud documentation](https://auth0.com/docs/deploy-monitor/deploy-private-cloud/private-cloud-on-aws) to learn more. https://auth0.com/changelog#vORFD5pVfw1XjRZJPrig7 Wed, 18 Dec 2024 00:00:00 GMT Auth0 is pleased to announce the Early Access (EA) of enhanced support for customer data recovery. This resilience feature is available to a set of Private cloud customers during EA. It would come handy in the event of customer data loss or data corruption, and would assist customers in meeting regulatory requirements such as European Union’s Digital Operational Resilience Act (DORA). Customer will be able to request restoration of their production Private Cloud space from a backup within the past 14 days. Please refer to [Operational policies](https://auth0.com/docs/troubleshoot/customer-support/operational-policies) documentation for details. https://auth0.com/changelog#4ho5yIJq5H1W4nzGbrqcgT Wed, 18 Dec 2024 00:00:00 GMT The new Bot Detection ML model designed to detect signup attacks is now available for Classic Login and Custom Login implementations. For customers using Classic or Custom login experiences, this enhancement leverages advanced machine learning to identify and block automated signup attacks effectively. For those using New Universal Login, no configuration changes are required. This feature was rolled out for New Universal Login in September, as highlighted in the changelog [here](https://auth0.com/changelog#7o1YXe52Gl7jEYENzFikEn). Below is the demo showcasing how to enable this feature in Auth0 for Classic and Custom Login experiences.  This enhanced security capability is now available to all Enterprise customers with the Attack Protection add-on. The rollout is underway and will be completed in the coming weeks, aligned with individual customer release schedules. For details on activation or to learn more, visit our [documentation](https://auth0.com/docs/secure/attack-protection/bot-detection) or reach out to your account team. We’re here to support you in protecting your systems against evolving threats. https://auth0.com/changelog#5oIM2qgfSDZaSno8B0mhri Wed, 18 Dec 2024 00:00:00 GMT Introducing a new capability within the Security Center Dashboard offering - __Security Center Alerts for Thresholds__ Early Access. This new feature expands on the Security Center metrics and Thresholds to allow Enterprise customers to not only monitor their tenant security but also receive notifications when a threat metric exceeds their predefined thresholds. Customers can now configure __webhook alert notifications__ on security threat metrics and monitor when threats exceed the acceptable value. To learn more Alerts for Thresholds, click [here](https://auth0.com/docs/secure/security-center/security-alerts) https://auth0.com/changelog#1JYqRsMZrhOFfnkDOIwv6R Tue, 17 Dec 2024 00:00:00 GMT We’re excited to announce that all __Customizable Email Templates__ have been styled with a modern look and feel and are now __live__! No verbiage or content has been changed on any of the emails and customers that have customized the email templates are unaffected.  https://auth0.com/changelog#5vaUFTqeuw5MB3mYskvU45 Fri, 13 Dec 2024 00:00:00 GMT Announcing General Availability of Auth0 Dashboard Login Session Management. A feature that allows Auth0 Dashboard admins to view and revoke active dashboard sessions for an added layer of security to the session idle timeout for both our Public and Private Cloud customers.  Click [here](https://auth0.com/docs/get-started/dashboard-profile/auth0-dashboard-login-session-management) to learn more about Auth0 Dashboard Login Session Management. https://auth0.com/changelog#1Yusq2sGxZU8e0ek2VQKfK Fri, 13 Dec 2024 00:00:00 GMT Single Sign On (SSO) allows one set of credentials to access multiple resources through a centralized identity provider (IdP). Auth0 Teams security policies allows team owners to configure and implement authentication rules that adhere to their organization's IT security policies for access to infrastructure systems or applications. Announcing in beta the ability for team owners to self-configure and connect their IdP to provide SSO for dashboard administrators.  Auth0 Teams Self-Service SSO beta is currently limited to Public Cloud Enterprise customers. Interested in the BETA? Reach out to your Technical Account Manager to enrol in our beta program. https://auth0.com/changelog#2bUwE7f6OMP2XZXGbnqrUf Thu, 12 Dec 2024 00:00:00 GMT We’re excited to announce that we’ve __increased the number of metadata slots for Organizations from 10 to 25__! This enhancement provides you with more flexibility to store and manage additional data within your organization, enabling a more customized and efficient approach to your workflows. To learn more about Organizations, click [here](https://auth0.com/docs/manage-users/organizations). https://auth0.com/changelog#4cxBs6aYqPxuXS5BErj2SQ Wed, 11 Dec 2024 00:00:00 GMT We are delighted to announce that Customer Managed Keys is now generally available. This solution within the Highly Regulated Identity solution suite enables organizations to comply with cryptographic key-related security policies for data protection. Customer Managed Keys provides customers with two options for key management: Control Your Own Key and Bring Your Own Key. With Control Your Own Key, you can manage the lifecycle of the Tenant Master Key according to your security policy. Bring Your Own Key allows you to maintain ownership of the Root Key that protects the encryption key hierarchy. These features enable compliance with cryptographic key-related security policies for data protection.  You can read more about this in our [product documentation](https://auth0.com/docs/secure/highly-regulated-identity/customer-managed-keys). https://auth0.com/changelog#166ZJIqF1s245oGxE0LbDX Tue, 10 Dec 2024 00:00:00 GMT We added a new API command available in the Password Reset / PostChallenge trigger. This API allows Tenant Developers to specify the url to redirect a user to upon the completion of a password reset on Universal Login. Here is an example of using the command to redirect the user to a sample url after a successful password reset: exports.onExecutePostChallenge = async (event, api) => { api.transaction.setResultUrl('https://yourapp.yourdomain.com/profile'); }; You can learn more in our [reference documentation.](https://auth0.com/docs/customize/actions/explore-triggers/password-reset-triggers/post-challenge-trigger/post-challenge-api-object) https://auth0.com/changelog#C6DchsoFTLQF1kDyuyKnD Tue, 10 Dec 2024 00:00:00 GMT We’ve introduced a new Batch Check endpoint to the Okta FGA API, allowing clients to batch multiple authorization checks into a single request. This enhancement reduces the network latency associated with previously needing to performing multiple Check API requests in parallel, resulting in faster and more efficient requests for applications with high authorization demands. For more details, refer to the [Okta FGA Batch Check documentation](https://docs.fga.dev/integration/perform-check#03-calling-batch-check-api). https://auth0.com/changelog#4x71B72kxmb8KKeF7oBtHt Mon, 09 Dec 2024 00:00:00 GMT We’re thrilled to announce that our fourth-generation Bot Detection has been upgraded to incorporate additional aggregated tenant-level insights. This upgrade strengthens bot detection across both public and private cloud environments, providing a more precise and robust defense against malicious activity while ensuring a seamless and secure experience for all users. This enhanced security capability is now available to all Enterprise customers with the Attack Protection add-on. The rollout is currently underway and will be completed in the coming weeks, aligned with individual customer release schedules. For details on activation or to learn more, please refer to our [documentation](https://auth0.com/docs/secure/attack-protection/bot-detection) or reach out to your account team. We are here to support you in protecting your systems against evolving threats. https://auth0.com/changelog#3d5bBhUBr9gq6l0OgMlIS Thu, 28 Nov 2024 00:00:00 GMT Auth0 is excited to announce that __Self-Service SSO__ is now in __General Availability__. Our Self-Service SSO feature is designed to simplify and streamline the administrative tasks that are essential for every B2B SaaS product. By equipping your business customers to configure their own Single Sign-On setups, we provide them with a seamless, intuitive experience—eliminating the need for complex IT involvement. This flexibility not only enhances security but also improves the overall user experience, giving businesses more control and agility while reducing overhead.  This feature is available for B2B Professional, Enterprise and Enterprise Premium customers. [Click](https://auth0.com/docs/authenticate/enterprise-connections/self-service-SSO) here to learn more. https://auth0.com/changelog#44PDb6M3wb0Ah2S0lWaAzr Mon, 18 Nov 2024 00:00:00 GMT We have transitioned the Rules and Hooks features to a read-only mode in all public cloud environments as part of their [announced deprecation](https://auth0.com/docs/troubleshoot/product-lifecycle/deprecations-and-migrations#rules-and-hooks-deprecations) plan. You can still disable, delete or re-enable an existing Rule or Hook. You can also add or remove Rules settings (for updating stored secrets) or Hook secrets but you will no longer be able to modify their script. If this impacts you, our recommendation is to migrate to Actions. Refer to the following docs for more details: - [Migrate Rules to Actions](https://auth0.com/docs/customize/actions/migrate/migrate-from-rules-to-actions) - [Migrate Hooks to Actions](https://auth0.com/docs/customize/actions/migrate/migrate-from-hooks-to-actions) https://auth0.com/changelog#1xsQFhFAzHA8PAEUYO64H5 Mon, 18 Nov 2024 00:00:00 GMT Hello everyone, We're thrilled to announce the beta release of nextjs-auth0 SDK v4! This new version brings significant improvements, new features, and fixes to enhance your development experience. ### Important Notice About v3 As we move forward, **we will not be updating v3 of the SDK to support Next.js 15**. This allows us to focus on v4, which offers a wealth of new features and improvements. This will also enable us to support future releases of Next.js faster and with more confidence. We understand this may pose challenges, and we're here to help. v3 will continue to receive critical security updates for 6 months after the GA of v4. ### Highlights of v4 Beta - Middleware-Based Authentication: Improved compatibility and reduced maintenance by moving to middleware-based handlers. - Enhanced Security: Switched to encrypted cookies and removed outdated cookie logic. - Resolved State Mismatch Issues: Fixed long-standing issues reported by the community. - Improved Session Management: Implemented rolling sessions and eliminated cookie chunking. - Improved Hooks and Helpers: Introduced useUser(), getAccessToken(), and getSession() for easier data fetching and session handling. - Stateful Sessions with Custom Databases: Support for "Bring Your Own Database" (BYODB). - Compatibility with Next.js 15, Turbopack, and React 19 - Simplified architecture, API, and configuration options ### Try It Out and Provide Feedback We invite you to explore the beta release and share your feedback to help us improve before the general availability release. We are currently targeting a general availability release by the end of December. **Beta Release:**[ v4.0.0-beta.3](https://github.com/auth0/nextjs-auth0/releases/tag/v4.0.0-beta.3) ### Need Help with Migration? If you encounter challenges migrating to v4, please don't hesitate to[ open an issue](https://github.com/auth0/nextjs-auth0/issues) and our team will assist you. We're committed to making the transition as smooth as possible. Thank You for Your Support We appreciate your understanding as we focus on making v4 the best it can be. Your feedback is invaluable, and we're here to support you every step of the way. Happy coding! 🚀 — The Auth0 DX SDK Team https://auth0.com/changelog#2o4tKtDIj8rkVTLtPFVnMP Thu, 14 Nov 2024 00:00:00 GMT Auth0 is excited to announce the following updates to Self-Service SSO: 1. __Custom Introduction Text:__ You can now customize the welcome message on the wizard's landing screen, aligning the experience with your brand’s tone and engaging users right from the start. 2. __PingFederate Support:__ We've expanded our list of supported Identity Providers (IdPs) to include PingFederate, giving you more flexibility in your authentication options. 3. __Revoking SSO Access Tickets:__ Our [new API endpoint](https://auth0.com/docs/api/management/v2/self-service-profiles/post-revoke) lets you revoke SSO access tickets at any time. 4. __Updated Ticket Expiration:__ Access tickets are now consumed only when a connection is created, enabled or edited — like when updating SAML or OIDC details — avoiding issues with scanners opening them prematurely. 5. __Customized Login Experience:__ When creating a [ticket](https://auth0.com/docs/api/management/v2/self-service-profiles/post-sso-ticket), you can now define the login experience — adding optional parameters for Home Realm Discovery, Organization Auto-Membership, and more to tailor every step of the way. To learn more, see the [Self-Service SSO documentation](https://auth0.com/docs/authenticate/enterprise-connections/self-service-SSO). https://auth0.com/changelog#fIOOykW0Bo8oGnweYsrpT Thu, 14 Nov 2024 00:00:00 GMT We are excited to announce that our fourth-generation Bot Detection has been upgraded with user-agent signals, and is now integrated into our proprietary machine learning model. This enhancement improves our capability to detect and thwart bot activity, further strengthening protection against malicious traffic without adding any additional friction for legitimate users. This security feature is available to all Enterprise customers with the Attack Protection add-on. We are currently rolling out this enhancement and expect to complete the process within the next few weeks, aligned with your individual release schedules. For activation details or further information, please check our [documentation](https://auth0.com/docs/secure/attack-protection/bot-detection) or reach out to your account team. We’re here to support you in safeguarding your systems against evolving threats. Thank you for trusting us with your security needs. https://auth0.com/changelog#2kb02dZ0aUVSeiXFCWh94l Wed, 13 Nov 2024 00:00:00 GMT Actions now supports the following APIs within the `post-login` trigger. - `api.samlResponse.setRelayState(relayState)` - `api.samlResponse.setIssuer(issuer)` You can see all available API methods supported within the `post-login` trigger along with details on these methods [from this link](https://auth0.com/docs/customize/actions/explore-triggers/signup-and-login-triggers/login-trigger/post-login-api-object). https://auth0.com/changelog#44gTuD39RuPAkscToASHXh Thu, 07 Nov 2024 00:00:00 GMT The possibility to __scope machine-to-machine access to a specific organization is now Generally Available__. This feature allows you to define the organizations that a given application can access for each API via the [Client Credentials Flow](https://auth0.com/docs/get-started/authentication-and-authorization-flow/client-credentials-flow).  You can easily __define and enforce access to one, many, or all the organizations in your tenant and securely expand the reach of your SaaS APIs__ to more use cases and scenarios, making sure sensitive data and operations are only accessible to authorized parties. After configuring the access rights for your API, you simply have to inspect the `org_id` in access tokens of incoming requests, independently of whether they come from third-party applications or your own applications. This feature is available for B2B Professional, Enterprise and Enterprise Premium customers. To learn more, read the [reference documentation](https://auth0.com/docs/manage-users/organizations/organizations-for-m2m-applications). https://auth0.com/changelog#53Xa7DWGNjfp1xR0H3IJj7 Fri, 25 Oct 2024 00:00:00 GMT Auth0 is delighted to launch __Private Performance Burst AWS - 30x (3000 RPS*) and 60x (6000 RPS)__ offerings for Private Cloud deployments on AWS. These cost-effective Private Performance options scale the Authentication traffic up to 3000 RPS and 6000 RPS respectively for 80 hours a month, and allow usage up to 1500 RPS and 3000 RPS respectively for the remaining duration. The elevated transaction capacity comes handy for planned and unplanned traffic spikes, e.g. during product launches, large media events, seasonal activities, and unpredictable usage peaks. The Private Performance Burst offering is just another milestone in our commitment to providing the functionality and flexibility our beloved customers need. Please refer to [Private Performance Burst documentation page](https://auth0.com/docs/troubleshoot/customer-support/operational-policies/rate-limit-policy#private-performance-burst) for more information. *RPS: Requests Per Second https://auth0.com/changelog#1lm0834e2c4KIfUnzq832G Wed, 23 Oct 2024 00:00:00 GMT The [Okta FGA](https://fga.dev) authorization modeling language allows defining conditions that can be used to express certain ABAC authorization policies. Previously, if you wanted to take advantage of that feature you needed to use the [Okta FGA API](https://docs.fga.dev/api/service) or the [FGA CLI](https://docs.fga.dev/getting-started/cli). Now, with the [Okta Fine Grained Authorization Dashboard](https://dashboard.fga.dev "Okta FGA Dashboard"), you can create conditional relationship tuples and specify context parameters in assertions, making it easier to fully define ABAC-like conditions directly within the dashboard. For more details, refer to the [Okta FGA dashboard documentation](https://docs.fga.dev/intro/dashboard#conditions). https://auth0.com/changelog#4GnZ402Djv8tv1uFfKE4XA Wed, 09 Oct 2024 00:00:00 GMT The Google Workspace Enterprise connection now supports an **Extended Group Attribute Format** option. When selected, group memberships are written to the Auth0 user profile as an array of JSON objects containing the group unique ID, group name, and group email address for each group retrieved from Google. For more information, see [Connect Your App to Google Workspace](https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/google-apps). This feature is immediately available in the public cloud and will be rolled out to private cloud environments in the next few weeks as per the release pipeline. https://auth0.com/changelog#HYcmSunb8QSkT16N1rFN5 Mon, 07 Oct 2024 00:00:00 GMT Auth0 is excited to introduce the following updates to Self-Service SSO: 1. Tenant admins now have the ability to choose which IdPs to display when their customers are setting up an SSO profile through the set up wizard, making the entire process more efficient and customizable. 2. We've added support for Keycloak expanding the available IdPs. 3. When no user attributes exist in the SSO profile, we skip the Claims Mapping instructions in the SSO wizard. 4. When testing the connection, the JSON has been formatted to show on multiple lines. To learn more, see the [Self-Service SSO documentation](https://auth0.com/docs/authenticate/enterprise-connections/self-service-SSO). https://auth0.com/changelog#3algyxnXQC2c5IaV1BEjuL Wed, 02 Oct 2024 00:00:00 GMT In our continuing effort to improve our security posture, Auth0 will no longer retain closed support tickets older than 24 months. Closed support tickets older than 24 months will be deleted on October 16. To view your support tickets, you can navigate to [https://support.auth0.com/tickets](https://support.auth0.com/tickets) . For questions or issues on this change, please reach out to [Support](https://support.auth0.com/). https://auth0.com/changelog#26FQraKOkaff8RNS9KGsyN Wed, 02 Oct 2024 00:00:00 GMT We’re excited to announce that __Custom Phone Providers__ in is now in __Early Access__. With this feature, customers can configure custom phone providers and customize phone messages associated with using phone number as an identifier. Using a custom phone provider for MFA and passwordless phone messages is planned for a later release. This early access release enables you to: - Configure your preferred phone provider for phone messages - Leverage various contexts for using different providers, including organization, client, user, and more We encourage you to get started with Custom Phone Providers today by checking out our [documentation](https://auth0.com/docs/customize/phone-messages/configure-phone-messaging-providers/configure-a-custom-phone-provider) and if you have any feedback, give us a shout in our [community channel](https://community.auth0.com/)! https://auth0.com/changelog#2ZTFNd9CQxFZEGuPcNBAvy Mon, 30 Sep 2024 00:00:00 GMT Auth0 is delighted to introduce the __United Arab Emirates (UAE)__ as the latest __AWS region for Private Cloud__ deployments. We are committed to enhancing our presence in the Middle East. The UAE joins Bahrain as the second AWS region for Auth0 Private Cloud in this part of the world. This expansion opens up new possibilities in the UAE, where Private Cloud deployment is already supported on Azure. https://auth0.com/changelog#RwR20l4xOR2jB3pb0tEgq Fri, 27 Sep 2024 00:00:00 GMT Okta CIC is excited to announce that Universal Login now satisfies out of the box or provide configurability to satisfy the guidelines for the [EN 301 549](https://www.etsi.org/human-factors-accessibility/en-301-549-v3-the-harmonized-european-standard-for-ict-accessibility) standard. We have updated our VPAT to include this information and it is available on [Okta.com](https://www.okta.com/accessibility/). By ensuring that Universal Login is accessible to all users, we enable our customers to confidently secure their applications with accessible authentication. See our [online documentation](https://auth0.com/docs/authenticate/login/auth0-universal-login#accessibility) for more details. https://auth0.com/changelog#3usfvu6YBZi85bkZKDxCJ0 Fri, 27 Sep 2024 00:00:00 GMT We have introduced __Email OTP Verification__ as a new method for email verification, available in Early Access. Expect to see the feature in your environments within the next 1-4 weeks. With __Email OTP Verification__, users are required to enter a One-Time Password (OTP) sent to their email during the signup or password reset process. This ensures email verification happens __before__ account creation or password reset is completed, offering enhanced security and reducing the chances of mistyped or fake email accounts. __Key Highlights:__ - __Synchronous Email Verification:__ Prevents account creation or password reset until users verify their email via OTP. - __Improved Security:__ Helps prevent fake accounts, ensures accurate email addresses, and discourages phishing through email links. - __Applicability:__ Available for both email verification during signup and password reset challenges. __Prerequisites:__ - Must be using __Universal Login__. - Connection must have __Flexible Identifiers__ enabled. - Email OTP is only compatible when using the __Identifier First Authentication Profile__. To enable this feature, navigate to the __Attributes__ tab on any connection and change the __Verification Method__ under the __Email__ attribute settings from __Verification Link__ to __OTP__.  https://auth0.com/changelog#59iYsCKQa7DzLBhXbrkW3F Fri, 27 Sep 2024 00:00:00 GMT **What’s Changing:** We are improving the user experience when adding or updating identifiers (email, phone number, or username) in profiles. **Key Updates:** 1. **New Identifier**: When a new identifier type (email, phone, or username) is added to a user profile where one **does not already exist**, the user’s session **will not be terminated**. This allows for a smoother **progressive profiling** experience, where users can add new identifiers without disruption. 2. **Changing Existing Identifier**: When an existing identifier is modified, the user’s session **will terminate**, and the user will have to re-authenticate. This ensures security best practices are followed when updating key account information. **Why This Matters:** Previously, any update to an identifier (whether adding or changing it) would terminate the user’s session. This could lead to a poor experience, especially during progressive profiling, where users are expected to update or add information without being logged out. With this update, customers can offer a seamless experience for users adding new identifiers while maintaining strict security for changes to existing identifiers. **Rollout Timing:** This change will be rolled out progressively over the next 1-4 weeks. Customers can expect to see the updated session handling behavior in their environments during this period. **Action Required:** No immediate action is required from customers, but it is recommended to review any user flows that involve the addition or modification of identifiers to ensure they align with this change. https://auth0.com/changelog#tKdrsqdxsu6VXwxjtgAJv Wed, 25 Sep 2024 00:00:00 GMT We are happy to announce that we just added two new endpoints to our Session Management APIs: [POST /api/v2/users/{id}/revoke-access](https://auth0.com/docs/api/management/v2/users/user-revoke-access) – This endpoint allows you to revoke sessions for a user and decide if you want to revoke the associated Refresh Tokens. [POST /api/v2/sessions/{id}/revoke](https://auth0.com/docs/api/management/v2/sessions/revoke-session) – This endpoint will revoke the session and all its related Refresh Tokens. Please refer to the [Auth0 Management API](https://auth0.com/docs/api/management/v2/introduction) for more information. https://auth0.com/changelog#381kyZEXvNtDDtmThhooDh Wed, 25 Sep 2024 00:00:00 GMT Auth0 Actions dashboard experience & documentation has been updated to consolidate around the concept of "Triggers" (as opposed to our previous mix of Flows and Triggers). A trigger represent points in the Auth0 process where Actions can be added. We believe this change will make it easier for you to identify available customization options (now simply labelled as [triggers](https://auth0.com/docs/customize/actions/explore-triggers)) and how they can be leveraged to personalize your identity needs.  *Please note that this change does not have any impact on the current functional behaviour of Actions within Auht0.* https://auth0.com/changelog#4VRbIKzoiaecSdBG9UG4bD Tue, 24 Sep 2024 00:00:00 GMT Continuous Session Protection is now generally available for enterprise customers, providing powerful tools to dynamically manage Sessions and Refresh Tokens within Auth0 Actions. This feature offers flexible options to configure expiration settings, access additional session and token data, and revoke sessions when necessary, enhancing security and control. Key benefits of Continuous Session Protection include: - Dynamic Session and Token Expiration: Configure custom absolute and idle timeouts for Sessions and Refresh Tokens using the new setExpiresAt(Date) and setIdleExpiresAt(Date) methods. These settings can be applied across users, organizations, or specific connections to meet your security and compliance needs. - Enhanced Security with Revocation: Revoke Sessions and Refresh Tokens programmatically using Actions, based on custom logic or risk assessments. This allows you to take immediate action when suspicious behavior is detected or when tokens no longer meet your security policies. - Comprehensive Session and Token Insights: Access additional session and refresh token attributes within Actions, enabling you to make more informed, data-driven decisions for managing user sessions. - These features allow enterprise customers to dynamically improve their security posture by customizing session behavior, enforcing shorter expiration times for high-risk roles (such as administrators), and revoking tokens when necessary to mitigate risks. To learn more, visit the product documentation: [Continuous Session Protection](https://auth0.com/docs/secure/continuous-session-protection)  https://auth0.com/changelog#5AJRElXf1TTPEd4PhlPwC8 Thu, 19 Sep 2024 00:00:00 GMT We're happy to announce SaaStart: a complete B2B SaaS reference application built using Next.js, Radix UI and Auth0 by Okta. Clone [the repo](https://github.com/auth0-developer-hub/auth0-b2b-saas-starter) to get a head start on the capabilities that you'll need to support enterprise customers of your SaaS app - like multi-tenant user management and access controls, security policies, self-service Single Sign-On configuration and more... Give us a holler in [the Auth0 community](https://community.auth0.com/t/saastart-b2b-saas-reference-app/136654) if you have any questions!  https://auth0.com/changelog#XI8fwHVlNCGzDvsAqDMvC Thu, 19 Sep 2024 00:00:00 GMT **Passwordless Connection Support** Universal Login now supports customizing the passwordless signup and login authentication flows, allowing customers to address their unique data capture, security, and compliance requirements when users authenticate with email and SMS one-time passwords. See our [online documentation](https://auth0.com/docs/customize/login-pages/universal-login/customize-signup-and-login-prompts) for more information, instructions and examples. **Dev Tooling support for the Partials API** Auth0’s CI/CD tooling (Auth0 CLI, Deploy CLI, Terraform Provider) now fully supports the Partial API including the new Passwordless prompts. As a bonus, Partials can now also be edited using Auth0 CLI’s UL Customize interface. Run `auth0 ul customize` in your terminal to see it in action. To access these new capabilities, upgrade to the latest versions of Auth0 CLI, Deploy CLI, and Terraform Provider.  https://auth0.com/changelog#VGNKvp0wOwJrdIuK0BpWd Wed, 18 Sep 2024 00:00:00 GMT You are now able to individually test a [Custom Database script](https://auth0.com/docs/authenticate/database-connections/custom-db) for a specific Node runtime version.  This will help to validate script changes against a target runtime version before you modify the default global tenant configuration for [Extensibility runtime](https://auth0.com/docs/get-started/tenant-settings#extensibility). You can read more about how to use this feature [in our documentation](https://auth0.com/docs/authenticate/database-connections/custom-db/custom-database-connections-scripts/environment#testing-a-specific-runtime-version). https://auth0.com/changelog#5ib02GuRv9Smc2mOSqq7Ts Tue, 17 Sep 2024 00:00:00 GMT We’re excited to announce that Forms is now generally available in Okta Customer Identity Cloud! This new feature allows you to extend your login and signup flows with additional steps and business logic.  What's new: 1. __Pass data between Forms and Actions:__ now you can easily [inject server-side data](https://auth0.com/docs/customize/forms/render#inject-custom-data-with-shared-variables-server-side-) from Actions to Forms, and [use the collected data](https://auth0.com/docs/customize/forms/render#fields-and-shared-variables-data-in-actions) in Forms in your Actions. 2. __New form components:__ [custom fields components](https://auth0.com/docs/customize/forms/custom-field-components) to create your own fields UI with code, image block to personalize your form adding logos or images, and HTML block to customize it with code. 3. __Organizations support:__ forms now inherit organization branding, and there is available [context data](https://auth0.com/docs/customize/forms/variables#available-variables) about the organization you're using. 4. __Management API:__ create and manage forms using the Management API. 5. __Other changes:__ added new templates, rich text editor improvements, and new masking options for your flows. Learn more: - [Product documentation.](https://auth0.com/docs/customize/forms) - [Templates.](https://developer.auth0.com/resources/templates) - [Blog Post.](https://auth0.com/blog/auth0-forms-go-ga/) https://auth0.com/changelog#sBMFPDMRYxo61vnu9G7oH Tue, 17 Sep 2024 00:00:00 GMT We’re excited to announce that support for [Okta Universal Logout](https://help.okta.com/oie/en-us/content/topics/itp/universal-logout.htm) in Okta Customer Identity Cloud is now in Limited Early Access! Okta Universal Logout is based on the [Global Token Revocation](https://www.ietf.org/archive/id/draft-parecki-oauth-global-token-revocation-02.html) specification and allows security incident management tools [Okta Identity Threat Protection](https://www.okta.com/products/identity-threat-protection/) to send back-channel requests to revoke application users' sessions and refresh tokens when they identify a change in risk. With this feature, customers who use [Okta Workforce Connections](https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/okta) in Auth0 no longer need to build their own Global Token Revocation endpoints to support Universal Logout. Simply enable it for your Okta Workforce connection and provide the endpoint URL to the Okta Workforce administrator. To enable the Limited Early Access release in your Auth0 tenant, please contact your Technical Account Manager to request access. https://auth0.com/changelog#4ICbasDeZ41t3ER3LFYwXJ Mon, 16 Sep 2024 00:00:00 GMT We’re excited to announce the introduction of support for multiple Self-Service SSO profiles! This new feature allows you to customize Self-Service SSO profiles configurations to meet your diverse needs, including different required attributes and branding. With this update, you can now tailor SSO setups more precisely to fit your company's unique requirements. Learn more about Self-Service SSO in the [product documentation](https://auth0.com/docs/authenticate/single-sign-on/self-service-SSO "product documentation"). https://auth0.com/changelog#7dDom9KCNEKxCxeUa9gcPR Thu, 12 Sep 2024 00:00:00 GMT Within the Security Center Dashboard offering, customers can now set [metric thresholds](https://auth0.com/docs/secure/security-center/security-alerts). This new feature provides Enterprise customers with an enhanced proactive capability around the various Security Center monitors they track. Customers can now configure thresholds on security threat metrics and monitor when threats exceed the acceptable value. The feature is available in all Public cloud environments and rolling out to Private spaces throughout the next few weeks. https://auth0.com/changelog#3ZqzIY4EVn7T0OiwbKoLxC Thu, 05 Sep 2024 00:00:00 GMT We are excited to announce that our Bot Detection feature has been upgraded with a new machine learning model specifically designed to detect and prevent signup attacks. This enhancement integrates advanced ML capabilities into our proprietary Bot Detection system, significantly improving the identification of fraudulent account creation attempts. This feature is currently available in the New Universal Login experience, providing added security for customers utilizing our latest UI. For customers using the Classic Login or custom UI, we are evaluating options to extend these capabilities in the future. As always, to activate Bot Detection or if you require more detailed information, please visit our [online documentation](https://auth0.com/docs/secure/attack-protection/bot-detection) or contact your account team. We are here to assist you in ensuring your systems remain secure against evolving threats. https://auth0.com/changelog#7o1YXe52Gl7jEYENzFikEn Fri, 30 Aug 2024 00:00:00 GMT Okta FGA has now two deployment options: public cloud and private cloud. The public cloud option is a multi-tenant SaaS service available in three geographies: the United States, Europe, and Australia, offering a highly available multi-region deployment. The private cloud option, on the other hand, is tailored for enterprises seeking dedicated resources. Okta FGA Private Cloud leverages the same architecture principles that have been battle-tested with Auth0 for over two years. Private Cloud for Okta FGA has the following benefits: - Higher RPS: Private cloud instances are optimized for high request-per-second (RPS) performance, scaling up to five times the average RPS based on your application’s needs. - High Availability: Okta FGA for Private Cloud is always deployed in two AWS regions with active-active data replication, minimizing the chances of being impacted by an AWS region outage. - Data Residency and Compliance: Deploy your Private Cloud environment in any AWS region to meet specific data residency and compliance requirements. Initial regions include the US, Germany, Ireland, UK, France, Japan, India, Singapore, Australia, and Brazil. - Reduced Latency: Choose the AWS region closest to your application servers, which will significantly reduce latency for faster access control checks. - Multi-Geography Deployments: Businesses can replicate the same authorization data across multiple regions worldwide, allowing them to maintain low-latency authorization services even for globally distributed applications. For example, a company can have the same data in the US, EU, and Australia, have their authorization data replicated across all regions, and have their applications routed to the closest region. - Automated, Hardened Release: Benefit from automated weekly releases that are previously validated in Okta’s public cloud deployments. - Centralized Management: Customers can manage both private and public cloud instances seamlessly from the Okta FGA dashboard. Learn more in the [product documentation.](http://docs.fga.dev/okta-fga-private-cloud) https://auth0.com/changelog#1aIc85FS2BgJO8S58hTWtL Fri, 30 Aug 2024 00:00:00 GMT We are pleased to announce that developers using Okta FGA now have a way to specify their required consistency level when querying Okta FGA. To minimize latency, Okta FGA uses two levels of caching that can result on permissions changes not being reflected in authorization queries for up to 20 seconds. All query APIs (Check, Read, ListObjects, ListUsers, Expand) now have an additional optional parameter with two possible values: - __MINIMIZE_LATENCY__ (default): Okta FGA will try to minimize latency (e.g. by making use of the cache) - __HIGHER_CONSISTENCY__: Okta FGA will try to optimize for stronger consistency (e.g. by bypassing cache) When using HIGHER_CONSISTENCY, latency will be higher as Okta FGA will ready directly from the database. Developers need to make the trade off between consistency and latency depending on the use case. All SDKs were updated with support for the new parameter. You can learn more in the [Okta FGA documentation](http://docs.fga.dev/writing-data/consistency-modes). https://auth0.com/changelog#5qldEEHTfz5MVEIaY566ml Fri, 30 Aug 2024 00:00:00 GMT __[Prioritized Log Streams](https://auth0.com/docs/secure/security-center/prioritized-log-streams)__ is now Generally Available (GA) Now, Enterprise customers can stream a predefined set of security risk-related log events through a dedicated architecture with higher confidence. Customers can stream events to SIEM tools, monitor, and take action on Security events without interruption when there is an attack on the customer’s tenant or abnormally high user activity. The feature is available in all Public cloud environments and rolling out to Private spaces throughout the next few weeks. https://auth0.com/changelog#13F3tuosUypzOI4FcOu9Yp Fri, 30 Aug 2024 00:00:00 GMT Introducing a new capability within the Security Center Dashboard offering - [__Security Center Thresholds__](https://auth0.com/docs/secure/security-center/security-alerts) Early Access. This new feature provides Enterprise customers with an enhanced proactive capability around the various Security Center monitors they track. Customers can now configure thresholds on security threat metrics and monitor when threats exceed the acceptable value. The feature is available in all Public cloud spaces and will roll out to private spaces with the General Availability announcement. https://auth0.com/changelog#1clbNR5RVLAleCElIbKHg1 Wed, 28 Aug 2024 00:00:00 GMT Following on the objective to improve the capabilities to dynamically manage Sessions and Refresh Tokens, we are happy to announce that we have added new methods to control the expiration of Sessions and Refresh Tokens using Actions. Now you can control the absolute and inactivity timeouts with the new `setExpiresAt(Date)` and `setIdleExpireAt(Date)` methods, available for post-login Action objects `api.session` and `api.refresh_token`. They can be used in different use cases, for example, you can improve your security posture by enforcing shorter expiration times for administrators, specific Connections or Organizations. To learn more, read our public docs: [Sessions with Actions](https://auth0.com/docs/manage-users/sessions/manage-sessions-actions) and [Refresh Tokens with Actions](https://auth0.com/docs/secure/tokens/refresh-tokens/manage-refresh-tokens-actions). They are now available in Private Early Access. If you are an Enterprise customer, please reach out to your Technical Account Manager (TAM) to request access.  https://auth0.com/changelog#32BVhYejHO0i1NYhjrNNQS Tue, 27 Aug 2024 00:00:00 GMT We’re excited to announce that __Self-Service SSO__ on Customer Identity Cloud, powered by Auth0 is now in __Early Access__. This capability aims to streamline the administrative tasks that are critical for every B2B SaaS product. Our Self-Service SSO feature, provides our business customers' customer with a flexible, user-friendly experience for configuring their own single sign-on setups. These capabilities are now available in Early Access. If you are a B2B Professional or Enterprise customer, please reach out to your Auth0 account contact to request access.  https://auth0.com/changelog#6yUU9XNKYCS1zzW9FMm9Xh Fri, 23 Aug 2024 00:00:00 GMT Starting __February 23rd, 2025__, Auth0 will begin removing the ability to use the legacy, non-compliant UI for Universal Login. The new WCAG compliant version ensures that end users, including those who rely on assistive technology, can access and engage with a customer’s product or service. Read our [Universal Login Accessibility documentation](https://auth0.com/docs/authenticate/login/auth0-universal-login#accessibility) for more information. https://auth0.com/changelog#Gl5Iau4ISLOSGuAUqmYe0 Wed, 21 Aug 2024 00:00:00 GMT We're excited to announce the Early Access launch of Guide - an Okta AI powered chatbot here to answer your questions about the Auth0 platform. ### What is Guide? Guide is your new go-to for quick answers on all things Auth0. It pulls information from our docs, blog, and community to provide summarized responses and relevant links. You can access Guide by clicking the "Ask Guide" button in the top-right of your Auth0 Dashboard. Just ask your question and let Guide do the work. ### Availability Guide is available to tenants in the US Public Cloud region. Guide will be rolled out to all Public Cloud regions in the near future. https://auth0.com/changelog#43RTfzV8KvAG2lqBKoy8a9 Tue, 20 Aug 2024 00:00:00 GMT Today, we've reduced the minimum character requirement for *Organization Name* and *Organization Display Name* from 3 to just 1 character. Plus, our Organization search has been updated to return exact matches for queries with fewer than 3 characters. https://auth0.com/changelog#eeLptIN0waOspIUZiLLx0 Tue, 20 Aug 2024 00:00:00 GMT Okta CIC is happy to announce the next major version of the React Native SDK. With [react-native-auth0 v4](https://github.com/auth0/react-native-auth0 "GitHub: react-native-auth0 v4"), developers will be able to use advanced biometric authentication to obtain credentials. This new SDK version also makes it possible to switch between domains for authentication. We’re planning to release a GA version later in Q3 with major improvements to the SDK architecture and other new features. ###### What’s new 1. __Advanced Biometric Authentication:__ Use FaceID/Fingerprint to perform device authentication before obtaining credentials. 2. __Domain Switching:__ Dynamically switch domain/clientID to offer a personalised and contextual authentication experience. ###### Learn More 1. [Migration Guide](https://github.com/auth0/react-native-auth0/blob/master/MIGRATION_GUIDE.md#upgrading-from-v3---v4 "Migration Guide") 2. [Implementation Guide: Advanced Biometric Authentication](https://github.com/auth0/react-native-auth0/blob/master/README.md#requiring-authentication-before-obtaining-credentials "Implementation Guide: Advanced Biometric Authentication") 3. [Implementation Guide: Domain Switching](https://github.com/auth0/react-native-auth0/blob/master/EXAMPLES.md#domain-switching "Implementation Guide: Domain Switching") https://auth0.com/changelog#6pWelAu6R7sfd50nzV8V8z Tue, 20 Aug 2024 00:00:00 GMT Okta CIC is excited to announce that Universal Login now satisfies out of the box or provide configurability to satisfy the Web Content Accessibility Guidelines (WCAG) version 2.2 AA! We have published our VPAT and it is available on [Okta.com](https://www.okta.com/accessibility/). By ensuring that Universal Login satisfies the WCAG guidelines, we enable our customers to confidently secure their applications with accessible authentication. See our [online documentation](https://auth0.com/docs/authenticate/login/auth0-universal-login#accessibility) for more details. https://auth0.com/changelog#5baR8FpiDSxj3ERxR7YGC5 Fri, 16 Aug 2024 00:00:00 GMT Introducing a new Log Stream and Security capability, __[Prioritized Log Streams](https://auth0.com/docs/secure/security-center/prioritized-log-streams)__. Now, Enterprise customers can stream a predefined set of security risk-related log events through a dedicated architecture with higher confidence. Customers can stream events to SIEM tools, monitor, and take action on Security events without interruption when there is an attack on the customer’s tenant or abnormally high user activity. This feature is rolling out to public cloud spaces throughout the next couple of weeks https://auth0.com/changelog#2UjO2nIibCkbDsMdTsO6tT Thu, 15 Aug 2024 00:00:00 GMT The [Auth0 Changelog](https://auth0.com/changelog) now contains Release Version Numbers where applicable! Now, Private Cloud customers can view & filter for a specific version within the Changelog directly. Additionally, Private Cloud customers can view an environment's current version and next version from within the [Auth0 Support Center](https://support.auth0.com/) on the 'Private Instances' page and link directly to any feature releases in the Changelog that may be applicable to that version number. Public Cloud customers are not impacted by this change and should continue to use the Auth0 Changelog as they normally do. https://auth0.com/changelog#1JeCJFwhIUGlWC0YCwyWJZ Mon, 12 Aug 2024 00:00:00 GMT Have you ever wondered, as a user of the Auth0 platform, how many active sessions you have for the different Auth0 dashboard applications across your multiple devices? Introducing Auth0 Dashboard Login Session Management, allowing Auth0 Dashboard admins to not only view all active dashboard sessions but also the ability to revoke them. This beta feature provides an added layer of security to session idle timeout for our Public Cloud customers.  https://auth0.com/changelog#74GRx5qrZTRZlTV7QuVphH Thu, 08 Aug 2024 00:00:00 GMT #### What has changed? We have deprecated the "Support Access" Role so that the only tenant member role that now has access to the [“Subscription Tickets”](https://auth0.com/docs/troubleshoot/customer-support/open-and-manage-support-tickets#manage-subscription-tickets-) feature within the Auth0 Support Center are those with the new [Elevated Support Access role](https://auth0.com/docs/get-started/manage-dashboard-access/feature-access-by-role) within the [Role Based Access Control (RBAC)](https://auth0.com/docs/get-started/manage-dashboard-access/add-dashboard-users) feature in the Auth0 Management Dashboard. The Subscription Tickets feature in [Support Center](https://support.auth0.com/) allows access to view and manage **all tickets created by all users across a tenant. The current ‘Support Access’ role is now deprecated.** Tenant Administrators do not automatically inherit the new ‘Elevated Support Access’ role and will need to explicitly add themselves to the role via the Auth0 Management Dashboard to continue to have access to view and manage all tickets across their tenant(s) via the Subscription Tickets feature. **Tenant Administrators and all tenant members will still have access to the Auth0 Support Center to create and manage *their own tickets* without adding any additional roles.** #### Why did we make this change? In order to increase the security of the Auth0 Support Center, the ‘Subscription Tickets’ feature will be tied specifically to the new **Elevated Support Access** role so that access is not automatically inherited by all Tenant Admin users. This prevents roles from being able to see tickets they did not create without explicitly granting them access to do so. #### How are you affected? Tenant Administrators no longer have access to view and manage **all tickets** for your tenant on the ‘Subscription Tickets’ page in the Auth0 Support Center __unless__ the Elevated Support Access role is added to their user. **You will still be able to access the Auth0 Support Center and create & manage the support tickets you created.** #### What action do you need to take? If you have a paid subscription, you can add yourself and any other users who need to see/manage all tickets (even those they did not create) across the tenant to the new **Elevated Support Access** role from the Auth0 Management Dashboard. __You should also review who__ __currently has the legacy ‘Support Access’ role assigned and determine if they should be removed and/or added to have the new Elevated Support Access role.__ If you are currently on a Free plan, there is no action required and this communication is to inform you that you will only be able to view and manage support tickets that you created. #### How can you get additional assistance? We are here to help. Contact us by using the [Auth0 by Okta Support Center.](https://support.auth0.com/) https://auth0.com/changelog#58tFj1QmAmWuR8JfbGaUjT Fri, 02 Aug 2024 00:00:00 GMT Deleting a Team Member from the Teams dashboard removes access to Teams and now deletes the team member from all team tenants they are a member of. However, if you just want to remove access to one or more tenants, you can now do so from the Team Member's details page. Note: Tenant Member Management feature is required. This feature is on by default for all Self Service customers but is configurable for Public Cloud customers and is coming soon for Private Cloud customers. Please refer to the following documentation for more information. 1. [How do you delete a Team Member from a Team and remove access to all tenants?](https://auth0.com/docs/get-started/auth0-teams/team-member-management#delete-an-existing-team-member "Delete a Team Member") 2. [How do you delete a Team Member from one or more tenants?](https://auth0.com/docs/get-started/auth0-teams/tenant-member-management#delete-tenants-membership-with-tenant-member-management "Revoke Tenant Access from Teams.") 3. [I am a Public Cloud Customer; how do I verify that I have the suitable feature turned on to support tenant member management?](https://auth0.com/docs/get-started/auth0-teams/tenant-member-management#turn-on-tenant-member-management "Turning on Tenant Member Management.") Auth0 Teams is getting more exciting new features, and we can't wait to share them with you. https://auth0.com/changelog#4UAHMdQqR7SvZyKBRMM90W Fri, 02 Aug 2024 00:00:00 GMT The Log Stream filters have been updated with a new filter category. This category complements the [SCIM GA announcement](https://auth0.com/changelog#3iRVwR6TAFeSJhqIYwIWK2) and streams out only SCIM tenant logs when SCIM is enabled on the tenant. Through this capability, customers can monitor the full details of all the SCIM requests that Auth0 receives and get notified when a user is created, updated, or deleted using SCIM. This feature is immediately available in the public cloud and will be rolled out to private cloud environments in the next few weeks as per the release pipeline. https://auth0.com/changelog#101raEEhNSlwx8qH1BQixn Thu, 25 Jul 2024 00:00:00 GMT We are excited to announce that our fourth-generation Bot Detection is now enhanced with ASN reputation signals and untrusted IP data. This upgrade integrates ASN and related IP reputation data into our proprietary Bot Detection ML model, specifically targeting scripted attacks where attackers frequently change their IP addresses. This enhancement further improves our ability to detect and thwart bot activities, thereby strengthening protection against malicious traffic. This security feature is available to all our Enterprise customers with the Attack Protection add-on. We are currently rolling out this enhancement and expect to complete the process within the next few weeks, aligned with your individual release schedules. To activate Bot Detection or if you require more detailed information, please visit our [online documentation](https://auth0.com/docs/secure/attack-protection/bot-detection) or contact your account team. We are here to assist you in ensuring your systems are secure against sophisticated threats. https://auth0.com/changelog#3oBtz0qd2mJNzCFdvNJHUE Wed, 24 Jul 2024 00:00:00 GMT We are excited to announce that the Flexible Identifiers feature has transitioned to General Availability (GA). This update brings several key enhancements and improvements: **Key Updates:** - **Better Compatibility with Organizations:** We have improved the signup experience, particularly for users joining organizations via invitation links. The signup flow now collects the password after verifying the phone number, ensuring a smoother and more secure process. - **Username as Sole Identifier Improvements:** You can now allow self-service password reset with Username as the Sole Identifier, in order for this to work the end-user must have a valid email address on their account to receive a password reset email. - **Overall Increased Stability:** Comprehensive testing and refinements have enhanced the reliability and performance of the Flexible Identifiers feature, ensuring a smooth and dependable user experience. **Action Required:** - Conduct thorough testing in a development environment before [activating Flexible Identifiers](https://auth0.com/docs/authenticate/database-connections/activate-and-configure-attributes-for-flexible-identifiers) in your live environment. - Review the [Limitations Page](https://auth0.com/docs/authenticate/database-connections/flexible-identifiers-and-attributes) in our documentation for detailed information on feature constraints. This rollout will be completed over the next 1-4 weeks. We encourage you to explore these new capabilities and enhance your authentication processes. https://auth0.com/changelog#6plwJQ1ijFgBuo5FeFAOGA Tue, 23 Jul 2024 00:00:00 GMT We are delighted to announce that we are adding **27 new languages** to Universal Login’s extensive list of localization options. CIC customers can now localize their authentication journeys with out of the box translations for **78 different languages**! To learn more see the [Support Center article](https://support.auth0.com/notifications/669fb3319c8957e823a343b6) To see the full list of Universal Login localization options checkout our [online documentation](https://auth0.com/docs/customize/internationalization-and-localization/universal-login-internationalization). https://auth0.com/changelog#N24DeD6TQlpaHmd0h7tvP Tue, 23 Jul 2024 00:00:00 GMT We now offer the ability to subscribe via RSS/ATOM Feed for Auth0 Private Cloud Status Page on [status.auth0.com](https://status.auth0.com/). For more information on how to access Private Cloud Status information and subscribe to updates via RSS/ATOM feed, see [this documentation](https://auth0.com/docs/deploy-monitor/monitor/check-auth0-status#check-auth0-status-for-private-cloud). https://auth0.com/changelog#42sqlV4Rzf8Kjr7HJthexv Thu, 18 Jul 2024 00:00:00 GMT We’re excited to announce that Inbound SCIM for Enterprise Connections is now generally available in Okta Customer Identity Cloud! This initial release is tailored for B2B SaaS application developers who need to integrate with enterprise Identity providers that use SCIM 2.0 to manage user accounts in SaaS applications. This includes integrations with Okta Workforce Identity Cloud, Microsoft Entra ID, and other Enterprise identity providers that use SAML or OpenID Connect for user authentication. Developers can follow our configuration guide to see SCIM working in minutes. You can discover more by reading our documentation at [Configure Inbound SCIM](https://auth0.com/docs/authenticate/protocols/scim/configure-inbound-scim). This feature is immediately available in the public cloud and will be rolled out to private cloud environments in the next few weeks as per the release pipeline. https://auth0.com/changelog#3iRVwR6TAFeSJhqIYwIWK2 Thu, 18 Jul 2024 00:00:00 GMT A new User ID Attribute Type menu has been added to the [Microsoft Azure AD connection](https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/azure-active-directory/v2) type, which allows developers to select which Azure AD user attribute is mapped to the Auth0 user_id attribute. The options correspond to the two supported ID types (sub and oid) described in [Microsoft’s ID token claims reference](https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference#use-claims-to-reliably-identify-a-user). Whereas the Azure AD connection previously only supported the pairwise subject claim (sub), developers can now alternately choose the user object identifier claim (oid) which contains Azure AD’s immutable identifier for the user. When this option is selected, Auth0 writes the user_id value in the following format: waad|{connection-name}|{oid-value} The "oid" option is recommended for all new single-tenant Azure AD integrations. It is also required to achieve full user lifecycle management using Auth0’s [Inbound SCIM](https://auth0.com/docs/authenticate/protocols/scim/configure-inbound-scim) feature with Azure AD. https://auth0.com/changelog#6m1vHmhTkAoQ8aiK2OK01r Wed, 17 Jul 2024 00:00:00 GMT We are delighted to announce Early Access availability of Bring Your Own Key (BYOK) and Control Your Own Key (CYOK) as part of Highly Regulated Identity. - BYOK allows customers to upload and replace their Auth0 environment root key with their own customer provided root key in a secure process, known as a key ceremony. - CYOK allows customers to manage the lifecycle of their customer provided root key directly from the management API. It allows customers to rekey / rotate it according to their key management policies. https://auth0.com/changelog#2TeD0d5DAOmZQQDFIL3fiE Thu, 11 Jul 2024 00:00:00 GMT Auth0 is happy to announce that we have released improved capabilities to manage sessions and refresh_tokens in Actions. Now you can get detailed information on both using event.session and event.refresh_token. Additionally, you can revoke them by using api.session.revoke() and api.refreshToken.revoke() methods. These are powerful building blocks that can help you dynamically manage access for a wide variety of use cases, for example, you can improve your security posture by revoking sessions based on risk assessments. These capabilities are now available in Private Early Access. If you are an Enterprise customer, please reach out to your Auth0 account contact to request access. Your account contact will provide documentation if you are approved for the Private Early Access program.  https://auth0.com/changelog#2AEqpT39ykQYm2IvmvSxR1 Mon, 01 Jul 2024 00:00:00 GMT Machine to Machine Authentication usage [within Quota utilization reports](https://auth0.com/docs/troubleshoot/customer-support/manage-subscriptions/monitor-subscription-usage#quota-utilization "Docs for Quota Utilization") has been updated to improve accuracy with regards to not counting Auth0 Management API tokens. As a reminder, Machine to Machine tokens issued for Auth0 Management API are not counted against your Auth0 Subscription Machine to Machine quota limit. Majority of our users will not see any difference in their usage data while a small number of users will see slightly lower usage from before depending on how they had defined their own custom APIs. We are here to help. Please contact us by using the [Auth0 by Okta Support Center](https://support.auth0.com) if you have any question. https://auth0.com/changelog#3TRlLFRBWqfCHvO9fcuEow Sat, 29 Jun 2024 00:00:00 GMT Okta FGA now provides [a new API endpoint](https://docs.fga.dev/api/service#/Relationship%20Queries/ListUsers) that allows you to list all users who have a specific relationship with a specific resource. For example, you can list all users who can view a particular document. This feature is useful for scenarios such as notifying users of changes to resources or reviewing permissions for auditing purposes. For more information, refer to the [ListUsers API documentation](https://docs.fga.dev/integration/perform-list-users). https://auth0.com/changelog#4m6tiaRXghkzaisJP6ioyk Thu, 27 Jun 2024 00:00:00 GMT Auth0 is pleased to announce that __JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens - [RFC9068](https://datatracker.ietf.org/doc/rfc9068/) is now Generally Available for all customers__. You are now able to opt-in to use the new profile for your Access Tokens on a per-API basis. With this release, we are adopting an Identity industry standard to maximize compatibility and interoperability with other solutions as well as reusability of community tools. Read our public documentation to learn about the [details of the new profile](https://auth0.com/docs/secure/tokens/access-tokens/access-token-profiles) and [how to activate it for the APIs in your tenant(s)](https://auth0.com/docs/get-started/apis/configure-access-token-profile).  https://auth0.com/changelog#6TIsTCk8yfxx6q3697EcZg Mon, 24 Jun 2024 00:00:00 GMT Auth0 is thrilled to announce the General Availability of our latest __Public Cloud environment in Canada__. 🇨🇦🎉 The Public Cloud in Canada is our sixth Public Cloud region (besides US, EU, Japan, Australia, and UK) offering feature-rich, highly secure, resilient, and economical Auth0 solution in a multi-subscriber deployment. This new region enables customers in Canada to utilize our starter Essentials, Professional, and Enterprise tiers while benefiting from lower latencies and meeting data-residency requirements. Customers may choose this Public Cloud region during the tenant creation process. The newly created Auth0 tenant will have "tenant".ca.auth0.com domain name.  https://auth0.com/changelog#2es54tBIDe7Rd3DTiMen9o Tue, 18 Jun 2024 00:00:00 GMT Auth0 is delighted to introduce two new AWS regions for Private Cloud deployments - Hong Kong and Calgary, Canada. This expansion clearly demonstrates our unwavering commitment to meet customers' needs for geographical availability, data residency, and resilience. __Hong Kong Region__: APAC is home to economies with a burgeoning demand for services. The Private Cloud (AWS) region in Hong Kong further enhances our existing extensive presence in APAC, which includes Private Cloud regions in Australia, India, Indonesia, Japan, Singapore, and South Korea as well as Public Cloud regions in Australia and Japan. __Calgary Region__: The Private Cloud (AWS) region in Calgary joins the Montreal AWS region to serve our Canadian customers better. This region offers the following deployment options: - __Primary region__ for new Private Cloud (AWS) deployments in Canada - __Failover region__ for Private Cloud (AWS) GeoHA deployments (e.g. with Montreal AWS region as the primary region, enabling a full GeoHA deployment within Canada) https://auth0.com/changelog#6Er1jksRpvL6AwuvFgiUNR Mon, 17 Jun 2024 00:00:00 GMT We are pleased to announce __General Availability__ of our __Refresh Tokens Management API__ to all our customers with an Enterprise plan. Refresh Tokens API endpoints extend your session management capabilities with access to your user's refresh tokens properties and administrative bulk or individual revocation endpoints. That is specially important for out-of-band session management in applications that do not rely solely on browser cookies. You can learn more in our [product documentation](https://auth0.com/docs/secure/tokens/manage-refresh-tokens-with-auth0-management-api) and [management API](https://auth0.com/docs/api/management/v2) for details. https://auth0.com/changelog#2eNiXmFpBHnHMIhLpTTSAQ Fri, 14 Jun 2024 00:00:00 GMT Today we released support to choose whether self-service Organization signup is supported for Database connections. You can now navigate to Organizations -> “Your Organization” -> “Your Connection” and then select whether you want that database connection to support Organization Signup. Note, this new setting will outweigh the Application level setting for the Database connection. Meaning, you can disable signup support at the Application level, but enable it within the Organization, preventing the signup if an Organization is not present. Additionally, passwordless connections will now support Organization Membership if the Application level has signups enabled and the organization supports just-in-time membership. To learn more, check out the [documentation](https://auth0.com/docs/manage-users/organizations/configure-organizations/enable-connections). https://auth0.com/changelog#1HfyFroFNbwQ3KgCQ0j2mS Tue, 11 Jun 2024 00:00:00 GMT We’ve made the migration from Rules to Actions easier for you! You can leverage the newly launched Actions migration tooling to transition from Rules to Actions leveraging QuickFix to covert Rules’ code to Actions syntax. In most cases, you can simultaneously compare and review code between Rules and Actions, and quickly rewrite into a new Action. We also allow control of the execution sequence of old Rules and new Actions. You can read more about this in our [product documentation](https://auth0.com/docs/customize/actions/migrate/migrate-a-rule-to-an-action).  https://auth0.com/changelog#759cbR0hy2BnCFjQCbndjc Tue, 11 Jun 2024 00:00:00 GMT We have implemented dynamic switching between a select dropdown and an input field in the user creation modal of the Delegated Admin Extension based on the number of connections per tenant. For tenants with over 20,000 connections: - Instead of listing all connections in a select dropdown, a text input field is now displayed where the connection name can be manually typed. For tenants with 20,000 or fewer connections: - No change. A select dropdown is displayed, listing all available connections. https://auth0.com/changelog#3l6Ew6cJanGZYzdnCwRsn8 Fri, 07 Jun 2024 00:00:00 GMT You can now enjoy syntax coloring and validation when editing Okta FGA models and [tests](https://docs.fga.dev/modeling/testing in any JetBrains IDE. Install the JetBrains plugin [from the JetBrains Marketplace](https://plugins.jetbrains.com/plugin/24394-openfga) to get started. https://auth0.com/changelog#4kZeRgU7H4DDvlokdxxcHK Fri, 07 Jun 2024 00:00:00 GMT # What is changing? Starting on **August 5, 2024**, the only tenant member role that will have access to the [“Subscription Tickets”](https://auth0.com/docs/troubleshoot/customer-support/open-and-manage-support-tickets#manage-subscription-tickets-) feature within the Auth0 Support Center will be those with the new [Elevated Support Access role](https://auth0.com/docs/get-started/manage-dashboard-access/feature-access-by-role) within the [Role Based Access Control (RBAC)](https://auth0.com/docs/get-started/manage-dashboard-access/add-dashboard-users) feature in the Auth0 Management Dashboard. The Subscription Tickets feature in [Support Center](https://support.auth0.com/) allows access to view and manage **all tickets created by all users across a tenant. The current ‘Support Access’ role will be deprecated.** Tenant Administrators will not automatically inherit the new ‘Elevated Support Access’ role and will need to explicitly add themselves to the role via the Auth0 Management Dashboard to continue to have access to view and manage all tickets across their tenant(s) via the Subscription Tickets feature. **Tenant Administrators and all tenant members will still have access to the Auth0 Support Center to create and manage *their own tickets* without adding any additional roles.** #### Why are we making this change? In order to increase the security of the Auth0 Support Center, the ‘Subscription Tickets’ feature will be tied specifically to the new **Elevated Support Access** role so that access is not automatically inherited by all Tenant Admin users. This prevents roles from being able to see tickets they did not create without explicitly granting them access to do so. #### How are you affected? Tenant Administrators will lose access to view and manage **all tickets** for your tenant on the ‘Subscription Tickets’ page in the Auth0 Support Center on August 5, 2024. **You will still be able to access the Auth0 Support Center and create & manage the support tickets you created.** #### What action do you need to take? If you have a paid subscription, you can add yourself and any other users who need to see/manage all tickets (even those they did not create) across the tenant to the new **Elevated Support Access** role from the Auth0 Management Dashboard. __You should also review who__ __currently has the legacy ‘Support Access’ role assigned and determine if they should be removed and/or added to have the new Elevated Support Access role.__ If you are currently on a Free plan, there is no action required and this communication is to inform you that you will only be able to view and manage support tickets that you created. #### How can you get additional assistance? We are here to help. Contact us by using the [Auth0 by Okta Support Center.](https://support.auth0.com/) https://auth0.com/changelog#4fPlmxhGlZBTuUtMtmVaC3 Thu, 30 May 2024 00:00:00 GMT We are excited to announce that Bot Detection is now available in the password reset flow. This enhancement further fortifies your security posture, providing the same robust protection against bots and scripted attacks during account recovery as in the signup and login flows. This feature is available to all our Enterprise customers with the Attack Protection add-on. To enable it, go to your Manage Dashboard and configure the “__Enforce CAPTCHA for the password reset flow__" settings. You can choose to show a challenge Always, When Risky (based on our ML model detecting a bot), or Never (monitoring mode). To activate Bot Detection or if you require more detailed information, please visit our [online documentation](https://auth0.com/docs/secure/attack-protection/bot-detection) or contact your account team. https://auth0.com/changelog#1H0HwoggTJh1GSwJH75Gjd Thu, 30 May 2024 00:00:00 GMT We have added support to create a custom email provider connector via a new embedded Action in the Branding -> Email Provider section of the Dashboard. Check out how to get started by visiting: [Configuring a Custom Email Provider](https://auth0.com/docs/customize/email/configure-a-custom-email-provider). This feature is in Open Early Access and we appreciate your feedback on it! https://auth0.com/changelog#HhQuxlz7b2e0SovyB3ZhG Tue, 28 May 2024 00:00:00 GMT We are delighted to announce that Highly Regulated Identity (HRI) is now generally available. HRI incorporates a set of Financial Grade Identity™ features, defined by the OpenID FAPI Working Group and known as “FAPI v1 Advanced“ and including: - Mutual TLS (mTLS) for client authentication and token binding - PAR endpoint for submitting pushed authorization requests - JAR for signed JWT authorization requests - JWE for encrypted Access Tokens - RAR for rich authorization requests This enables customers to elevate the security of their identity solutions, protect user data and privacy, and comply with regulations for Strong Customer Authentication. You can read more about this in our [product documentation](https://auth0.com/docs/secure/highly-regulated-identity). https://auth0.com/changelog#3NQYYctLwW5zyZRXZuVEOF Tue, 28 May 2024 00:00:00 GMT We have updated the Auth0 Dashboard for Private Cloud Environments to enforce Autonomous System Network (ASN) binding for Auth0 Dashboard Administrator sessions with release version v202422.31.0. Please refer to our initial [change log](https://auth0.com/changelog#1fVhnQ1p8DBIGpeOYBtsRN) and [documentation](https://auth0.com/docs/troubleshoot/general-usage-and-operations-best-practices#asn-binding-optimization "ASN Binding optimization") for more information. https://auth0.com/changelog#6MUpL3RwMvmja3H6ydNzxn Wed, 22 May 2024 00:00:00 GMT We are pleased to announce the release of Flexible Identifiers, enhancing your ability to customize authentication processes. This feature allows the use of multiple attributes such as email, phone number, and username as unique identifiers, either individually or in combination, to authenticate users. Including the option to configure __Phone Number as a Sole Identifier!__  __Key Capabilities:__ - Configure multiple identifiers for enhanced security and user experience. - Tailor login experiences to fit specific user and security requirements. __Please Note:__ - Thorough testing in a development environment is recommended before deployment. - We’re Implementing this release in a staggered approach, it could take between 1-4 weeks for these changes to be visible in your dashboard - Review the [Limitations Page](https://auth0.com/docs/authenticate/database-connections/flexible-identifiers-and-attributes) in our documentation for detailed information on feature constraints. Flexible Identifiers are designed to provide a more adaptable, secure, and user-friendly authentication environment. Explore this new feature to enhance your platform's functionality and security. https://auth0.com/changelog#2Le6BQdpCrgx2aUArXqvAp Wed, 08 May 2024 00:00:00 GMT Auth Challenge is the new default Bot Detection response that offers an invisible, frictionless alternative to CAPTCHA. Auth Challenge uses a series of non-intrusive challenges to make it tougher on bots but frictionless for users. Raising costs to attackers while keeping the user interaction as simple as clicking a checkbox! You can read more about Auth Challenge enablement and Bot Detection in our online documentation found [here](https://auth0.com/docs/secure/attack-protection/bot-detection) https://auth0.com/changelog#3kNk2HQJkWzX9iXWjGJtnh Tue, 07 May 2024 00:00:00 GMT We’re excited to announce the launch of our fourth generation Bot Detection. This upgrade combines the capabilities of our CIC machine learning model with third-party bot scoring, significantly enhancing our ability to identify and thwart bots more effectively and safeguarding against malicious traffic. The fourth generation Bot Detection includes a major update in our ML architecture that allows for faster model releases and a range of detection algorithms. Our testing indicates a potential increase in bot detection by up to 25%, all while maintaining minimal impact on legitimate user traffic. This feature upgrade is available to all our Enterprise customers who subscribe to the Attack Protection add-on. We are currently rolling out this enhancement and expect to complete the process within the next few weeks, aligned with your individual release schedules. To activate Bot Detection or if you require more detailed information, please visit our [online documentation](https://auth0.com/docs/secure/attack-protection/bot-detection) or contact your account team. We are here to assist you in ensuring your systems are secure against sophisticated threats. https://auth0.com/changelog#1CULQXuL5p0ZjnfvOXUJXn Tue, 07 May 2024 00:00:00 GMT Forms for Actions is a new visual editor that allows you to build custom forms that can be used to **extend your login and signup flows with additional steps and business logic.**  Some of the key capabilities of Form for Actions include: - **Pre-built components** with frontend and backend validations. - **Custom business logic** with out-of-the-box integrations with third parties. - **Controlled and secure experience** within your tenant's domain. Not required to redirect users to external sites. - **Consistent branding experience** with Universal Login. Using Forms for Actions enables you to build use cases like progressive profiling, custom policies acceptance, custom signup or login steps... Personalization has never been easier. You can read more about this new capability in our [Product Documentation](https://auth0.com/docs/customize/forms) and our [Blog Post.](https://auth0.com/blog/) https://auth0.com/changelog#mM8XQXK8NmraaCfV8T5UY Fri, 03 May 2024 00:00:00 GMT Auth0 Teams provides a platform to simplify viewing and management of environments, tenants and tenant members from a single pane of glass (Teams Dashboard). We've updated the Teams Dashboard to include a new report called Team Activity under the *Reports* section of the Teams Dashboard. Team Activity allows Team Owners to view and audit event logs generated by team members.  Team owners now have visibility to events such as team member invitations, team member role changes, changes to the team security policies, and changes to the team settings. Team Activity Early Access is now available on the Enterprise plan. Please refer to [Auth0 Teams Documentation](https://auth0.com/docs/get-started/auth0-teams/team-activity "Team Activity Docs") for more information. Auth0 Teams is getting more exciting new features, and we can't wait to share them with you. https://auth0.com/changelog#6By4AAKz0wNzBYXMbksCin Thu, 02 May 2024 00:00:00 GMT Starting May 2nd, 2024, Team Owners with accounts created using username and password would need to verify their email address before they are allowed to invite other members to the team from the Teams Dashboard. __Note__: Email verification only applies to team owner accounts created using username and password and does not apply to team owner accounts created using enterprise and social connections.  https://auth0.com/changelog#6INeHN6y2Im1P6KdOmurHC Tue, 30 Apr 2024 00:00:00 GMT Auth0 is happy to announce that __JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens - [RFC9068](https://datatracker.ietf.org/doc/rfc9068/) is now available in Early Access for all customers__. You will be able to opt-in to use the new profile for your Access Tokens on a per-API basis. With this release, we are adopting an Identity industry standard to maximize compatibility and interoperability with other solutions as well as reusability of community tools. Read our public documentation to learn about the [details of the new profile](https://auth0.com/docs/secure/tokens/access-tokens/access-token-profiles) and [how to activate it for the APIs in your tenant(s)](https://auth0.com/docs/get-started/apis/configure-access-token-profile).  https://auth0.com/changelog#1ISFyhcuq7QF3z7yu7p43b Wed, 24 Apr 2024 00:00:00 GMT Developers need to manage how applications are able to interact with an Okta FGA store. Some applications need full permissions, others write permissions, read permissions, or only permissions to update the authorization model. You can now create multiple credentials for an Okta FGA store with different sets of permissions. So whether your client-facing application only needs read access while your Continuous Integration deployment needs the ability to write an authorization model, you are in control of security from the Okta FGA dashboard. You can learn more by following the [How To Get Your API Keys](https://docs.fga.dev/integration/getting-your-api-keys) tutorial to create a new credential. https://auth0.com/changelog#482KUXsuOA9LkKuLel7DgN Tue, 16 Apr 2024 00:00:00 GMT Okta CIC has added a privacy manifest file to the iOS Guardian app & SDK – the privacy manifest file describes the data that apps & third-party SDKs collect and supplies the reasons required APIs that the app & SDK use. The privacy manifest file is in support of the [requirements](https://developer.apple.com/support/third-party-SDK-requirements/) put forth by Apple to ensure transparency and allow users to make informed decisions about their privacy. The manifests include details on the types of data collected, how the data is used, and whether it is shared with third parties. Read more information about [Apple’s privacy manifests](https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_data_use_in_privacy_manifests) and the [required reason API](https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api). https://auth0.com/changelog#3pNrp3jXN97SOmN8WFVgYl Tue, 16 Apr 2024 00:00:00 GMT Okta CIC is proud to announce the next round of improvements to Universal Login as part of our efforts to reach WCAG 2.2 AA guideline conformance. This release includes the following improvements. * **Client-side validation of email addresses.** These validations follow the same formatting rules as the server-side validation * **Accessible Labels.** We cleaned up the duplicate labels in the HTML and properly associated them with their respective input fields. * **Password Complexity Requirements.** These will now be properly announced by screen readers. * **Announce Inline Error Message.** We added the proper aria attributes to the Inline error messages so that they can be understood and properly announced by screen readers. * **Consistent Page Titles.** Every screen in our authorization flows now has a useful and distinct page title. * **Visually Indicate Required Fields.** Required fields now include a visual indicator within the label. To view all the changes and learn more see the [Support Center article](https://support.auth0.com/notifications/66106b9351d014c651b1fa45) https://auth0.com/changelog#2aMbsLlrjKyFrD4JYSY0d4 Mon, 15 Apr 2024 00:00:00 GMT Given authorization is application specific, the rules governing application authorization should be managed by the application team. Okta FGA now enables you to compose an authorization model from multiple modules. Each module lives in a different file, owned by each application team. For example, if a company has 3 teams that own different components: - The core authorization entities that are shared across the organization - A wiki component - An issue tracking component Each team will be able to manage their own module in independent files whose ownership can be defined in your source control system (e.g. Github CODEOWNERS). The modules will be combined in a single model when written to Okta FGA. Learn more about Modular Models in the [Okta FGA documentation](https://docs.fga.dev/modeling/modular-models "Modular Models documentation"). https://auth0.com/changelog#jZ2BzCnuCBpAjCzIm4sOl Mon, 15 Apr 2024 00:00:00 GMT [Okta FGA](https://fga.dev) is now very easy to integrate with Java Spring Security, using the [OpenFGA Spring Boot Starter](https://github.com/openfga/spring-boot-starter). In a nutshell, you can now use the @PreAuthorize Spring Security annotation with an `fga` bean that will require an authorization check to pass before executing a method: // Method body will only execute if the FGA check returns true. 403 otherwise. @PreAuthorize("@fga.check('document', #docId, 'reader', 'user', authentication?.name)") public Document getDocument(@PathVariable String docId) { return repository.findById(id); } You can learn more in the [OpenFGA Spring Boot Starter](https://github.com/openfga/spring-boot-starter) repository. https://auth0.com/changelog#2ahSBp677KMor4j0VBwMyo Mon, 08 Apr 2024 00:00:00 GMT Okta CIC is proud to announce an opt-in, Early Access release of several accessibility improvements to Universal Login as part of our efforts to reach WCAG 2.2 AA guideline conformance. This release allows customer to opt-in to these and future improvements that we will be rolling out in the coming weeks. Once enabled, improvements will be automatically applied to Universal Login as they are released. To learn more see the [Support Center article](https://support.auth0.com/notifications/66106b9351d014c651b1fa45)  https://auth0.com/changelog#3UZn3VXSR4Ow1nv7zXoExm Thu, 21 Mar 2024 00:00:00 GMT Auth0 is excited to share an updated list of IP addresses for allow listing on Public Cloud regions, as follows. The updates include, but are not limited to, GeoHA enhancements to Australia and Japan Public Cloud regions. Request your attention if IP allow list is being used or planned to be used for your deployment on Auth0 Public Cloud. Please refer to [Auth0 IP Addresses for Allow Lists](https://auth0.com/docs/secure/security-guidance/data-security/allowlist "Auth0 IP Addresses for Allow Lists") for further information on when IP allow list could be required. __United States__ 174.129.105.183 , 18.116.79.126 , 18.117.64.128 , 18.191.46.63 , 18.218.26.94 , 18.232.225.224 , 18.233.90.226 , 3.131.238.180 , 3.131.55.63 , 3.132.201.78 , 3.133.18.220 , 3.134.176.17 , 3.19.44.88 , 3.20.244.231 , 3.21.254.195 , 3.211.189.167 , 34.211.191.214 , 34.233.19.82 , 34.233.190.223 , 35.160.3.103 , 35.162.47.8 , 35.166.202.113 , 35.167.74.121 , 35.171.156.124 , 35.82.131.220 , 44.205.93.104 , 44.218.235.21 , 44.219.52.110 , 52.12.243.90 , 52.2.61.131 , 52.204.128.250 , 52.206.34.127 , 52.43.255.209 , 52.88.192.232 , 52.89.116.72 , 54.145.227.59 , 54.157.101.160 , 54.200.12.78 , 54.209.32.202 , 54.245.16.146 , 54.68.157.8 , 54.69.107.228 __Europe__ 18.197.9.11 , 18.198.229.148 , 3.125.185.137 , 3.65.249.224 , 3.67.233.131 , 3.68.125.137 , 3.72.27.152 , 3.74.90.247 , 34.246.118.27 , 35.157.198.116 , 35.157.221.52 , 52.17.111.199 , 52.19.3.147 , 52.208.95.174 , 52.210.121.45 , 52.210.122.50 , 52.28.184.187 , 52.30.153.34 , 52.57.230.214 , 54.228.204.106 , 54.228.86.224 , 54.73.137.216 , 54.75.208.179 , 54.76.184.103 __Australia__ 13.210.52.131 , 13.238.180.132 , 13.55.232.24 , 16.50.37.252 , 16.51.137.244 , 16.51.49.47 , 54.153.131.0 , 54.252.2.143 , 54.79.31.78 __Japan__ 13.208.85.227 , 15.152.185.222 , 15.152.2.46 , 15.152.28.221 , 15.152.56.146 , 15.152.95.63 , 176.34.22.106 , 35.74.30.168 , 43.206.201.6 , 46.51.243.250 , 54.150.87.80 , 54.248.192.141 __UK__ 18.135.40.36 , 3.10.89.10 , 3.8.59.62 https://auth0.com/changelog#3x31mnVb0t6IoMKDgoYXB9 Tue, 19 Mar 2024 00:00:00 GMT Using the post-login action, you can now easily customize your MFA flows to prompt users to enroll in specific factors. After a user enrolls in a factor, they can use that factor as a secondary method of authentication in future logins. Customer Identity Cloud (CIC) now includes two new commands in the post-login API object: enrollWith and enrollWithAny.  These commands, paired with our recent [Customize MFA Factor Selection](https://auth0.com/docs/secure/multi-factor-authentication/customize-mfa-selection-nul) feature release, allow you to specify precisely how to enroll and challenge the user with MFA factors based on contextual signals about the user, the organization, or the application they are logging into. These changes provide greater flexibility with MFA to: - design an authentication flow that reduces friction - cater to your end-users’ preferences  - align authentication with your organization's security policies You can read more about this new capability in our [Product Documentation](https://auth0.com/docs/secure/multi-factor-authentication/customize-mfa-enrollments). https://auth0.com/changelog#4fpSey5rWQ4yUCKyONcTee Wed, 13 Mar 2024 00:00:00 GMT End users can now enroll in One-time Password (OTP) Multi-factor Authentication (MFA) using the Guardian App or a custom app using the Guardian SDK on the same mobile device as the application. This allows users to complete OTP MFA enrollment flows using Guardian without having to scan a QR code.  Read our documentation to [learn more](https://auth0.com/docs/secure/multi-factor-authentication/auth0-guardian). https://auth0.com/changelog#4B35QGExNzv6jtawLcj9tg Tue, 05 Mar 2024 00:00:00 GMT Okta Fine Grained Authorization is generally available in the US, Europe and Australia regions. It enables developers to implement authorization in a way that’s centralized, flexible, fast, scalable, and easy to use. It's based on [OpenFGA](https://openfga.dev/), an open source project owned by the [Cloud Native Computing Foundation](https://cncf.io/) for which Okta is a core maintainer. Try it for free at https://dashboard.fga.dev/, or learn more about it on the [product documentation](https://docs.fga.dev/fga). https://auth0.com/changelog#6ibgLorpYKhoeqcyfdfnqF Wed, 28 Feb 2024 00:00:00 GMT As part of our commitment to protect users, we are giving developers remote control of their users' authentication status through additional management API endpoints. These endpoints enable developers to list, explore, and terminate all or individual __sessions and refresh tokens__. Access to the [sessions via API](https://auth0.com/docs/manage-users/sessions/manage-user-sessions-with-auth0-management-api) endpoints is generally available to all customers with an Enterprise plan. Additionally, eligible customers have the opportunity to participate in the early access program for the [Refresh-Token API endpoints](https://auth0.com/docs/secure/tokens/manage-refresh-tokens-with-auth0-management-api). It is important to note that the newly introduced session revocation methods will soon incorporate the corresponding session-deleted along with [previous initiators](https://auth0.com/docs/authenticate/login/logout/back-channel-logout/oidc-back-channel-logout-initiators), progressively becoming available in the coming days. https://auth0.com/changelog#2BINmZe7n0jd9BkxuSYTFD Mon, 26 Feb 2024 00:00:00 GMT Okta Customer Identity Cloud (CIC) recently published CIC log schemas (V1). This repository contains schemas for Log events documented [here](https://auth0.com/docs/deploy-monitor/logs). For more information please reference the [Github repository](https://github.com/auth0/auth0-log-schemas) https://auth0.com/changelog#3xmuk9NXS049LqPzAXx9Is Mon, 26 Feb 2024 00:00:00 GMT Businesses using Customer Identity Cloud’s Universal Login can leverage a new pro-code option to customize signup and login flows to address their unique needs. This new capability is available to customers on Professional plans or higher and allows them to address unique data capture, security, and compliance (terms of service) requirements. Interested in learning more? See our [online documentation](https://auth0.com/docs/customize/universal-login-pages/customize-signup-and-login-prompts) for detailed instructions and examples. https://auth0.com/changelog#xqTSjK07nnYsfdi2UJkmo Thu, 22 Feb 2024 00:00:00 GMT Okta Customer Identity Cloud (CIC) now supports [Duo Web SDK V4 for MFA](https://auth0.com/docs/secure/multi-factor-authentication/configure-cisco-duo-for-mfa). If you are currently using Duo Web SDK V2, additional information about this change was or will be sent to your tenant administrators, including detailed instructions and links to related documentation. See also: [Duo Web SDK V4](https://duo.com/docs/duoweb) and [Duo Universal Prompt Update Guide](https://duo.com/docs/universal-prompt-update-guide). https://auth0.com/changelog#6y0r0SX4JEmtj8S4FeE5s9 Wed, 14 Feb 2024 00:00:00 GMT Starting February 14th, 2024, Tenant admins with accounts created using username and password would need to verify their email address before they are allowed to invite other members to the tenant from the Auth0 Dashboard. __Note__: Email verification only applies to tenant admin accounts created using username and password and does not apply to tenant admin accounts created using enterprise and social connections.  https://auth0.com/changelog#1bz694J9WGJJdmYOjGFL6v Wed, 14 Feb 2024 00:00:00 GMT Auth0 Teams consolidates managing tenants, tenant members and your subscription in one central place. We are happy to announce Teams Environment and Tenant Management support for our Private Cloud customers.   The release of Teams General Availability marks another significant milestone, completing the support of all plan types on the Auth0 Teams architecture. Our enterprise customers can now view and manage environments and tenants that belong to both Private and Public Clouds. Please refer to Auth0 Teams [Documentation](https://auth0.com/docs/get-started/auth0-teams "Auth0 Teams") for more information. Contact your Technical Account Manager or Auth0 Support to provision Auth0 Teams if you are an Enterprise customer and begin the journey of centralized visibility and control with us. More exciting new features are coming to Auth0 Teams, and we can't wait to share them with you. Please continue to look for Auth0 Teams product announcements in the future. https://auth0.com/changelog#59mvGHHqPhE0PmfF2Ipz1A Fri, 09 Feb 2024 00:00:00 GMT __Initiators__ hook up to session termination events to request applications to log users out whenever that session is invalidated at Auth0. An initiator can be any cause of a session ending. This allows you to move from user-interactive single-logout to server-initiated distributed logout effortlessly on top of the __OIDC Back-Channel Logout__ specification. This update includes __Account Deleted__ and __Email Changed__ in the existing list of logout initiators: __Password Changed__, __Session Expired__, and various __Logout__. Your applications can subscribe to individual or all initiators. For example, you can use Account Deleted to, in combination with OIDC Back-Channel Logout, remotely log the user out upon removing the account.  Want to know more? Check out our [public documentation](https://auth0.com/docs/authenticate/login/logout/back-channel-logout/oidc-back-channel-logout-initiators) and follow our updates as we incorporate more functionalities. https://auth0.com/changelog#7ygUUKUXvkVWzgg1SwLJmo Fri, 09 Feb 2024 00:00:00 GMT At Okta, we take security seriously, so we made further updates as part of our continued efforts to help keep your Auth0 and Teams dashboard user accounts secure. Starting today, the session cookies of both Teams and Auth0 Dashboard dashboard users will now be bound to the originating Autonomous System Network (ASN) as part of the session creation. What does this mean? Suppose, in an unforeseen situation, the session cookies are compromised. In that case, existing sessions will be invalidated, and the user hijacking the session will be forced to log in again if they attempt to access from a different workstation outside of the ASN bound to the session cookie. https://auth0.com/changelog#1fVhnQ1p8DBIGpeOYBtsRN Wed, 07 Feb 2024 00:00:00 GMT This invisible, frictionless captcha alternative uses a series of browser and device challenges to make it tougher on bots but frictionless for users. Auth Challenge raises costs to attackers while keeping the user interaction as simple as clicking a checkbox! Check out the details on configuring Auth Challenge in our online documentation [here](https://auth0.com/docs/secure/attack-protection/bot-detection#configure-bot-detection). https://auth0.com/changelog#6nM8ru8yXf1koT2j5Hgpsl Fri, 02 Feb 2024 00:00:00 GMT As part of our continued efforts to help keep your dashboard user accounts secure, we now require dashboard users that log in with either username and password or 3rd party social connection apps to enrol into MFA. Note: This change applies to your Auth0 account login and does not impact applications or websites you have configured with Auth0. Read our [documentation](https://auth0.com/docs/get-started/manage-dashboard-access/add-change-remove-mfa "MFA for Dashboard Admins Documentation"), and [community post](https://community.auth0.com/t/action-required-multifactor-authentication-mfa-for-auth0-by-okta-administrators/125827 "MFA for Auth0 by Okta Community Post") for more information. Ready to start using MFA as part of a more secure login flow? You can configure it in your [user profile](https://manage.auth0.com/#/profile "Auth0 User Profile"). Read more about how to [configure Multi-Factor Authentication](https://auth0.com/docs/get-started/manage-dashboard-access/add-change-remove-mfa/add-mfa "Configure MFA for Dashboard Users") for Dashboard Users. Need to request an MFA reset? Review this [post](https://community.auth0.com/t/account-locked-mfa-resets-requests/22920 "Locked MFA resets"). https://auth0.com/changelog#2H5Pg6TpSi5OhIiSBQs8zg Thu, 01 Feb 2024 00:00:00 GMT Starting today, our Private Cloud customers can now request Session Timeout and Max Session Age value changes for their Auth0 Dashboard users (admins and non-admins). Please reach out to your Technical Account Manager for more information. https://auth0.com/changelog#3wNF2uOPTIJLGWvwoQGGsw Thu, 01 Feb 2024 00:00:00 GMT Today we released support to choose whether you show an Enterprise Connection during Organization based logins. Similar to how Enterprise Connections work at the Application level, you can now navigate to Organizations -> “Your Organization” -> Connections -> “Your Connection” and then select whether you want to display that connection as a button on the login screen. Paired with Home Realm Discovery, this gives you powerful options to utilize hidden enterprise connections to support multiple customers using a single organization login, or hiding a support staff login from a customer’s organization. To learn more, check out the [documentation](https://auth0.com/docs/manage-users/organizations/configure-organizations/enable-connections). https://auth0.com/changelog#1A1f1juj4J0EX0zYNvMUqj Wed, 31 Jan 2024 00:00:00 GMT We’re excited to announce __passkeys are now Generally Available__ in the Okta Customer Identity Cloud to help businesses drive greater sign-up and sign-in conversion without compromising end-user security. This release builds off our existing [Early Access implementation](https://www.okta.com/press-room/press-releases/okta-launches-passkey-support-to-help-enterprises-unlock-a-passwordless/) and makes it easier for larger enterprises with a [custom database](https://auth0.com/docs/manage-users/user-migration#automatic-migrations) to adopt passkeys using lazy migration and reduce their customer's reliance on passwords. We’ve also improved the developer experience by expanding our [SDK Libraries](https://auth0.com/docs/libraries) support. With passkeys, Auth0 customers can transform their sign-in process, enjoying faster, easier, and more secure access to websites and applications. Passkeys are FIDO credentials that are discoverable by browsers or by security keys for passwordless authentication. Based on FIDO Alliance and World Wide Web Consortium (W3C) standards, passkeys replace the need for passwords by using cryptographic key pairs, ensuring robust protection against phishing and enhancing the overall user experience. This feature will be gradually rolled out to all customers across all plans, starting Jan 31, 2024. Initially, it'll be available in the public cloud, followed by a rollout in private cloud environments a few weeks later as per the release pipeline. For your existing users with passwords, we offer a seamless progressive enrollment process to add passkeys for subsequent logins, ensuring a smooth transition to enhanced security. Before you get started, please note that there are certain prerequisites to enable passkeys. Make sure to review these requirements in our [documentation](https://auth0.com/docs/authenticate/database-connections/passkeys/configure-passkey-policy) to ensure a seamless setup process. Ready to try out passkeys in your application? Check out this [implementation post](https://www.okta.com/blog/2023/10/adding-passkeys-to-your-apps-with-okta-cic-powered-by-auth0/) and our [online documentation](https://auth0.com/docs/authenticate/database-connections/passkeys) for step-by-step guidance on configuration. https://auth0.com/changelog#3CBET2mBWyqK0RS6poEJiC Wed, 31 Jan 2024 00:00:00 GMT Enterprise customers with Public Cloud-based tenants may now receive request rates in excess of 100 RPS. Public Performance is an add-on to a Customer’s existing Public Cloud deployment allowing for request rates up to 200 RPS for 48 hours per month. The add-on is intended to provide customers the ability to grow their traffic on Auth0 in more affordable Public Cloud environments before upgrading to Private Cloud. For more information, please see [Rate Limit Policy docs ](https://auth0.com/docs/troubleshoot/customer-support/operational-policies/rate-limit-policy#public-performance) https://auth0.com/changelog#2GnLMTVYDtbQqbPirHvWG2 Wed, 31 Jan 2024 00:00:00 GMT We are happy to announce Limited Early Access availability of advanced identity security solutions for customers operating in highly regulated industries. These incorporate a set of Financial Grade Identity™ features, defined by the OpenID FAPI Working Group and known as __FAPI v1 Advanced__. This enables customers to elevate the security of their identity solutions, protect user data and privacy, and comply with regulations for __Strong Customer Authentication__.  You can read more about this in our [public documentation](https://auth0.com/docs/secure/highly-regulated-identity). https://auth0.com/changelog#5GFvIFT7X0vwqoIQqEQC3R Wed, 31 Jan 2024 00:00:00 GMT We’re excited to announce that Inbound SCIM for Okta Customer Identity Cloud is now in Early Access. Customers can now go live with their SCIM integrations if they choose. In addition, the EA supports SCIM for Enterprise identity providers integrated using all three of these connection types: SAML; Okta Workforce (OpenID Connect); OpenID Connect https://auth0.com/changelog#6j9n8myoTZfz5nvD5hnmFE Tue, 16 Jan 2024 00:00:00 GMT We have introduced a new claim mapping for the Google hd claim to Auth0 idp_tenant_domain. This new claim, made available with Auth0 PostLogin Actions can be leveraged to validate the Google organization an end-user is authenticating with. Check out [Auth0 PostLogin Action Object](https://auth0.com/docs/customize/actions/flows-and-triggers/login-flow/event-object) for more information. https://auth0.com/changelog#5YcDgKlMJSnRP4QoeArrOm Fri, 05 Jan 2024 00:00:00 GMT We are excited to announce our first round of accessibility fixes and updates to New Universal Login required for WCAG 2.2 AA compliance! ###### This release focused on the MFA Country Code Selector Users that rely on screen readers will now have a much easier time navigating the country code selector. We also added a shiny new search/filter input to make it possible for all users to efficiently find and select their country code. These changes are already in production for most environments!  https://auth0.com/changelog#3EDl94BrmvdZrGQGVEE1J8 Mon, 18 Dec 2023 00:00:00 GMT We’ve reduced session timeout due to inactivity and also implemented a session age for administrator sessions on Teams dashboard to 12 hours. For administrators working in Teams dashboard day to day, more frequent challenges to log after 12+ hours. We’ve also reduced the session age for administrator sessions on Teams dashboard. After 12+ hours from last successful login inactivity, the Teams session will time out, and administrators will have to log back in. https://auth0.com/changelog#3T4PThJVkrL2JiH4aGmrr0 Mon, 18 Dec 2023 00:00:00 GMT We’ve reduced the session timeout for the session age for administrator sessions on Auth0 Dashboard down to 12 hours. For administrators working within Auth0 Dashboard day to day, you will be prompted to re-authenticate after 12 hours from your last login activity. This change does not affect any sessions configured for your end users interacting with your applications integrated with Auth0 identity services. The changes only apply to administrator sessions on Auth0 Dashboard. https://auth0.com/changelog#1rsiqUDNRVzQG9bLvGyaJU Fri, 15 Dec 2023 00:00:00 GMT Have you ever had challenges in writing an Action from scratch? Now, Templates for Actions help you jumpstart with pro-code Actions within seconds! Head over to Actions and choose "build from Templates" - We have offered a growing list of templates for Actions across different triggers and use cases. Start use Actions to __customize MFA setting__ and __verify access control__ by choosing relevant templates.  You can learn more about Templates for Actions from our [doc site](https://auth0.com/docs/customize/actions/actions-templates). https://auth0.com/changelog#2zJ27iP9uIvMwuKlwm14CJ Thu, 14 Dec 2023 00:00:00 GMT We are happy to announce a new Actions trigger for password reset flows is now generally available. This new extensibility point allows developers to block specific password reset requests, customize the password reset flow to require MFA, leverage a redirect to complete additional validation by a third party, and leverage an Auth0 Marketplace integration in the password reset flow. [Read more](https://auth0.com/docs/customize/actions/flows-and-triggers/password-reset) https://auth0.com/changelog#2WewEcX4t4UNAeRKP615c8 Thu, 30 Nov 2023 00:00:00 GMT Do you sit and stir at the screen, scrolling through the tenant page filled with many tenants on the Teams dashboard? As your luck may have it, only to find the tenant on the last page? Teams Dashboard allows you to search quickly for a tenant that belongs to the team.  https://auth0.com/changelog#5uF3zJptX3q0dbfKHaMT7q Thu, 23 Nov 2023 00:00:00 GMT Now, when attaching .HAR files within a ticket via Support.Auth0.com, the file is sanitized. To use: 1. Navigate to the Auth0 Support Center 2. Select Open Ticket 3. To trigger the file sanitization, simply attach/upload the .HAR file to the existing ticket or new ticket. 4. The file is sanitized at the client side before the file is uploaded to the portal. 5. The original trace is not uploaded prior to sanitization. 6. Filename after sanitization and upload: <file_name>_sanitized.har. You can download the sanitized file if you want to inspect it. Do not attempt to upload zipped or compressed HAR files because those files will not trigger the sanitization. Only .har files are processed. *While Okta will attempt to identify sensitive data for you, you acknowledge that it is your responsibility, and not Okta’s, to identify sensitive data in HAR files that you want to be redacted.* For more information on generating HAR files, see [this documentation](https://auth0.com/docs/troubleshoot/troubleshooting-tools/generate-and-analyze-har-files). https://auth0.com/changelog#5MMBWZVUyajeSt7gIr47Fq Tue, 21 Nov 2023 00:00:00 GMT Customers can now pass the `email_locale` parameter when invoking an MFA enrollment via API to generate MFA enrollment tickets and render Universal Login enrollment prompts in the specified language. This is a fix to a known issue where Universal Login enrollment prompts were defaulting back to English instead of rendering in the specified language. [Read more](https://support.auth0.com/notifications/655d1d67bf64915c7aff7514). https://auth0.com/changelog#kbkar0TirGjLItJx4tyzH Fri, 17 Nov 2023 00:00:00 GMT On the heels of announcing the new Private Cloud regions in Australia and Japan, we're thrilled to launch Private Cloud deployments in a brand new country - Indonesia - leveraging Jakarta AWS region. This region expands Auth0's geographical availability and addresses Indonesian customers' data residency needs. We stand committed to meeting our customers where they are, both figuratively and literally. https://auth0.com/changelog#25VjKrwPSMiazLGuknlQWA Thu, 16 Nov 2023 00:00:00 GMT [Okta Access Gateway (OAG)](https://help.okta.com/oag/en-us/content/topics/access-gateway/ag-main.htm) is a solution designed to extend modern identity to legacy on-prem applications to protect your hybrid cloud. Now, you can easily set up Okta Access Gateway to use Auth0 as the identity provider to authenticate users and have Single Sign-On (SSO) when accessing these on-prem applications. To learn more, read [our documentation](https://auth0.com/docs/authenticate/single-sign-on/okta-access-gateway).  https://auth0.com/changelog#1rxzWUkPuhorsM02h643yD Wed, 15 Nov 2023 00:00:00 GMT We are happy to share that we are expanding the use cases of OIDC Back-Channel Logout with new Logout Initiators (Early Access). __“Don't call us, we'll call you”__ What is this feature? Initiators hook up to session termination events to request applications to log users out whenever that session is invalidated at Auth0. __An initiator can be any cause of a session ending__, like a Password Changed or a Session Expired. This allows you to move from user-interactive single-logout to server-initiated distributed logout effortlessly on top of the OIDC Back-Channel Logout specification. __Want to know more?__ Check out our [public documentation](https://auth0.com/docs/authenticate/login/logout/back-channel-logout/oidc-back-channel-logout-initiators) and follow our updates as we incorporate more functionalities. This functionally requires access to the [OIDC Back-Channel Logout](https://auth0.com/docs/authenticate/login/logout/back-channel-logout) functionality already generally available for enterprise plans. https://auth0.com/changelog#fXjVRjkGGmpkvFwMXlX21 Thu, 09 Nov 2023 00:00:00 GMT We are delighted to announce support for Private Cloud deployments in two new AWS regions - __Melbourne, Australia__ and __Osaka, Japan__ as part of continual geographical availability and reliability enhancements. Either of these regions could be used as: - Primary region for new Private Cloud deployments - Failover region for Private Cloud GeoHA deployments, which have primary region in the existing Sydney and Tokyo AWS regions respectively With the introduction of these Private Cloud regions, customers with be able to satisfy GeoHA as well as Data residency requirements in Australia and Japan. https://auth0.com/changelog#6VpF9qv9jeJmFUqONfxyTx Wed, 08 Nov 2023 00:00:00 GMT We have recently enhanced our Adaptive MFA risk assessment object to expose three additional phone attributes: line type, region, and provider! In combination with Actions you can customize your Adaptive MFA flow to leverage and trigger challenges based on these new attributes in the risk assessment object. To read more about the new phone attributes in the Adaptive MFA, you can check out our online documentation [here](https://auth0.com/docs/secure/multi-factor-authentication/adaptive-mfa/customize-adaptive-mfa#phonenumber-assessment). To learn more on how to use Adaptive MFA with Actions, check out the following documentation [here](https://auth0.com/docs/secure/multi-factor-authentication/adaptive-mfa/customize-adaptive-mfa#action-templates) https://auth0.com/changelog#T7JxXNT62qaPm9HNkDGjS Wed, 08 Nov 2023 00:00:00 GMT You asked, we listened and delivered! Introducing the much anticipated Teams feature, Tenant Member Management. Designed to help you centrally manage your onboarding and off-boarding workflow of tenant dashboard members.  We have received much feedback from our users, and this feature will significantly improve your experience with our product. Here are some key benefits of Teams Tenant Member Management: - Team Owners centrally grant dashboard users access to one or more tenants. - Assign Team Members more than one App at a time for Editor - Specific Apps role. - A new "Contributor" role for Team Members, to view and access specific tenants they are members from Teams Dashboard. - Just In Time, Team members' accounts are auto-created in Teams based on successful login using your enterprise IdP. Want to experience improved account management with friction-reducing Teams Tenant Member Management? Our [documentation](https://auth0.com/docs/get-started/tenant-settings/auth0-teams/tenant-member-management "Tenant Member Management") will guide you on how to turn on the feature. https://auth0.com/changelog#1EDwbToxDlER3aEIJUkT5c Tue, 07 Nov 2023 00:00:00 GMT Using the post login action, you can now easily define which secondary factor, or sequence of factors, your end-users are challenged with for MFA in the login flow. Customer Identity Cloud (CIC) now includes two new commands in the post login API object: challengeWith and challengeWithAny. With these commands, you can specify how to challenge the user with MFA factors based on contextual signals about the user, the organization, or the application they are logging into. These changes provide greater flexibility with MFA to: - design an authentication flow that reduces friction - cater to your end-users’ preferences - align authentication with your organization's security policies You can read more about this new capability in our [Product Documentation](https://auth0.com/docs/secure/multi-factor-authentication/customize-mfa-selection-nul). https://auth0.com/changelog#6WA798mO9M49rPWAWZthBF Fri, 03 Nov 2023 00:00:00 GMT We have updated the experience for the Production Readiness Check tool in the Auth0 Management Dashboard. The Production Readiness Check tool now provides: - The ability to 'dismiss' a check while keeping it available to restore at the bottom of the page - A progress gauge as a clear visual indicator of tenant production readiness - __Failed__ and __Passed__ expandable objects within a single page (replaced the former tabbed layout) - __Critical__ labels to denote that a check has security or end-user implications. *Note: The Production Readiness Check tool now _only_ lives in the Auth0 Management Dashboard. Previously, it also lived in [Auth0 Support Center](https://support.auth0.com/) but has now been centralized in the Dashboard. To learn more about the Production Readiness Check tool, see [this documentation](https://auth0.com/docs/deploy-monitor/pre-deployment-checks/how-to-run-production-checks#production-check-results) https://auth0.com/changelog#58gm8En0BkixJkv6oq15lh Thu, 02 Nov 2023 00:00:00 GMT Is Johnny part of the team? Teams Dashboard allows you quickly search for a team member either by name or email!  https://auth0.com/changelog#253rOZ9XTUHwewnejE0Ecx Tue, 31 Oct 2023 00:00:00 GMT We are excited to announce that the Guardian App now supports all 40+ languages to match the entire Universal Login localization language set. Users can select the language in the app; the default is based on the user's registered device setting. See our [documentation](https://auth0.com/docs/secure/multi-factor-authentication/auth0-guardian#localization-options) for the full list of supported languages.  The Guardian app is an authenticator that delivers push notifications to a user’s pre-registered device (mobile phone or tablet). You can learn more about the Guardian App in our [product documentation](https://auth0.com/docs/secure/multi-factor-authentication/auth0-guardian). Additional library updates and minor bug fixes are included with this release. https://auth0.com/changelog#T0iK5XLYExriK0qnsW4bY Mon, 30 Oct 2023 00:00:00 GMT Starting today, we are rolling out Account Linking in Actions. Developers can start linking user accounts from various identity providers. This allows a user to authenticate from any of their accounts and still be recognized by your app and associated with the same user profile. Account Linking in Actions will be rolled out in stages to all customers in all environments. The Public Cloud on the Converged Platform will receive this feature in next coming weeks based on its release cycle. You can leverage setPrimaryUser now in Actions and check our documentation to [learn more](https://auth0.com/docs/customize/actions/flows-and-triggers/login-flow/api-object). https://auth0.com/changelog#7hTumxd8msK9je2bP35CyW Mon, 23 Oct 2023 00:00:00 GMT A new version (V3) of the LinkedIn social connection is available in Customer Identity Cloud. Existing customers/connections are unaffected by this change. Customers creating new LinkedIn applications that require Sign in with LinkedIn using OpenID Connect will need to use this new connection strategy. [Read more](https://support.auth0.com/notifications/6532fe61cd1517b4fe7ed1d2). https://auth0.com/changelog#1HJv22auCjVnSKU6yMiEZZ Mon, 23 Oct 2023 00:00:00 GMT Did someone order up one Dark Mode Browser extra Hot! Feel free to dim the lights; Teams Dashboard now supports dark mode. https://auth0.com/changelog#5Yd5O2D6lVI78RMa2fr2Pn Fri, 20 Oct 2023 00:00:00 GMT __You can now seamlessly integrate with Arkose Labs through our Bot Detection product!__ Arkose Labs is a bot management provider that helps deter and defeat bots by leveraging AI and unique context-based 3D captchas. With this new integration, you can combine the power of Auth0 attack protection and seamlessly integrate Arkose Labs detection and response into your authentication flows! To learn more about our Bot Detection Integrations, please refer to our [online documentation](https://auth0.com/docs/secure/attack-protection/bot-detection#configure-bot-detection). https://auth0.com/changelog#3s8qItLqmSmMzoY7g6i23s Mon, 16 Oct 2023 00:00:00 GMT Starting Oct 16, We are removing Rules and Hooks from new customers onboarded on/after Oct 16, as our first step of the [Rules and Hooks Deprecation Plan](https://auth0.com/blog/preparing-for-rules-and-hooks-end-of-life/). This has no impact on existing customers and tenants, but we encourage all customers to migrate their Rules and Actions before Nov 18, 2024, the end of life for Rules and Hooks. We have provided a [Migration Guide](https://auth0.com/extensibility/movetoactions) to help our customers get started. You can contact your Technical Account Manager or Auth0 Support for retroactive access for very limited use cases. https://auth0.com/changelog#2wsZtgXkbEjKc72Np3YzHv Thu, 05 Oct 2023 00:00:00 GMT Okta Workflows is a no-code automation platform for Identity. To help developers extend and customize Customer Identity with custom logic, Auth0 (CIC) now has an Actions Integration with Workflows and Workflows now has a connector with Auth0.  You can check out the details and [read more here](https://www.okta.com/blog/2023/10/workflows-for-customer-identity-cloud/). https://auth0.com/changelog#3z3NKt4HFEvDO233Yaf9y6 Tue, 03 Oct 2023 00:00:00 GMT [OpenID Connect Back-Channel Logout](https://openid.net/specs/openid-connect-backchannel-1_0.html) allows you to implement end-users single-logout through direct communication between the identity provider (IdP) and an application backend. When configured, any Single Sign-On (SSO) application can leverage the session identifier (sid) included in ID Tokens to react to the session termination events received in OIDC Back-Channel Logout Tokens. Back-channel communication is a reliable mechanism to coordinate application logout and avoid limitations imposed by the need for an active browser or third-party content browser restrictions. [OIDC Back-Channel Logout in our public documentation](https://auth0.com/docs/authenticate/login/logout/back-channel-logout) This capability is a practical solution for applications with a backend that can keep and manage the state of a user session. Learn more about . The feature will be gradually rolled out to all customers on one of our enterprise plans. https://auth0.com/changelog#5dxJrHmWj5sMrhDLMcdFMR Tue, 03 Oct 2023 00:00:00 GMT We've updated the Private Instances page in the [Auth0 Support Center](https://support.auth0.com/) to display Failover Region (where applicable) and Deployment Window schedule information. https://auth0.com/changelog#3t7fmeBfsAUatYW3sdx4hc Mon, 02 Oct 2023 00:00:00 GMT The [Auth0 Community Response Series YouTube Playlist](https://www.youtube.com/playlist?list=PLshTZo9V1-aHJ7qT5mvgQ1gdLEk1pBNeK) is now integrated as a source of knowledge when searching for solutions on https://support.auth0.com/. Content from this YouTube source may also appear as a 'Recommended Article' if it matches with the ticket Request Summary during the ticket creation flow in order to surface helpful knowledge while troubleshooting. https://auth0.com/changelog#2gkLdsDVhVx6den46RSBX6 Fri, 29 Sep 2023 00:00:00 GMT We're making it easier for you to build multi-tenant administrative dashboards in your SaaS application by optionally including organization members’ RBAC roles in the Auth0 Management API [GET Organization Members](https://auth0.com/docs/api/management/v2/organizations/get-members) response. This will allow you to show your customers' administrators a list of the end-users on their team, along with their access levels, using a single API request. [Click here to learn more](https://auth0.com/docs/manage-users/organizations/organizations-overview) about how Organizations can help with authentication and authorization for your B2B & SaaS applications. https://auth0.com/changelog#78X6urpiHJK6SY0fUw4zyh Fri, 22 Sep 2023 00:00:00 GMT Announcing the general availability release of Auth0 Terraform Provider v1! This milestone release introduces a plethora of new features, enhancements, and bug fixes that make managing your Auth0 infrastructure with Terraform more efficient and reliable than ever. __What's New in v1:__ - __Data Sources for Resources:__ Fetch and reference data from existing Auth0 resources effortlessly. Retrieve specific details or configuration settings from Auth0 entities and use them within your Terraform code. - __Resource Relationships:__ Establish and manage relationships between Auth0 resources with ease. Whether it's 1:1 or 1:many relationships, v1 provides the flexibility to model connections and dependencies accurately. - __Zero Downtime Client Secret Rotation:__ Rotate client secrets without causing disruptions to your applications or users. This version includes built-in support for zero downtime during client secret rotation. - __Bug Fixes and Stability Enhancements:__ We've focused on improving the stability and reliability of the Auth0 Terraform Provider. This release includes numerous bug fixes and enhancements to meet the diverse needs of the developer community. To get started with Auth0 Terraform Provider v1, visit the official [Terraform Registry](https://registry.terraform.io/providers/auth0/auth0/latest). If you're migrating from a previous v0 build, please consult the [migration guide](https://github.com/auth0/terraform-provider-auth0/blob/main/MIGRATION_GUIDE.md) as this release includes breaking changes. https://auth0.com/changelog#515sGCwZW2u6bD06rzS1uC Fri, 22 Sep 2023 00:00:00 GMT We have updated [Quota Utilization Reports](https://auth0.com/docs/troubleshoot/customer-support/manage-subscriptions/monitor-subscription-usage#quota-utilization) to include the Private Cloud Environment name within the 'Environment' column of these reports instead of the previously inferred values of "Production or Development". Now you can leverage the actual names for the Private Cloud environment to have a better understanding of your subscription usage. https://auth0.com/changelog#49VX9RVprIV8rKkhmxZZSI Fri, 15 Sep 2023 00:00:00 GMT After a successful authentication to the Teams URL [https://accounts.auth0.com](https://accounts.auth0.com "Teams Login"), you will be automatically redirected to your Teams dashboard without the need to enter either your Team name or Team permalink. https://auth0.com/changelog#291fGarNAc3O7NI0p7UFMD Thu, 14 Sep 2023 00:00:00 GMT We are excited to share that the [Auth0 Support Center](https://support.auth0.com/) has been updated to integrate Auth0 'Recommended Articles' within the Ticket Creation Flow. Now, as you enter in a summary of your request or issue in a ticket, you'll be presented with matched recommended articles to help troubleshoot your request or issue. Learn more about Auth0 Support Tickets [here](https://auth0.com/docs/troubleshoot/customer-support/open-and-manage-support-tickets). https://auth0.com/changelog#4E9tfp9EUXErvm4p2C5H93 Thu, 14 Sep 2023 00:00:00 GMT Annoucning the general availability of node-auth0 v4. This release brings a wealth of exciting new features and improvements including: - Rewritten from the ground up in TypeScript - Full up-to-date Types for methods, request parameters, bodies, errors, and responses. - Support for Edge runtimes - A customizable modern network stack and more! To get started with the node-auth0 v4 SDK, check out the repo on [GitHub](https://github.com/auth0/node-auth0/releases/tag/v4.0.0 "GitHub"). If you're coming from a previous version, please check out the [migration guide](https://github.com/auth0/node-auth0/blob/beta/v4_MIGRATION_GUIDE.md "Migration guide") as this release includes breaking changes. https://auth0.com/changelog#4sntWkfdI2Vbm8fgvFYsdn Fri, 08 Sep 2023 00:00:00 GMT With our recent release, the Guardian App now supports both passcodes and biometrics as a layer of security for the app on iOS. You can add a passcode, touch ID or face ID from within the app settings. This is a safeguard to ensure the information you manage within the app is protected if you lose your phone or if it is stolen – any easy measure to take to protect yourself! *Note: this feature was previously released on Android and is already supported on that app.* https://auth0.com/changelog#5PRVOusE11BaslGb4Xpruw Thu, 07 Sep 2023 00:00:00 GMT We're excited to introduce passkeys, a cutting-edge feature now available in **Early Access**! With passkeys, Auth0 customers can transform their sign-in process, enjoying faster, easier, and more secure access to websites and applications. Passkeys are FIDO credentials that are discoverable by browsers or security keys for passwordless authentication. Based on FIDO Alliance and World Wide Web Consortium (W3C) standards, passkeys replace the need for passwords by using cryptographic key pairs, ensuring robust protection against phishing and enhancing the overall user experience. For your existing users with passwords, we offer a seamless progressive enrollment process to add passkeys for subsequent logins, ensuring a smooth transition to enhanced security. Before you get started, please note that there are certain prerequisites to enable passkeys. Make sure to review these requirements in our [documentation](https://auth0.com/docs/authenticate/database-connections/passkeys) to ensure a seamless setup process. With **Early Access**, this feature will be gradually rolled out to all customers across all plans, starting September 7th, 2023 . Initially, it'll be available in the public cloud, followed by a rollout in private cloud environments a few weeks later as per our release pipeline. For our valued Private Cloud customers, enabling passkeys is as simple as reaching out to your account team for assistance. To learn more about our release stages, please refer to [Product Release Stages](https://auth0.com/docs/troubleshoot/product-lifecycle/product-release-stages). Curious about setting up passkeys? Explore our [online documentation](https://auth0.com/docs/authenticate/database-connections/passkeys) for step-by-step guidance on configuration. https://auth0.com/changelog#3xsCH9WF2UFDdWdQ7wclSB Wed, 06 Sep 2023 00:00:00 GMT Users now have the option to choose a dark theme when viewing Auth0 [docs](https://auth0.com/docs). Anyone wanting to try it can toggle the theme using the button on the top right corner of the screen. https://auth0.com/changelog#1sxx3HiTr2PG9t7V9ES5md Tue, 05 Sep 2023 00:00:00 GMT We are excited to share that we have added new production readiness checks to our [Readiness Check](https://auth0.com/docs/deploy-monitor/pre-deployment-checks/how-to-run-production-checks) tool in the Auth0 Management Dashboard. The Readiness Check tool helps Tenant Administrators review configuration issues for a specified tenant to ensure optimal setup before going live. __‘Required’ Readiness Checks Added:__ - All Actions are running a recommended version of NodeJS - Hooks are being deprecated and must be migrated to Actions - Rules are being deprecated and must be migrated to Actions - Tenant is set to use a recommended default NodeJS version - Use Custom Domain in Branded Email Templates Learn more about 'Required' Checks [here](https://auth0.com/docs/deploy-monitor/pre-deployment-checks/production-check-required-fixes). __‘Recommended’ Readiness Checks Added:__ - Configure Log Streaming - Enable New Universal Login - Set Application Login URI - Set Tenant Login URI - Set Tenant Allowed Logout URLs Learn more about 'Recommended' Checks [here](https://auth0.com/docs/deploy-monitor/pre-deployment-checks/production-check-recommended-fixes). https://auth0.com/changelog#1L7C6vTeVNRvABCRGVVHUM Thu, 31 Aug 2023 00:00:00 GMT Give your eyes a break or just switch it up for a bit of a change. Whether it’s for higher contrast, glare reduction or if it just comes down to your personal preference, check out Dark Mode on the Guardian App. The Guardian App now supports both dark and light themes. From the Settings menu, users can now select the display theme: light, dark, or system default. https://auth0.com/changelog#2HEw7agYNQzf75tUrcrQQi Wed, 30 Aug 2023 00:00:00 GMT Starting today, we are rolling out advanced capabilities of SAML Mapping, Root-Level User Attributes, and Access Token Scope to Actions. Developers can effectively leverage these newly added capabilities in Actions to unblock unique use cases and complete migrations from legacy Rules and Hooks. __Key Highlights__ __SAML Mapping and Configuration__: Developers can effectively use SAML mapping to map user attributes and claims from SAML assertion assertions to user profiles with Actions when creating and customizing the login and user registration flow. __Access Token Scope__: Developers can freely add or remove claims scopes with newly created custom API with security enhancement. __Root-Level User Attributes:__ Developers can start using standard properties such as user.roles, user.groups, user.permissions to understand more customer profiles and help protect user interests, To learn more about the feature you can go through our supporting resource below: [Blog Post](https://auth0.com/blog/unlock-deeper-customization-in-actions-with-three-new-capabilities/) | [Documentation](https://auth0.com/docs/customize/actions/limitations) | [Migration Guide](https://auth0.com/extensibility/movetoactions) https://auth0.com/changelog#7ehzhKPxJV6jvEgk83Y9to Tue, 15 Aug 2023 00:00:00 GMT We are thrilled to announce the general availability of react-native-auth0 v3! This release is a significant transformation in our React Native SDK, aligning with the latest developments in the React Native framework. __Key Highlights__ - __Strong Typing with TypeScript:__ Migrated to TypeScript for native type support and enhanced development support. - __Hooked on Hooks:__ Full support of SDK through Hooks, including Authentication APIs. - __Dynamic User Object:__ Real-time updates and improved credentials management through Hooks. - __Single Line Expo Integration:__ Seamless integration with just one line of configuration. - __Android 12 Support:__ Compatibility with the latest Android version. To get started with the react-native-auth0 v3 SDK, check out the repo on [GitHub](https://github.com/auth0/react-native-auth0 "react-native-auth0"). If you are coming from a previous version, please check out the [migration guide](https://github.com/auth0/react-native-auth0/blob/v3.0.0/MIGRATION_GUIDE.md "Migration guide") as this release includes breaking changes. https://auth0.com/changelog#2lS4FuDfCNZwa5wSqWBlfA Wed, 09 Aug 2023 00:00:00 GMT To make Organizations easier to use, Auth0 now supports using the Organization Name to launch login flows via the [Authentication API](https://auth0.com/docs/api/authentication). More specifically, the [/authorize](https://auth0.com/docs/api/authentication#authorize-application) and [/samlp (SAML)](https://auth0.com/docs/api/authentication#saml) endpoints have now the option to accept Organization Names instead of Organization IDs. To learn more about how to activate and use this feature, as well as the security implications to bear in mind, [read more details in Auth0 docs](https://auth0.com/docs/manage-users/organizations/configure-organizations/use-org-name-authentication-api).  https://auth0.com/changelog#1mdFXzOHtZlQTvaHPKWYwT Thu, 03 Aug 2023 00:00:00 GMT We have expanded our captcha response providers in our Bot Detection product. Now, you can seamlessly integrate with Friendly Captcha and hCaptcha. Friendly Captcha is a proof of work captcha. Not only does it provide a frictionless user experience, but it also imposes significant computational costs on attackers, making it highly effective against malicious activities. In addition, we’ve added hCaptcha as an alternative to reCAPTCHA Enterprise. hCaptcha offers a similar user experience while offering different stances on privacy and data collection. It also provides wider regional availability, ensuring that our customers can benefit from comprehensive bot detection regardless of their location. To learn more about our Bot Detection solution, please refer to our [online documentation](https://auth0.com/docs/secure/attack-protection/bot-detection#configure-bot-detection). https://auth0.com/changelog#2MhZkQbh7vrKVSSpufxZVg Thu, 27 Jul 2023 00:00:00 GMT The Guardian iOS and Andriod SDKs support custom domains! With a custom domain, your users feel confident that they are providing their credentials to the right party. Authentication happens within the context of your brand which helps you build brand loyalty. Users are not redirected to a third-party site that breaks the branding context. This prevents users from becoming confused about whether they are still making a transaction or operation with you. Containing your authentication services in one place makes your application architecture more maintainable. Applications gain only the access they need and authentication services scale easily. Other security benefits of using a custom domain include: - Some browsers, by default, make it difficult to communicate in an iFrame if you don't have a shared domain. - It's harder to phish your domain if you have a vanity URL because the phisher must create a vanity URL to mimic yours. For example, with a custom domain, you can use your own certificate to get an Extended Validation, making phishing harder. https://auth0.com/changelog#7brExNHNLtHshVHvayBm6L Thu, 27 Jul 2023 00:00:00 GMT Now announcing the Bot Detection Slider for Bot Detection! We have added the ability to adjust the level of friction of the “When Risky” setting on our Bot Detection model. There are three settings to choose from __Low__, __Medium__, and __High__. __Low__ - a more relaxed security stance, resulting in less friction for users. __Medium__ - a balanced and recommended setting for a balanced experience of security and user friction __High__ - will take a more strict security approach, increasing user friction but applying a more assertive security stance. With this new addition, the ability to adjust your detection to match your business needs and risk tolerance is just a setting away! See the online documentation [here](https://auth0.com/docs/secure/attack-protection/bot-detection#use-bot-detection-slider), for additional information on bot detection and on how to use the bot detection slider. https://auth0.com/changelog#4iDjG2MjcjSymJYEg7b1Ln Wed, 26 Jul 2023 00:00:00 GMT Security policies allow team owners to configure and implement access rules that adhere to your organization's IT security policies for access to their Auth0 accounts. SSO Enforcement as one of the security policies gives you the option to mandate login to Teams and Manage Dashboard through the organization's enterprise IdP. Follow the link to learn more. [Configure Security Policies](https://auth0.com/docs/get-started/tenant-settings/auth0-teams#configure-security-policies "Configure Security Policies")  https://auth0.com/changelog#6fSfJa7wuvlNdCcyeyeny3 Mon, 17 Jul 2023 00:00:00 GMT We have added a new Auth0 Management Dashboard Role: __Editor - Organizations__. Now, we’ve created a way for you to provide more specific Organizations Administration access in order to allow other tenant members to create, configure, and maintain your Organizations. To learn more about the role and what plans have access, see our [Dashboard Access by Role](https://auth0.com/docs/get-started/manage-dashboard-access/feature-access-by-role "Dashboard Access by Role") documentation https://auth0.com/changelog#1EibN7f8rd3lDLN5bvXQnk Thu, 13 Jul 2023 00:00:00 GMT Auth0 now supports Microsoft 365 Modern Authentication and Azure Communications Services for outbound email services. Customers can use Outlook on Microsoft 365 or the recently released Azure Communication Services as preferred authentication methods. To learn more, read [Configure Microsoft 365 Exchange Online as External SMTP Email Provider](https://auth0.com/docs/customize/email/smtp-email-providers/configure-365-exchange-as-smtp-email-provider) or [Configure Azure Communication Services as External SMTP Email Provider](https://auth0.com/docs/customize/email/smtp-email-providers/configure-azure-comm-service-as-smtp-email-provider). https://auth0.com/changelog#3yVUYwYINRo7edOw8tP7kG Wed, 12 Jul 2023 00:00:00 GMT OIDC and Okta Workforce connections now support PKCE and attribute mapping. PKCE enables you to build more secure connections between Auth0 and your connected identity provider. With attribute mapping you can sync more attributes from your IdP into your Auth0 tenant. This enables you to ensure your tenant is leveraging the latest user information from the connected IdP. To learn more about both of these improvements check out our [documentation](https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/configure-pkce-claim-mapping-for-oidc). https://auth0.com/changelog#1MrocxqJSmq8ry2HLjdve3 Tue, 11 Jul 2023 00:00:00 GMT Node.js 18 is now generally available (GA) for Actions, Rules and Hooks. Starting today, all tenants in public cloud will receive Node 18 support. Customers on Converged private cloud platform will receive Node 18 in the following weeks subject to your private cloud release schedule. To adhere to best code security practices, we strongly encourage customers to update to Node 18, before September 11th, 2023 when Node 16 long-term support ends. Customer can start using Node 18 in their tenants setting and/or when creating new Actions in the Auth0 Manage Dashboard.  https://auth0.com/changelog#2xzzvhZDXiRbThfc7XsfO Fri, 07 Jul 2023 00:00:00 GMT We have updated the [CIC Production Readiness Checks](https://auth0.com/docs/deploy-monitor/pre-deployment-checks/how-to-run-production-checks "Run Production Readiness Checks") tool found in the Auth0 Management Dashboard. Documentation links have been updated and "Configure" navigation has been improved to allow for easier use of the *Production Readiness Checks* tool. https://auth0.com/changelog#6mJnzbmRSkCJnTXf4aRccE Fri, 07 Jul 2023 00:00:00 GMT You requested the ability to change team names, and we have successfully delivered. To change the team name, go to the Teams dashboard, click the Settings icon, and update the Team Name in the Team information section. See the online [documentation](https://auth0.com/docs/get-started/tenant-settings/auth0-teams#update-team-name "Update Team Name") for additional information on changing team name or Teams in general.  https://auth0.com/changelog#2xlU4xGJmvpTJ7kQ3ENARy Wed, 28 Jun 2023 00:00:00 GMT Today we’ve released upgrades to how login flows work for applications using Organizations to build [multi-tenant SaaS apps](https://auth0.com/docs/get-started/auth0-overview/create-tenants/multi-tenant-apps-best-practices). We’ve created options for tying identifier first [Home Realm Discovery](https://auth0.com/docs/authenticate/login/auth0-universal-login/identifier-first#define-home-realm-discovery-identity-providers) to Connections with IdP domains associated with Organizations. We’ve also released a New Universal Login Prompt that displays when configured for end users with multiple organization memberships. Those users can now select which Organization they want to login with after authenticating.  You can find out more about how these new flows work in [the online documentation](https://auth0.com/docs/manage-users/organizations/login-flows-for-organizations). https://auth0.com/changelog#1V8kf4hfJkoKHp0qonJtuQ Thu, 01 Jun 2023 00:00:00 GMT Auth0 Enterprise plans can now use OIDC Back-Channel Logout capabilities for Session Management in their production tenants. This allows you to implement responsive single-logout experiences for end-users, avoiding limitations imposed by third-party cookie browser restrictions and setting the foundation for remote logout capabilities. When configured, any SSO application can leverage the session identifier (sid) included in ID Tokens to react to the session termination events received in OIDC Back-Channel Logout Tokens. The feature is available upon opt-in request to all enterprise plans and will be automatically enabled by default soon after. You can learn more about it in our [online documentation](https://auth0.com/docs/authenticate/login/logout/back-channel-logout) https://auth0.com/changelog#6GcHJVMeEAxUhcTDY3zX1C Tue, 23 May 2023 00:00:00 GMT Six new languages are now available as supported translations for Universal Login: - Basque: `eu-ES` - Catalan: `ca-ES` - Galician: `gl-ES` - Norwegian: `no` - Norwegian Nynorsk: `nn` - Welsh: `cy` For additional information on languages and localization, see the [online documentation](https://auth0.com/docs/customize/internationalization-and-localization/universal-login-internationalization). https://auth0.com/changelog#2bXDqwJ2QqDjhR0opj9WVW Thu, 18 May 2023 00:00:00 GMT We are excited to announce that the Guardian App supports localization. The app is available, as an authenticator, to deliver push notifications to a user’s pre-registered device (mobile phone or tablet). In addition to English - US (en-us), we support French - Canada (fr-ca), French - France (fr), Portuguese - Brazil (pt-br), and Spanish - Argentina (es-ar). Users can select the language in the app setting; the default is based on the user's registered device setting. You can learn more about the Guardian App in our [public docs](https://auth0.com/docs/secure/multi-factor-authentication/auth0-guardian). https://auth0.com/changelog#34aHLhUlH4SRtwgjIHlTKQ Tue, 16 May 2023 00:00:00 GMT Beginning __October 16th, 2023__, Rules & Hooks will no longer be available to new tenants. Actions is our offering which unifies all the extensibility of Rules and Hooks and more. For existing users of Rules & Hooks, these features will no longer be available as of __November 18th, 2024__. To learn more about migrating to Auth0 Actions, read this [migration guide](https://auth0.com/extensibility/movetoactions). https://auth0.com/changelog#3DJe2PkyGYZMZfQg2nApxe Thu, 04 May 2023 00:00:00 GMT Auth0 Enterprise customers on Converged Platform can now use Security Center, a new security feature that provides real time monitoring of potential security events. It provides a more proactive approach to our customers on understanding and tweaking their attack protection program, and further strengthen the security posture with real-time monitoring capability of common attack types and metrics on the current attack protection features. The feature will be rolled out in stages to all Enterprise customers using Private and Public Cloud on the Converged Platform beginning on May 4, 2023. Security Center includes trends on common threat behaviors- including credential stuffing attacks, sign up attacks, and MFA bypass attacks. It also provides threat monitoring capability on our current attack protection program - including Bot Detection, Brute-force Protection, Suspicious IP Throttling and Breached Password Detection. The threat monitoring tool helps our customers understand the current attack trends on their tenant traffic, and then implement countermeasures by enabling and tweaking the Auth0 Attack Protection feature sets. To learn more, please refer [Security Center](https://auth0.com/docs/secure/security-center) in the Auth0 Docs. https://auth0.com/changelog#i4uEafyS6aD1Q79ugYzwO Thu, 04 May 2023 00:00:00 GMT Auth0 now supports **Private Key JWT in [General Availability](https://auth0.com/docs/troubleshoot/product-lifecycle/product-release-stages#general-availability), a more secure and flexible way to authenticate your Auth0 Apps**: * Enhance security by generating **asymmetric public/private key pairs** for use as credentials. Once you register the public key with Auth0, you use the private key to sign the request sent to the Authentication API for a more secure experience. * Renew credentials seamlessly with **key rotation**. Have two keys active simultaneously for **zero downtime**.  Private Key JWT is our first protocol capability shipped to enable **[FAPI](https://openid.net/wg/fapi/) compliance** for Financial Grade APIs and other Highly Regulated Identity scenarios. Stay tuned for further updates! Private Key JWT is available to customers on the Enterprise subscription plan. To activate, visit the new Credentials tab within the Auth0 Dashboard or the Management API. The main Auth0 SDK also support this new App Authentication Method. Read our [Auth0 Docs](https://auth0.com/docs/secure/application-credentials) to learn more. https://auth0.com/changelog#1l61da62tGtdazcsruvtOg Thu, 27 Apr 2023 00:00:00 GMT The Auth0 Developer Experience team is in the process of deprecating the following repos: * [express-oauth2-bearer](https://github.com/auth0/express-oauth2-bearer) | [migration guide](https://github.com/auth0/express-oauth2-bearer/blob/master/MIGRATION_GUIDE.md) * [angular-auth0](https://github.com/auth0/angular-auth0) | [migration guide](https://github.com/auth0/angular-auth0/blob/master/MIGRATION_GUIDE.md) * [auth0-cordova](https://github.com/auth0/auth0-cordova) | [migration guide](https://github.com/auth0/auth0-cordova/blob/master/MIGRATION_GUIDE.md) These libraries will no longer be supported after their end of life date. For express-oauth2-bearer, the EOL date is June 30, 2023. For angular-auth0 and auth0-cordova, the EOL date is October 31, 2023. Please make plans to remove these libraries from any active projects before these dates. For each repo we have also provided a migration guide to further assist you. If you have any questions or concerns, please reach out to us on GitHub. https://auth0.com/changelog#2PZvNAYnf5vyzD1pqP7D6 Thu, 20 Apr 2023 00:00:00 GMT Auth0 is excited to announce the release of an enhanced search experience on the [Auth0 Support Center](https://support.auth0.com/). Now you can search and filter across Auth0 Docs, Auth0 Community, and Auth0 Blog in a single place without leaving Support Center. https://auth0.com/changelog#5aqto9RzGFwTRC9dAI1CMG Tue, 18 Apr 2023 00:00:00 GMT We've added Adaptive MFA Risk Ratings Score in Actions to all environments! Developers today can effectively use __event.authentication.riskAssessment__ for adaptive MFA risk score and leverage the details about risk assessments obtained during the login flow in PostLogin@v3 trigger. To learn more about this feature, visit our [doc site](https://auth0.com/docs/customize/actions/flows-and-triggers/login-flow/event-object). As we are adding values to Actions, we encourage all customers to move from Rules/Hooks to Actions [starting today](https://auth0.com/extensibility/movetoactions). https://auth0.com/changelog#2pP4vSZ2dWqiGSJqbNidXJ Mon, 17 Apr 2023 00:00:00 GMT Announcing the [general availability](https://auth0.com/docs/troubleshoot/product-lifecycle/product-release-stages#general-availability "General Availability Description") release of Auth0 CLI v1, a significant milestone moving Auth0 CLI from an experimental build to an officially supported tool, offering a range of powerful features and enhancements tailored to streamline your Auth0 development process. Key highlights include an improved authentication process, allowing you to authenticate as a user via device flow or as a machine with client credentials; the new 'api' command for making authenticated HTTP requests to the Management API directly; and over 70 other improvements, feature enhancements and bug fixes. To learn more and start building with Auth0 CLI, check out our [Release Notes](https://github.com/auth0/auth0-cli/releases/tag/v1.0.0 "Auth0 CLI v1 Release Notes") on GitHub. If you are coming from a previous version of Auth0 CLI, please refer to the [v1 Migration Guide](https://github.com/auth0/auth0-cli/blob/v1.0.0/MIGRATION_GUIDE.md "v1 Migration Guide") as this release includes breaking changes. https://auth0.com/changelog#EFcog970d7PKZjOB7ZzBf Wed, 12 Apr 2023 00:00:00 GMT ### Organization Membership added to User Search 🕵️‍♀️ In order to support our customers with multi-tenant applications, we’ve updated [User Search](https://auth0.com/docs/manage-users/user-search) to support the `organization_id` parameter so that you can search for and filter users based on their [Organization](https://auth0.com/docs/manage-users/organizations) membership. This is available in the Manage Dashboard for your support teams as well as via the [Management API](https://auth0.com/docs/api/management/v2#!/Users/get_users) so that you can enable your business customers' team members to search for users in their Organization from within your application. Details and examples can be found [here](https://auth0.com/docs/manage-users/organizations/configure-organizations/search-organization-members). https://auth0.com/changelog#7cFL1GpbYmlfOjIu4ekZmT Tue, 04 Apr 2023 00:00:00 GMT The Dashboard Activity page has been reimagined and now provides dashboard admins with access to visualized metrics that give them a high-level understanding of their tenant application signup and login data. Initially, Tenants will be able to track metrics over time, such as Active Users, Sign-ups, and Retention, in addition to Failed logins. Auth0 will consistently add additional functionality and features to improve the user experience. This feature is now available to all customers. You can learn more in our [public docs](https://auth0.com/docs/get-started/auth0-overview/dashboard/activity). https://auth0.com/changelog#76LhY0Ts0zVpEJgZdKaQpS Tue, 04 Apr 2023 00:00:00 GMT Announcing General Availability of SMS and Email based passwordless authentication on New Universal Login. Previously, these passwordless flows were only available on Classic Universal Login. Now, you can use passwordless with many of the existing features of New Universal Login such as [No Code Customization tools](https://auth0.com/docs/customize/universal-login-pages/customize-new-universal-login-with-the-no-code-editor) and the [Custom Text Editor](https://auth0.com/docs/customize/universal-login-pages/customize-login-text-prompts). To learn more about the feature you can go through our documentation [here](https://auth0.com/docs/authenticate/passwordless/passwordless-with-new-universal-login). https://auth0.com/changelog#3Zrrx3Dnrzul1DnnZe4wVf Tue, 04 Apr 2023 00:00:00 GMT We're delighted to announce General Availability of the latest Public Cloud environment in United Kingdom (UK)! Auth0 strives to offer the best CIAM solution in all aspects. The addition of this region (to Public Cloud environments available globally) enables low-latency IAM experience and addreses data residency requirements for UK customers. The UK region has been available in Beta mode, and thousands of customers have experienced it successfully since November 2022. Auth0 customers are now able to choose the UK region during tenant creation process. The newly created Auth0 tenant will have [tenant].uk.auth0.com domain name.  https://auth0.com/changelog#FWzxQiCjIZaojg7XlSxkT Fri, 10 Mar 2023 00:00:00 GMT A new configuration option is available for factor enrollment flows for end-users on New Universal Login. With this new setting, Administrators have the ability to configure their tenants to prompt end-users to select their preferred factor instead of relying on the factor being automatically selected as default by Auth0. You can learn more about this new setting, __Show Multi-factor Authentication Options__, in our documentation [here](https://auth0.com/docs/secure/multi-factor-authentication/enable-mfa "here"). https://auth0.com/changelog#5cAGziNyUpvsI4Bav3Dz6O Fri, 24 Feb 2023 00:00:00 GMT Announcing the [general availability](https://auth0.com/docs/troubleshoot/product-lifecycle/product-release-stages#general-availability) release of auth0-java v2, the latest release of our authentication and management SDK for Java applications. This release brings a variety of exciting new features and improvements, including: - A new pluggable HTTP component with a configurable default implementation, making it easier to handle simple and complex use cases. - HTTP request configuration enabled for all requests, eliminating the need to downcast and simplifying our internal request class hierarchy. - HTTP response information is returned for all API calls, making it easier to retrieve important information, such as response headers, without having to inspect logs. - Improvements to the Authentication API client, like no longer requiring a client secret, allowing callers of APIs that don't need a secret to use the client. To learn more and start building with our latest Java SDK, check out the repo on [GitHub](https://github.com/auth0/auth0-java). And for developers upgrading from previous versions you can check out our migration guide [here](https://github.com/auth0/auth0-java/blob/2.0.0/MIGRATION_GUIDE.md). https://auth0.com/changelog#2g6Tjx3nEzcbpOCalZpdXF Tue, 14 Feb 2023 00:00:00 GMT Customers interested in private cloud deployments can now opt for even greater performance thresholds to support their high volume authentication requirements. We’ve rolled out support for two new Private Cloud tiers supporting up to 180,000 and 360,000 requests per minute (or 3,000 and 6,000 requests per second, respectively). These new tiers are currently available for Private Cloud deployments on AWS. To learn more, visit the following Private Cloud [documentation page](https://auth0.com/docs/deploy-monitor/deploy-private-cloud/private-cloud-on-aws). https://auth0.com/changelog#7uylYRiCCUuHV0caazvBkf Fri, 10 Feb 2023 00:00:00 GMT We've updated the Private Instances page in the [Auth0 Support Center](https://support.auth0.com/) to display environment name, version, deployment type, and cloud provider. https://auth0.com/changelog#EIiBQRnX8dbZf1Mcg1PDo Fri, 10 Feb 2023 00:00:00 GMT We've updated the [subscription quota reports](https://support.auth0.com/reports/quota) to also show Active Enterprise Connections usage. This is Generally Available for both Private and Public Cloud customers.  Additionally Auth0 Private Cloud customers can now view their feature usage (eg. Machine to Machine Auth, MFA), for their respective private instances. For more information on subscription usage, please see the documentation [here](https://auth0.com/docs/troubleshoot/customer-support/manage-subscriptions/monitor-subscription-usage). https://auth0.com/changelog#1FoU1VjMcPvAR4Za1IgKI4 Tue, 07 Feb 2023 00:00:00 GMT Auth0 has released Security Center, a new security feature to provide our customers with real-time monitoring of potential security events as they happen. It provides a more proactive approach to our customers on understanding and tweaking their attack protection program, and further strengthen the security posture with real-time monitoring capability of common attack types and metrics on the current attack protection features. This feature is in Early Access and will initially be rolled out in stages to all Enterprise customers using Private Cloud on the Converged Platform beginning on February 7, 2023. To learn more about our release stages, read [Product Release Stages](https://auth0.com/docs/troubleshoot/product-lifecycle/product-release-stages). The feature can be accessed from [Auth0 Dashboard](https://manage.auth0.com/#/security/center). Security Center in Early Access includes trends on common threat behaviours- including credential stuffing attacks, sign up attacks, and MFA bypass attacks. It also provides threat monitoring capability on our current attack protection program - including Bot Detection, Brute-force Protection, Suspicious IP Throttling and Breached Password Detection. The threat monitoring tool helps our customers understand the current attack trends on their tenant traffic, and then implement countermeasures by enabling and tweaking the Auth0 Attack Protection feature sets. To learn more, read [Security Center](https://auth0.com/docs/secure/security-center) in the Auth0 Docs. https://auth0.com/changelog#3GeWJqJAg3stXy1Sjuwl7p Tue, 07 Feb 2023 00:00:00 GMT Announcing Early Access of SMS and Email based passwordless authentication on New Universal Login. Previously, these passwordless flows were only available on Classic Universal Login. Now, you can use passwordless with many of the existing features of New Universal Login such as [Organizations](https://auth0.com/docs/manage-users/organizations/organizations-overview) and our [No Code Customization tools](https://auth0.com/docs/customize/universal-login-pages/customize-new-universal-login-with-the-no-code-editor). To learn more about the feature you can go through our documentation [here](https://auth0.com/docs/authenticate/passwordless/passwordless-with-new-universal-login). https://auth0.com/changelog#4Uq02f7ehg0CROR7nM59Kx Fri, 20 Jan 2023 00:00:00 GMT Announcing the [general availability](https://auth0.com/docs/troubleshoot/product-lifecycle/product-release-stages#general-availability) release of auth0-angular, auth0-react, and auth0-vue v2, the latest update to our family of single page application SDKs. With the v2 releases, we've introudced all of the improvements that were released as part of [Auth0-SPA-JS v2](https://github.com/auth0/auth0-spa-js/releases/tag/v2.0.0) and more! To learn more about the latest release of each SDK and get started building, checkout our Quickstarts and SDKs on GitHub. - Quickstarts: [Angular](https://auth0.com/docs/quickstart/spa/angular/interactive) | [React](https://auth0.com/docs/quickstart/spa/react/interactive) | [Vue](https://auth0.com/docs/quickstart/spa/vuejs/interactive) - GitHub: [Angular](https://github.com/auth0/auth0-angular/releases/tag/v2.0.0) | [React](https://github.com/auth0/auth0-react/releases/tag/v2.0.0) | [Vue](https://github.com/auth0/auth0-vue/releases/tag/v2.0.0) https://auth0.com/changelog#uxd0IF8ufYS6F1dzIffg5 Wed, 18 Jan 2023 00:00:00 GMT We have expanded our Bot Detection to now protect passwordless flows! With Bot Detection for your Passwordless Flows, you can further protect your users and tenants from abuse. When enabled, Bot Detection for Passwordless can block suspected bot traffic by requiring CAPTCHA. Deferring the bot and helping reduce the excess cost of sending emails and SMS to your users. For more information on enabling bot protection on your passwordless flows, please see the documentation [here](https://auth0.com/docs/secure/attack-protection/bot-detection/bot-detection-passwordless-flows). https://auth0.com/changelog#5RQbyeSRAKiEgbMScSA8Ym Wed, 11 Jan 2023 00:00:00 GMT The Dashboard Activity page has been reimagined and now provides tenants with access to data and charts that give them a high-level understanding of their tenant data. Initially, Tenants will be able to track metrics over time such as Active Users, Sign-ups, and Retention in addition to Failed logins. Auth0 will consistently add additional functionality and features to improve the user experience. This feature is now available to all public cloud tenants. You can learn more in our [public docs](https://auth0.com/docs/get-started/dashboard/activity). https://auth0.com/changelog#inaEqKeQUPa8tfeVHZO3d Mon, 09 Jan 2023 00:00:00 GMT __No-Code Text customization is now available__ We are expanding our No-Code toolset with the release of Text Customization. With our new text customization editor, customers can quickly and easily change all the text fields of the login box with zero coding required. This will make it easy for our application builders to use our platform and enable non-technical teams to implement changes.  This also includes the ability to customize text per language for any language supported by New Universal Login. Changes will show in the editor with a visual prompt preview. In addition, a JSON editor is available alongside the visual editor. For more information see the documentation here: [Documentation for No Code Custom Text Editor](https://auth0.com/docs/customize/universal-login-pages/customize-login-text-prompts "Documentation for No Code Custom Text Editor") https://auth0.com/changelog#2nR2J49BkF9vfpAhnnQE0d Fri, 06 Jan 2023 00:00:00 GMT Feel free to dim the lights; dark mode is now available as a beta feature in the Manage dashboard! If you wish to try it out, you can enable this feature under your user profile. https://auth0.com/changelog#1I9j2hApFGCAagfDvqWcUP Fri, 06 Jan 2023 00:00:00 GMT We have changed the behaviour of the Manage Dashboard to retain a user’s place in the Manage application when they switch tenants. This will save users the trouble of navigating through the Manage application when they want to make a common set of changes to more than one tenant. https://auth0.com/changelog#3kxYB1m3O6wySflmKXxNXS Thu, 05 Jan 2023 00:00:00 GMT SAML IDP Initiated Login now supports Organizations. When using a SAML Enterprise Connection within Organizations, the Organizations ID will be appended so that the end user is directed to the current Organization. When using IdP-Initiated SSO, make sure to include the connection parameter in the post-back URL: https://YOUR_DOMAIN/login/callback?connection={yourConnectionName} If you are using the Organizations feature you can also optionally include an organization parameter containing the organization id of the desired organization: https://YOUR_DOMAIN/login/callback?connection={yourConnectionName}&organization={yourCustomersOrganizationId} For more information, please see the documentaton [here](https://auth0.com/docs/authenticate/protocols/saml/saml-sso-integrations/identity-provider-initiated-single-sign-on#post-back-url "Configuring IDP Initiated SAML for Organizations"). https://auth0.com/changelog#1E3Gjq0X8ydC7xAdNqvpIp Mon, 05 Dec 2022 00:00:00 GMT Announcing the launch of Status Page support for our Private Cloud offering for customers on the Converged Platform. To check the status of Private Cloud Environments, navigate to Status.Auth0.com and authenticate via “Private Cloud Login” using the same account credentials used to access the CIC (Auth0) Support Center. To go back to the Auth0 Public Cloud Status page, select Auth0 Public Cloud Status from the top-right navigation. For more information see: [Check Auth0 Status](https://auth0.com/docs/deploy-monitor/monitor/check-auth0-status "Check Auth0 Status") https://auth0.com/changelog#7fpLosoYnDTVsukvkQPqIl Fri, 02 Dec 2022 00:00:00 GMT Announcing the [general availability](https://auth0.com/docs/troubleshoot/product-lifecycle/product-release-stages#general-availability) release of nextjs-auth0 v2, our latest update for adding authentication to NextJS applications. In v2 of nextjs-auth0 we added new middleware support that runs on the Next.js Edge Runtime for consolidating route declarations, a new declarative routing API greatly that simplifies route handler creation, and improved testing support that makes testing authentication in your app a breeze. To learn more and get started building with our latest NextJS SDK, checkout our [Quickstart](https://auth0.com/docs/quickstart/webapp/nextjs/interactive), and SDK on [GitHub](https://github.com/auth0/nextjs-auth0). https://auth0.com/changelog#4jTfmUFSKfnva4jY70lcLq Tue, 29 Nov 2022 00:00:00 GMT We are bringing caching in Actions to the public cloud. Available immediately, customers can use *api.cache* to store and retrieve data that persists across executions. Requesting and storing tokens over time for external services or machine-to-machine exchanges can drive up overhead costs and further cause latency issues. So we created Actions caching, a means to minimize the number of machine-to-machine access tokens generated to authenticate with Auth0 APIs. Check out our detailed guidance on [Auth0 Docs](https://auth0.com/docs/customize/actions/flows-and-triggers/login-flow/api-object), and visit [Move to Actions](http://auth0.com/extensibility/movetoactions) today to start using Auth0's flagship extensibility product, Actions.  https://auth0.com/changelog#5rzvPzPiQyycQSzWxLISDj Tue, 15 Nov 2022 00:00:00 GMT SMS as an MFA option for loging into Auth0 Dashboard is now only available for users on a paid subscription. __What happens with free tenants with SMS as an MFA option enabled before the change?__ Already enrolled users will continue to receive SMS-generated OTP. However, SMS as an MFA will no longer be presented on a free tenant if the dashboard user disables it. The tenant will need to be added to a paid subscription to continue using the feature after disabling it.  https://auth0.com/changelog#EkZIprTrs1yOPqeOqfQlZ Wed, 09 Nov 2022 00:00:00 GMT Auth0 is excited to announce the launch of a new public cloud environment in the United Kingdom (UK) as a Beta. This new environment joins previously available environments in the United States, Australia, Japan, and the European Union, as we continue to support our customer's needs to offer low-latency login experiences while complying with data locality regulations. Auth0 customers can specify their preferred location by simply choosing the United Kingdom region during the tenant creation process. The new Auth0 tenant created will have the `[tenant].uk.auth0.com` domain name and will adhere to amended terms of service and SLA during the Beta period.  https://auth0.com/changelog#5w7n7goEjW3j6s4RnewxMU Wed, 09 Nov 2022 00:00:00 GMT Beginning May 9th, 2023, the [Get Role Users Management API endpoint](https://auth0.com/docs/api/management/v2#!/Roles/get_role_user) will only return greater than 1,000 total results if the checkpoint pagination method is used. This pagination method is optimized to support large quantities of results. The offset pagination method will be capped at 1,000 results. See the [Get Role Users Management API Documentation](https://auth0.com/docs/api/management/v2#!/Roles/get_role_user) for implementation details on the two pagination methods. https://auth0.com/changelog#gOayNIj6dWjjyfO28MLb5 Thu, 03 Nov 2022 00:00:00 GMT In order to support our customer’s growing SaaS businesses, we are excited to announce support for Organizations context in custom database scripts. This will make it easier to migrate users from your existing B2B applications to Auth0. Customers can now enable the additional custom database parameter __Context object in database scripts__.  Once enabled, the custom database action script will be passed an extra parameter, `context`, that contains information about the Organization that an end-user is interacting with.  To learn more about custom database support for Organizations, read [here](https://auth0.com/docs/authenticate/database-connections/custom-db/create-db-connection#create-database-action-scripts). https://auth0.com/changelog#2O39FMeE2YuQzh5pdiE6yK Mon, 31 Oct 2022 00:00:00 GMT Starting October 31, we are rolling out a new Okta Workforce Enterprise Connection. The Okta Workforce Enterprise Connection makes it easy for business customers to offer your product to their employees through their Okta dashboard, with seamless integration to Okta Workforce Identity Cloud. This enterprise connection is now free for all Okta B2B and Enterprise customers, and easier to discover and configure in Auth0. To learn more, visit [Connect Your Auth0 Application with Okta Workforce Enterprise Connection](https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/okta "Connect Your Auth0 Application with Okta Workforce Enterprise Connection") https://auth0.com/changelog#2aHrDdPgVCtFhgsvsz7gVI Sat, 22 Oct 2022 00:00:00 GMT We’ve reduced session timeout due to inactivity – for administrator sessions on manage.auth0.com – to 12 hours. This is another routine step in our continuous improvements in the security of our services. For many of our customer’s administrators, there will be no noticeable effect. For those administrators working in manage.auth0.com day to day, additional or more frequent challenges to log in — if you’ve been inactive for 12+ hours — will be the only effect. This change does not affect any sessions configured for your users and your applications as integrated with Auth0 identity services. The only changes are for administrator sessions on manage.auth0.com. https://auth0.com/changelog#7Fr56BLkhQrcHtAuJvg20J Fri, 14 Oct 2022 00:00:00 GMT We have expanded the list of [log event types](https://auth0.com/docs/deploy-monitor/logs/log-event-type-codes) visible for `Viewer-Users` and `Editor-Users` management dashboard roles to now also include the following: ``` fce, fcoa, fcpn, dcu, feccft, feoobft, feotpft, fepft, fepotpft, fercft,fi, fs, fui, sce, scpn, scu, sdu, seacft, sede, sens,seoobft, seotpft, sepft, si, sv, svr ``` A complete list of `Viewer-Users` and `Editor-Users` log event type codes can be found [here](https://auth0.com/docs/get-started/manage-dashboard-access/feature-access-by-role#log-events-available-to-user-roles-). https://auth0.com/changelog#YKt6jJumBQEa40qMygX1t Mon, 10 Oct 2022 00:00:00 GMT ##### The Bot Detection Allowlist is now available! In the bot detection dashboard we have now added an allowlist. This can be used to add a list of trusted IPs and/or CIDRs in order to by pass Bot Protection. You can read more about bot detection and the addition of the allowlist [here](https://auth0.com/docs/secure/attack-protection/bot-detection#let-trusted-ip-addresses-bypass-bot-detection "Bot Detection Documentation") https://auth0.com/changelog#KgAGtmyRpjq1i5qbgzfey Wed, 28 Sep 2022 00:00:00 GMT The Support Access Role within the Dashboard has been updated to allow for any user with Support Access granted to view and comment on Support tickets in the "Subscription Tickets" section of Support Center. Previously, users with Support Access only had access to "My Tickets" in Support Center. With this change, the Support Access Role allows for users to now see and update "Subscription Tickets" as well. For more information on feature access by role, see: [Dashboard Access by Role Documentation here](https://auth0.com/docs/get-started/manage-dashboard-access/feature-access-by-role). https://auth0.com/changelog#ANtDQ5HlXvmC2jhm63jd4 Thu, 22 Sep 2022 00:00:00 GMT Auth0 Teams initially allowed viewing only tenant administrators for the selected tenant from the Teams Dashboard. You can now view all members, including non-administrator roles, using Teams. [Follow the link to learn more.](https://auth0.com/docs/get-started/tenant-settings/auth0-teams "Single point of visibility.") https://auth0.com/changelog#65ZAZ374rdWzPhYfeHOsl9 Wed, 21 Sep 2022 00:00:00 GMT #### __Now announcing the ability to block breached credentials on sign-up with Breach Password Detection!__ With the previous version of Breached Password Detection, we have the ability to block log-ins when a set of known breached credentials are used for a user's account. We have now added the ability to enable the same functionality with the signup process. Within the Breach Password Detection dashboard, there is now a toggle to turn on Breached Password Detection for account creation. Once on, the user, upon trying to create an account with a set of known breached credentials, will receive a prompt informing them that a combination of credentials was detected in a public breach and to use a different password. To learn more about Breached Password Detection, read [here](https://auth0.com/docs/secure/attack-protection/breached-password-detection "Breached Password Detection Documentation") https://auth0.com/changelog#5wlkOCmXYBZmdlUpmYIGVl Mon, 19 Sep 2022 00:00:00 GMT Developers can now configure their custom Guardian SDK based applications to have push notifications sent directly to the device platform providers, iOS and Android. Within the Auth0 dashboard, developers can configure each device platform by providing the key or certificate for FCM and APNs. AWS SNS remains fully supported as this feature is intended to provide more flexibility to best fit your needs. Documentation available here for [FCM](https://auth0.com/docs/secure/multi-factor-authentication/multi-factor-authentication-factors/configure-push-notifications-for-mfa#configure-push-notifications-for-android-using-fcm) and [APNs](https://auth0.com/docs/secure/multi-factor-authentication/multi-factor-authentication-factors/configure-push-notifications-for-mfa#configure-push-notifications-for-apple-using-apn-). https://auth0.com/changelog#1CwJ3Ynqk6vLNVNnttqo2l Wed, 14 Sep 2022 00:00:00 GMT We are excited to bring a new version (v3) of Post-login Trigger in Actions to our customers. This backwards-compatible version update effectively enhances the security safeguard and brings new features to Actions. You can read the summary below and find out more information in our release [docs](https://auth0.com/docs/customize/actions/flows-and-triggers/login-flow/releases). ### Breaking Changes __*api.redirect.canRedirect()*__ marked as deprecated. __*api.redirect.sendUserTo()*__ will no longer skip redirecting when in a non-interactive flow. This means that calls to api.redirect.sendUserTo() should first check if the redirect is needed before issuing the redirect. ### New Features __*event.authentication.methods()*__ may now also contain custom methods completed by users within that session and recorded using api.authentication.recordMethod() from the onContinuePostLogin handler. __*api.authentication.recordMethod()*__ is added as a way to store a record for the completion of a custom method in the user’s session. These APIs allow you to strictly require custom factors for certain scenarios. To learn more about v1 and v2 updates, follow [Actions releases notes](https://auth0.com/docs/customize/actions/releases). https://auth0.com/changelog#3MoE84lVFILO2jzAPmotX3 Fri, 09 Sep 2022 00:00:00 GMT All of the alerts and notifications that are currently published in the [Auth0 Support Center](https://support.auth0.com/) are now also available to read inside the [Manage](https://manage.auth0.com/) dashboard. With this change, the options under the bell icon on the right side of the Manage banner no longer redirect to the Auth0 Support Center, but rather allow you to check your notifications without leaving the dashboard. https://auth0.com/changelog#joGTkS6YW0DoI59trHMiJ Mon, 29 Aug 2022 00:00:00 GMT Announcing the [general availability](https://auth0.com/docs/troubleshoot/product-lifecycle/product-release-stages#general-availability) release of auth0-flutter, our brand new SDK for adding authentication to Flutter applications. With auth0-flutter, developers now have native Auth0 support to implement web auth login and logout, automatic storage and renewal of user credentials, custom credentials manager, and key Authentication API methods. To learn more and get started building with Flutter and Auth0, checkout our recent [blog post](https://auth0.com/blog/introducing-the-auth0-flutter-sdk/), [Quickstart](https://auth0.com/docs/quickstart/native/flutter/interactive), SDK on [GitHub](https://github.com/auth0/auth0-flutter). https://auth0.com/changelog#5c12pmIHZw4DtAj1kiM4vb Mon, 15 Aug 2022 00:00:00 GMT Auth0 has released native integrations for Mixpanel and Twilio Segment via our [Log Streaming feature](https://auth0.com/docs/customize/log-streams). https://auth0.com/changelog#66pB4SVZ8HGZoxDL8sIePi Fri, 12 Aug 2022 00:00:00 GMT Auth0 is excited to announce a newly expanded offering for our new [private cloud platform](https://auth0.com/blog/a-technical-primer-of-auth0-s-new-private-cloud-platform/) customers - Actions Integrations are now available from the Auth0 Marketplace. What that means is all Auth0 customers that utilize our new private cloud platform have access to all the offerings on the Auth0 Marketplace - SSO, Social Connections, Log Streaming Integrations and now, Actions Integrations. Actions Integrations will start to appear in the Development/Staging space now and will be ready in the Production environment in the coming weeks dependent on various release cadences. Make sure to visit the [Auth0 Marketplace](https://marketplace.auth0.com/) to see if there is an integration that optimizes your customer’s identity experience. To find out more about becoming a [Private Cloud](https://auth0.com/docs/deploy-monitor/deploy-private-cloud) customer, please [send an inquiry](https://auth0.com/get-started?place=documentation%20post&type=link&text=contact%20auth0%20sales) and someone from Auth0 will contact you about whether it’s a good fit for your business. Read more about the changes and improvements [here](https://auth0.com/blog/actions-integrations-now-available-in-private-cloud/). https://auth0.com/changelog#6bxBzXiltwj6YjhkhQLo8M Thu, 11 Aug 2022 00:00:00 GMT Auth0 Teams provides a single point of visibility and control over your enterprise tenants. Teams [First Availability](https://auth0.com/docs/troubleshoot/product-lifecycle/product-release-stages) is opened to customers with Enterprise tenants in Auth0's Public Cloud. The following features are available as part of Auth0 teams: - Visibility into tenants and tenant administrators. - Visibility and control of Team members. - Ability to restrict tenant creation. Please refer to [Auth0 Teams Documentation](https://auth0.com/docs/get-started/tenant-settings/auth0-teams) for more information. Contact your Technical Account Manager or Auth0 Support to enable Auth0 Teams and begin the journey of centralized visibility and control with us. More exciting new features are coming to Auth0 Teams, and we can't wait to share them with you. Please continue to look for Auth0 Teams product announcements in the future. https://auth0.com/changelog#3mjEgs4sOUw0CJQLNp5miV Thu, 28 Jul 2022 00:00:00 GMT Auth0 already supported adding custom claims to tokens via extensibility (Hooks / Rules / Actions), however, until today it **restricted the usage of custom claims to public namespaced custom claims**. This caused limitations for some onboarding scenarios and for implementing some standards that require private non-namespaced custom claims (such as FHIR for health care). Today, these barriers are gone! **Customers can add non-namespaced custom claims to Access and ID Tokens in OIDC flows**. ``` // an Auth0 action exports.onExecutePostLogin = async (event, api) => { // this was restricted, this is now allowed ! api.accessToken.setCustomClaim('favourite_color', 'blue'); api.idToken.setCustomClaim('favourite_star_wars_droid', 'n2c2'); } ``` - **Non-namespaced custom claims set on ID Tokens will be returned in the `/userinfo` endpoint**. - **New restrictions apply**: - Token size is capped to 100KB in all OIDC flows. - A list of claims (standard and auth0 internal) will be restricted and customers won’t be able overwrite them. - Creation of non-namespaced custom claims on tokens with Auth0 audiences are restricted to avoid collision with Auth0 internal services. To learn more, read [JSON Web Token Claims](https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-token-claims) and [Create Custom Claims](https://auth0.com/docs/secure/tokens/json-web-tokens/create-custom-claims) in the Auth0 Docs. If you were already using a previous, non-generally available mechanism to set non-namespaced custom claims, please read our [Migration Guide](https://auth0.com/docs/troubleshoot/product-lifecycle/deprecations-and-migrations/custom-claims-migration). https://auth0.com/changelog#0ZPVo3bYdwehxqIXz0pZ8 Wed, 27 Jul 2022 00:00:00 GMT Announcing the release of a new Dashboard [role called Support Access](https://auth0.com/docs/get-started/manage-dashboard-access/feature-access-by-role). This role provides users access to Auth0 Support Center and a limited view of aggregated dashboard metrics (Activity Page). Specifically, the Support Access role has access to: - Metrics-Only Activity Stats in the Auth0 Dashboard - Create and manage support tickets in Auth0 Support Center - Usage Reports in Auth0 Support Center - Compliance docs in Auth0 Support Center https://auth0.com/changelog#1GzYZnb8IGRM9jvd8X5SKJ Wed, 27 Jul 2022 00:00:00 GMT Starting today, July 27th 2022, you can no longer invite users directly to Auth0 Support Center. Access to Support Center can be added via roles available within [Auth0 Dashboard](https://auth0.com/docs/get-started/manage-dashboard-access/feature-access-by-role). Existing [Support Center users](https://auth0.com/docs/get-started/manage-dashboard-access/support-center-users) can still login to Support Center until Oct 3 2022. https://auth0.com/changelog#2LvoTI3FwmPYVToW997QPH Tue, 26 Jul 2022 00:00:00 GMT Announcing the [first availability](https://auth0.com/docs/troubleshoot/product-lifecycle/product-release-stages#first-availability "first availability") release of auth0-flutter, our brand new SDK for adding authentication to Flutter applications. With auth0-flutter, developers now have native Auth0 support to implement web auth login and logout, automatic storage and renewal of user credentials, custom credentials manager, and key Authentication API methods. To learn more and get started building with Flutter and Auth0, checkout the [Quickstart](https://auth0.com/docs/quickstart/native/flutter) and SDK on [GitHub](https://github.com/auth0/auth0-flutter/tree/first-availability/auth0_flutter). https://auth0.com/changelog#2iBKVDB9rUYEAGxevaVQ1s Thu, 21 Jul 2022 00:00:00 GMT Announcing the [general availability](https://auth0.com/docs/troubleshoot/product-lifecycle/product-release-stages#general-availability "General Availability Product Lifecycle") release of SimpleKeychain v1 and JWTDecode.swift v3, our utility libraries for storing user credentials in iCloud Keychain and decoding JWTs in iOS, macOS, tvOS, and watchOS apps. Both releases aim to modernize the libraries, dropping support for Objective-C, older versions of Swift, and outdated platform versions. To get started building with SimpleKeychain and JWTDecode.swift, you can view the latest release notes and migration guides on GitHub. - [SimpleKeychain](https://github.com/auth0/SimpleKeychain/releases/tag/1.0.0) - [JWTDecode.swift](https://github.com/auth0/JWTDecode.swift/releases/tag/3.0.0) Looking to extend this functionality and easily integrate Auth0 into iOS and Mac apps? Check out our [Auth0.swift](https://github.com/auth0/Auth0.swift "Auth0.swift SDK") SDK which supports SimpleKeychain, JWTDecode, and more. https://auth0.com/changelog#3EY4G2GnIKqvpwnRoJAO9I Tue, 19 Jul 2022 00:00:00 GMT Starting Jul 25, 2022 we are rolling out Node 16 to support Auth0 Rules and Hooks, and we recommend our developer customers [update the tenant global setting](https://auth0.com/docs/troubleshoot/product-lifecycle/deprecations-and-migrations/migrate-to-nodejs-16) to Node.js 16, or [migrate Legacy Rules/Hooks](https://auth0.com/docs/customize/actions/migrate/migrate-from-rules-to-actions) to Actions. Node.js 12 [is no longer supported](https://nodejs.org/en/about/releases/) and has exited Long Term Support (LTS), but it will remain available for Rules and Hooks for the time being. We encourage you to migrate your Rules and Hooks to Node.js 16 at a minimum. Ultimately we strongly encourage our developer community to migrate your Rules & Hooks to Auth0 Actions for [a greatly improved developer experience](https://auth0.com/blog/introducing-auth0-actions/). We plan to support every current and long-term supported Node version in the future through Actions exclusively. To take advantage of Node 16 for Rules and Hooks, simply select Node 16 for your tenants' Extensibility, Runtime setting (under Advanced Settings in the tenant dashboard). Your existing Rules and Hooks will then default to Node 16, so we recommend testing in a non-production tenant first. If you need to revert your Rules and Hooks to a previous version, you can revert back to Node 12 as well. We'll release more information about the Node 16 upgrade in our Docs shortly, and will update this Changelog when done. For customers using our flagship extensibility product Auth0 Actions, there will be no changes. Our long-term strategy is to unify all extensibility under Actions. We also encourage you to explore Actions Integrations - a modern approach to extensibility without Node version disruption. All Actions Integrations will run on Node 16 at launch, and will be maintained by Auth0 and our Marketplace Partners. We want to hear from you. Please share any feedback on your experience with our extensibility tools and Actions in [our Developer Community](https://community.auth0.com/c/actions/91). https://auth0.com/changelog#5cMwTi7ZIU42ebgT8w28a3 Wed, 29 Jun 2022 00:00:00 GMT Starting June 30, 2022 applications using __Sign in With Apple (SIWA)__ for account creation must also let users initiate deletion of their account from within the app. Apple offers the following guidance at [https://developer.apple.com/support/offering-account-deletion-in-your-app](https://developer.apple.com/support/offering-account-deletion-in-your-app) : * Make the account deletion option easy to find in your app. Typically, it’s included in the app’s account settings. * Offer to delete the entire account record, along with associated personal data. You may include additional options, but only offering to temporarily deactivate or disable an account is insufficient. * If people need to visit a website to finish deleting their account, include a link directly to the page on your website where they can complete the process. * Keep users informed. If the deletion request will take additional time to complete, let them know. If your app supports in-app purchases, help people understand how billing and cancellations will be handled. For Auth0 customers this can be done by a call to the Management API v2 endpoint __DELETE/users/%user_id% __ In addition, Apple now requires token revocation for the deleted user to remove the authorization from the list of applications on the user Apple account. In order to provide a complete solution, we have made an update to our SIWA integration. Auth0 will store and then revoke the Apple token on a user that has been created via SIWA on behalf of our customers. So no further action is necessary beyond user deletion to satisfy the new Apple requirement. https://auth0.com/changelog#PjB6nLl6zb1wjCEhG5zu4 Fri, 03 Jun 2022 00:00:00 GMT In order to support our customers' growing SaaS businesses, we have introduced some scalability improvements for Auth0 Organizations. Customers can now Search for Organizations in the Manage Dashboard, and those on our Enterprise subscription plan can request increased entity limits for Organizations and Organization Members. Both can now be raised up to 2M (2,000,000) on a per-tenant basis.  To request an entity limit increase, please connect with your technical account manager or create a support ticket in your Enterprise subscription which includes the following: - Description of your use-case and the reason for needing an increase - Which limit needs the increase (number of Organizations, or number of Organization members per-organization) - The name and region of the Auth0 tenants that need the increase applied https://auth0.com/changelog#3GNWzif1wgxxRd6CWmzH75 Wed, 01 Jun 2022 00:00:00 GMT The New Universal Login No-Code Customization Editor allows you to quickly design and configure your login experience with no coding or technical skills required. This can help to get your own customized, branded login experience running in just minutes. You can easily apply your own logo, change colors, apply fonts, customize borders, and change backgrounds for a look and feel that’s all your own. See your changes in real time using the large preview window. The preview allows you to zoom in on certain sections and move around your page for detailed inspection. You can interact with your new design with our “Try” feature. And you can save and publish your changes to your application in a single click. To learn more about the New Universal Login No-Code Customization Editor see the [No-Code Editor Documentation](https://auth0.com/docs/customize/universal-login-pages/customize-new-universal-login-with-the-no-code-editor) https://auth0.com/changelog#6invvrzCcIJSaFfislHyMW Tue, 31 May 2022 00:00:00 GMT Auth0 Bot Detection in public cloud is now upgraded with a new machine learning engine to help reduce bot attacks by 79%, with minimal impact on user experience. Part of the Auth0 Attack Protection add-on, Bot Detection now pairs machine learning with one of the world’s largest consumer identity platforms to screen more bots in nearly 90% of attacks compared to the previous iteration. The impact on user experience remains unchanged, as even during attacks, fewer than 1% of challenges are shown to humans. Better security shouldn’t mean more friction. To learn more about bot detection, see the [Auth0 Bot Detection documentation](https://auth0.com/docs/secure/attack-protection/bot-detection). https://auth0.com/changelog#QQxnUi1v9hAKQgDHLBenq Wed, 11 May 2022 00:00:00 GMT On Apr 3, 2022 Auth0 limited the ability to search nested fields in the details key of the /api/v2/logs endpoint. Only the most commonly used fields within the details key are searchable through the endpoint and throughout the Auth0 dashboard. All the data in the details key will still be returned to customers by the Management API and Log Streaming. https://auth0.com/changelog#7eReKl6cIecsBzNvhOc8u2 Thu, 05 May 2022 00:00:00 GMT The device credentials management API ([Auth0 Management API v2](https://auth0.com/docs/api/management/v2#!/Device_Credentials/get_device_credentials)) was returning an undocumented field `last_used`. This field has now been removed from the API response. https://auth0.com/changelog#1uSq2TFMlabQdziQ5Bq0Eh Wed, 04 May 2022 00:00:00 GMT Beginning May 4th, 2022, the capability to install certain log extensions will no longer be supported. In order to achieve consistency across all Auth0 offerings and to focus on enhancing the Auth0 Log Streaming feature, we are discontinuing the support of the following Log Extensions (Installed) as of November 2, 2022. The relevant Log Extensions are: - Auth0 Authentication API Webhooks - Auth0 Management API Webhooks - Logs to Cloudwatch - Logs to Logentries - Logs to Loggly - Logs to Logstash - Logs to Papertrail - Logs to Splunk - Logs to Sumo Logic - Logs to Logentries To learn more about migration to Auth0 Log Streams, read this [migration guide](https://auth0.com/docs/troubleshoot/product-lifecycle/deprecations-and-migrations/migrate-from-log-extensions). https://auth0.com/changelog#6EsFX1mPOP9fPVnrzR6YLb Thu, 21 Apr 2022 00:00:00 GMT We recently released a few updates to the Organizations feature: 1. Organization names can now be modified after creation. They still must be unique in the Auth0 tenant. 2. Organization parameters now show up when [debugging email templates](https://auth0.com/docs/customize/email/email-templates#debug-liquid-template-variables). 3. Enabled connections can now be included when creating an Organization via the [POST Organization endpoint](https://auth0.com/docs/api/management/v2#!/Organizations/post_organizations). 4. Fixed an issue where duplicates could be returned from the [GET Organization Members endpoint](https://auth0.com/docs/api/management/v2#!/Organizations/get_members). https://auth0.com/changelog#6BBzbWOwkhEZdzauu2s0Bg Wed, 13 Apr 2022 00:00:00 GMT The Bulk User Export will now escape string data types in the CSV export file. This is in conformance with OWASP standards for CSV injection mitigation. To ensure the content is read as text: - Double quote characters are prepended with a double quote character. - Each string is prepended with a single quote character. - Each string is wrapped in double quotes. This does not apply to dates in ISO 8601 format. Check out our [technical documentation](https://auth0.com/docs/users/import-and-export-users/bulk-user-exports#find-export-data "Link to Bulk Export Documentation") to learn more about bulk user exports. https://auth0.com/changelog#25CSs4pq46tpAL3oLZ0HJR Tue, 05 Apr 2022 00:00:00 GMT Announcing an improvement to Auth0’s security and performance with refresh token limits. We are limiting the amount of refresh tokens to 200 active tokens per user per application. Our service will periodically scan for client applications that keep an excess of active user refresh tokens and remove the excess on an older-first basis. Limiting the amount of refresh tokens helps prevent accidental creation and accumulation of unnecessary or forgotten tokens while also preventing performance side-effects and signaling anomalous authentication flows via [Refresh token excess warning](https://auth0.com/docs/deploy-monitor/logs/log-event-type-codes) in [tenant logs](https://auth0.com/docs/deploy-monitor/logs/view-log-events). You can read more on our [Refresh Token](https://auth0.com/docs/secure/tokens/refresh-tokens) page and follow-up with our [Token Best Practices](https://auth0.com/docs/secure/tokens/token-best-practices). https://auth0.com/changelog#2Rt4k094u233k2cpLaPNnu Tue, 22 Mar 2022 00:00:00 GMT Announcing the [general availability](https://auth0.com/docs/troubleshoot/product-lifecycle/product-release-stages#general-availability) release of [laravel-auth0](https://github.com/auth0/laravel-auth0) v7, our SDK for integrating Auth0 in Laravel applications. The v7 release of laravel-auth0 is a huge overhaul from v6 adding a wealth of developer experience improvements. Updates include support for Laravel 9, new plug and play controllers making it even easier to add authentication to Laravel apps, full integration with the recently updated Auth0-PHP v8 SDK, and more. To get started building with Laravel and Auth0, check out the latest release on [GitHub](https://github.com/auth0/laravel-auth0) or the [migration guide](https://github.com/auth0/laravel-auth0/blob/main/UPGRADE.md) if you are upgrading from previous versions. https://auth0.com/changelog#7dLWN7NMdiz6PG1z8rLMjz Thu, 17 Mar 2022 00:00:00 GMT The Viewer - Users and Editor - Users roles has now read access to the Organizations list and Organization Members in the Dashboard. Editor - Users can see Organization Invitations in addition. With this improvement, the Viewer - Users and Editor - Users Dashboard roles have a complete user visualization experience when the Organizations feature is being used. Read more about Dashboard roles in our [docs](https://auth0.com/docs/get-started/manage-dashboard-access/feature-access-by-role). https://auth0.com/changelog#2TOkVvGVzuClhnS4AahD13 Tue, 15 Mar 2022 00:00:00 GMT Announcing the [general availability](https://auth0.com/docs/troubleshoot/product-lifecycle/product-release-stages#general-availability) release of [auth0-vue](https://github.com/auth0/auth0-vue) v1, our brand new SDK for adding authentication to Vue applications. With auth0-vue, developers can integrate Auth0 into Vue 3 apps faster and easier than ever before. The new SDK is built on top of our [SDK for Single Page Applications](https://github.com/auth0/auth0-spa-js) providing all the same functionality wrapped in a native experience for Vue developers. To get started building with Vue and Auth0, check out the [Quickstart](https://auth0.com/docs/quickstart/spa/vuejs) and SDK on [GitHub](https://github.com/auth0/auth0-vue). https://auth0.com/changelog#2Hfl0c7pK6bTWKwYIy9px4 Mon, 14 Mar 2022 00:00:00 GMT Announcing the [general availability](https://auth0.com/docs/troubleshoot/product-lifecycle/product-release-stages#general-availability "general availability") release of [Auth0.swift](https://github.com/auth0/Auth0.swift "Auth0.swift v2") v2. Our Swift SDK lets you communicate efficiently with many Auth0 API endpoints and seamlessly integrates the Auth0 login. With this new major release, we’ve added support for async/await and Combine, more customization points like custom headers and custom credentials storage as well as removing the complexity of dealing with concurrent refresh grants with our thread-safe token renewals. We’ve also greatly improved the docs, the secure by default configuration, and error handling. To get started experimenting with the latest release, check out our updated [migration guide](https://github.com/auth0/Auth0.swift/blob/beta/V2_MIGRATION_GUIDE.md). https://auth0.com/changelog#5ZQfnWwfdPG23C1dTIPE2N Wed, 09 Mar 2022 00:00:00 GMT The Auth0 Terraform provider has been updated in the HashiCorp Terraform Registry and is now Verified by HashiCorp, and supported by Auth0 🎉 You can find the [Auth0 provider](https://registry.terraform.io/providers/auth0/auth0/latest "Auth0 Terraform provider, latest version overview") and [read the Docs](https://registry.terraform.io/providers/auth0/auth0/latest/docs "Auth0 Terraform provider, latest version docs") in the Terraform Registry directly. You can find the source code for the [Auth0 Terraform provider in GitHub](https://github.com/auth0/terraform-provider-auth0 "Public GitHub repo for Auth0 Terraform provider").  https://auth0.com/changelog#BbVlKEFZtZJhMFezaJa0F Wed, 23 Feb 2022 00:00:00 GMT Auth0 customers can now use the Auth0 Management API and SDKs to configure these attack protection features: * Breached password detection * Brute force protection * Suspicious IP throttling To learn about Management APIs, see the [Auth0 Management API explorer](https://auth0.com/docs/api/management/v2#!/Attack_Protection/get_breached_password_detection). To learn more about SDKs, see the [Auth0 SDK Libraries documentation](https://auth0.com/docs/libraries#mgmt). https://auth0.com/changelog#45sQCb7UFO4TPOu5v8ATLz Tue, 08 Feb 2022 00:00:00 GMT We have updated [Status Page](https://status.auth0.com/) to allow users to also subscribe to a RSS feed for status notifications related to their tenant.  https://auth0.com/changelog#yIxPEYVyNZ6Taphreez08 Mon, 07 Feb 2022 00:00:00 GMT Auth0 has released Credential Guard, a new security feature that protects your users and your enterprise from password theft. Credential Guard augments Auth0’s automated breached password detection feature, mitigating worldwide data breaches sooner, often before they’re made public. The new Enterprise add-on reduces the risk of data breaches to your application by up to 80%. Breached password detection relies on public announcements of large-scale data breaches. If your user’s credentials (based on their email address) have been exposed in a public data breach, Auth0 can automatically alert your users, challenge them with an additional authentication factor, or block access until they reset their password. With the Credential Guard add-on, a dedicated team of security professionals infiltrates criminal communities and gains access to exposed data as soon as breaches occur, often many months before any public announcement. With this advantage, you can better protect your users and secure your applications by resetting stolen passwords sooner. Credential Guard protects your enterprise from data breaches across more than 35 languages and 200 countries and territories. It helps you eliminate the costs associated with account takeovers, while also protecting your users' accounts. Credential Guard: * Exposes more than ten times the data breaches * Reveals breached credentials more quickly * Increases global coverage by adding data feeds for passwords in non-Roman characters Enterprise plan customers can add Credential Guard to their Auth0 agreement and then enable it from the [Auth0 Dashboard](https://manage.auth0.com/#/security/attack-protection/breached-password) If you have the Attack Protection add-on, you already have access to this feature. You can enable Credential Guard from the [Auth0 Dashboard](https://manage.auth0.com/#/security/attack-protection/breached-password): locate **Breached Password Detection method**, select **As soon as possible, with Credential Guard, and** select **Save**. To learn more, read [Breached Password Detection](https://auth0.com/docs/secure/attack-protection/breached-password-detection) in the Auth0 Docs. https://auth0.com/changelog#6BUDmwdDG205rYvsxHfMvf Wed, 02 Feb 2022 00:00:00 GMT We have again updated the [Auth0 Docs](https://auth0.com/docs "Auth0 Docs") experience 🤓 - we improved the article navigation by categorizing articles into job-focused topics, and - we've added a Table of Contents to complex or longer articles on the right side of the article view   https://auth0.com/changelog#5VjDRDd4KmxZUqordJV5O4 Mon, 24 Jan 2022 00:00:00 GMT Announcing the [general availability](https://auth0.com/docs/troubleshoot/product-lifecycle/product-release-stages#general-availability) release of [go-jwt-middleware](https://github.com/auth0/go-jwt-middleware) V2, our SDK for checking and validating JWTs in Go applications. The V2 release of our go-jwt-middleware is a giant leap forward from our V1 implementation. Updates include simplifying the JWT library interface, support for JWKS, and much more. Please note, this update contains breaking changes. To get started experimenting with the latest release, check out our updated [migration guide](https://github.com/auth0/go-jwt-middleware/blob/v2.0.0-beta/MIGRATION_GUIDE.md). https://auth0.com/changelog#tua9exNm5Nkw6nUNL5ogu Mon, 13 Dec 2021 00:00:00 GMT Auth0 has implemented a cache of additional entities stored in our databases which see low change rates but high number of requests. This cache will apply to endpoints of the Authentication API and will not impact the Management API. The following will be cached and updated every thirty (30) seconds: - General and advanced tenant configuration - UL Configuration including branding Though the behavior changes will be minimal, a follow-on effort will be made to reduce the impacts caching may have on the tenant administration experience. https://auth0.com/changelog#3QXBzKOb11U3sn2GzoGr0u Wed, 17 Nov 2021 00:00:00 GMT We’re excited to announce general availability of Auth0 Identity Platform as a private cloud deployment option on Microsoft Azure. This unlocks a secure cloud deployment option for organizations seeking a strategic fit with their technology stack, support for regional data residency capabilities and higher control over customer's data. You can learn more about deploying Auth0 Identity Platform on Azure in our [documentation](https://auth0.com/docs/deploy/private-cloud-on-azure). https://auth0.com/changelog#4y7zELP92RSvZ2IWkhQC57 Mon, 08 Nov 2021 00:00:00 GMT Announcing the [general availability](https://auth0.com/docs/product-lifecycle/product-release-stages#first-availability) release of express-oauth2-jwt-bearer, our new SDK for Express API’s. express-oauth2-jwt-bearer greatly simplifies the process of protecting your Express APIs with Bearer Token JWTs using a combination of the well established [OAuth2 Bearer Token Usage](https://datatracker.ietf.org/doc/html/rfc6750) spec and the recently published specification of [JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens](https://datatracker.ietf.org/doc/html/rfc9068). To learn more about the Auth0 express-oauth2-jwt-bearer SDK and try it yourself, check out our [Quickstar](https://auth0.com/docs/quickstart/backend/nodejs)t, and repo on [GitHub](https://github.com/auth0/node-oauth2-jwt-bearer/tree/main/packages/express-oauth2-jwt-bearer). https://auth0.com/changelog#2qR5fO6H0Aac4IiMqj3Jve Wed, 03 Nov 2021 00:00:00 GMT We have updated the [Auth0 Docs](https://www.auth0.com/docs "Auth0 Docs") experience to reflect the new [Auth0 brand](https://auth0.design/ "Auth0 Design").  https://auth0.com/changelog#60kp5QdqZ4DByeY0p8Ygno Tue, 02 Nov 2021 00:00:00 GMT Auth0 has implemented a cache of entities stored in our databases which see low change rates but high number of requests. This cache will apply to specific endpoints of the Authentication API and will not impact the Management API. The following will be cached and updated every thirty (30) seconds: - Connections - Applications Though the behavior changes will be minimal, a follow-on effort will be made to reduce the impacts caching may have on the tenant administration experience. https://auth0.com/changelog#1OgnYdl2SShJYaftwC8ky5 Fri, 22 Oct 2021 00:00:00 GMT Announcing the [general availability](https://auth0.com/docs/product-lifecycle/product-release-stages#first-availability "General Availability") release of Auth0.AspNetCore.Authentication, our new SDK for ASP.NET Core applications. Integrating Microsoft's OpenID Connect middleware, we’ve supercharged our .NET developer experience by making it even easier to integrate Auth0 in ASP.NET Core applications like MVC, Razor Pages, and Blazor. To learn more about the Auth0 ASP.NET Core SDK and try it yourself, check out our [blogpost](https://auth0.com/blog/exploring-auth0-aspnet-core-authentication-sdk/ "Auth0 ASP.NET Core SDK Blog"), [Quickstart](https://auth0.com/docs/quickstart/webapp/aspnet-core "Auth0 ASP.NET Core SDK Quickstart"), and repo on [GitHub](https://github.com/auth0/auth0-aspnetcore-authentication "Auth0 ASP.NET Core SDK - GitHub"). https://auth0.com/changelog#2gX7nYfhAOTFeiqgt1tt2R Tue, 05 Oct 2021 00:00:00 GMT We’re excited to announce first availability of Auth0 Identity Platform as a private cloud deployment option on Microsoft Azure. This unlocks a secure cloud deployment option for organizations seeking a strategic fit with their technology stack, support for regional data residency capabilities and higher control over customer's data. During [First Availability](https://auth0.com/docs/product-lifecycle/product-release-stages#first-availability "First Availability"), private cloud deployments on Azure will be available for select customers. You can learn more about deploying Auth0 Identity Platform on Azure in our [documentation](https://auth0.com/docs/deploy/private-cloud-on-azure "Auth0 Private Cloud on Azure"). https://auth0.com/changelog#5aysPPs2uXhefRQv9c2RwG Wed, 29 Sep 2021 00:00:00 GMT Auth0 has released Threshold Manager for Suspicious IP throttling. Auth0 users can now use Threshold Manager to set their preferred thresholds for Suspicious IP throttling. With a self-serve capability, users can now modify the default threshold for Suspicious IP throttling, giving them more flexibility and reducing any delays in implementing security policies. You can enable it in the [Auth0 Dashboard](https://manage.auth0.com/#/security/attack-protection/suspicious-ip-throttling). You can learn more in our [public docs](https://auth0.com/docs/configure/attack-protection/suspicious-ip-throttling) https://auth0.com/changelog#7lw4mv99tpbiuXScyeaRM3 Wed, 29 Sep 2021 00:00:00 GMT Log Stream Flexibility, after a successful beta, is now in general availability (GA). This allows both the ability to start a new log stream from a certain point in time and to filter logs based on specific log type categories. Learn more in our [public docs](https://auth0.com/docs/logs/streams/event-filters) https://auth0.com/changelog#48xUu7iNshIi7nVJrfKfCV Thu, 23 Sep 2021 00:00:00 GMT We added a new audit event (mgmt_api_read). This event will indicate when a client secret is present in the response of a successful management API read request. You can learn more in our [public docs](https://auth0.com/docs/monitor-auth0/logs/log-event-type-codes) https://auth0.com/changelog#6Oj8MlpNyy66dIvqVR3vMg Thu, 23 Sep 2021 00:00:00 GMT Heroku private space users in Tokyo now get a tenant in Auth0's Japan region when adding the Auth0 add-on. Check out [the add-on overview](https://elements.heroku.com/addons/auth0#region-map) to learn more about supported Heroku regions by Auth0. https://auth0.com/changelog#3Y44p9cjFfosYIR3YylcrP Wed, 15 Sep 2021 00:00:00 GMT The Bulk Users Export API upload now uses AWS S3 pre-signed URLs for the one-time downloads. The URL changed from `user-exports.[region].auth0.com` to `[environment]-auth0-export-users-[aws-region].s3.[aws-region].amazonaws.com` Check out our [technical documentation](https://auth0.com/docs/users/import-and-export-users/bulk-user-exports#find-export-data "Link to Bulk Export Documentation") to learn more about bulk user exports. https://auth0.com/changelog#3ccn4pizNvPIpS1Tezl6IZ Wed, 18 Aug 2021 00:00:00 GMT Applications that authenticate users via SAML can now use [Auth0 Organizations](https://auth0.com/docs/organizations) to support their business customers and partners. When [Auth0 is acting as a SAML IdP](https://auth0.com/docs/protocols/saml-protocol#saml-identity-providers), applications can now send users to Auth0 along with an organization ID, and they will be prompted to log-in in the context of that Organization. If no organization is provided, and the application is configured to require one, the user will be prompted to enter the name of the organization they’d like to authenticate with. After logging in, the SAML response will contain the associated Organization ID. Note that Organizations already supports federating users from your business customers’ organizations into your applications via SAML, by creating [SAML Enterprise Connections](https://auth0.com/docs/connections/enterprise/saml) and [enabling them for your organizations](https://auth0.com/docs/organizations/enable-connections). This update allows applications to trigger Organization login flows using SAML Authentication requests. Check out [our technical documentation](https://auth0.com/docs/organizations) to learn more about Organizations features and how they can be used to support SaaS and business-to-business applications. You can learn more about Auth0 support for SAML in [this blog post](https://auth0.com/blog/how-saml-authentication-works/).  https://auth0.com/changelog#2eQlap4J3TZ2vUVVuPklCy Mon, 09 Aug 2021 00:00:00 GMT We added Bosnian, Bulgarian, Croatian, Serbian, Slovenian, Icelandic, Ukrainian, Estonian, Lithuanian and Latvian language options to the New Universal Login flow. https://auth0.com/changelog#5w7DAAJd9hAI6piM46mVDr Wed, 14 Jul 2021 00:00:00 GMT The [Auth0 CLI](https://github.com/auth0/auth0-cli) lets you build, test, troubleshoot and manage your Auth0 tenants directly from the command line. If you are using the New Universal Login experience, you can take advantage of the CLI to easily customize the page templates. When you run: auth0 branding templates update The CLI will open two windows: - A browser window with a Storybook that shows the login page with the page template applied:  - Your default editor, with the page template code:  You can now change the page template code, and you will be able to preview the changes in the browser window. Once you close the window, you’ll be asked if you want to save the template. If you answer Yes, the template will be uploaded to your tenant. https://auth0.com/changelog#2qvS200PF7LMVBgiP32OjA Wed, 14 Jul 2021 00:00:00 GMT In order to achieve consistency across all Auth0 deployments and to focus on enhancing the Auth0 Custom Domain feature, we are discontinuing the Private Cloud Custom Domain capability as of December 20, 2021. This consistency enables us to enhance the feature and fix reliability issues faster, improving operational efficiency and enabling customers to get value out of custom domains quicker. To learn more about migration to Auth0 Custom Domains, read [this migration guide](https://auth0.com/docs/deploy/private-cloud/private-cloud-migrations/migrate-private-cloud-custom-domains). https://auth0.com/changelog#6CiwMVSHe0aWjZQl5mNFay Tue, 06 Jul 2021 00:00:00 GMT Auth0 has released Threshold Manager for Brute-force Protection. Auth0 users can now use Threshold Manager to set their preferred threshold for Brute-force protection. With a self-serve capability, users can now modify the default threshold for Brute-force protection, giving them more flexibility and reducing any delays in implementing security policies. You can enable it in the [Auth0 Dashboard](https://manage.auth0.com/#/security/attack-protection/brute-force). You can learn more in our [public docs](https://auth0.com/docs/attack-protection/brute-force-protection). https://auth0.com/changelog#1MTAk7krZlhgCkNWLoMme7 Tue, 06 Jul 2021 00:00:00 GMT Auth0 has released Adaptive MFA Risk Assessors. Auth0 users can now enable Adaptive MFA Risk Assessors to assess and monitor risk signals for the login transactions without forcing an adaptive MFA flow. Though Adaptive MFA Risk Assessment is required for enabling the Adaptive MFA policy, it can also be used to implement custom MFA policies using Rules without Adaptive MFA in the flow. You can enable it in the [Auth0 Dashboard](https://manage.auth0.com/#/security/mfa). You can learn more in our [public docs](https://auth0.com/docs/mfa/enable-mfa). https://auth0.com/changelog#17N4kAmBQPLlBNrvKZfyKD Mon, 05 Jul 2021 00:00:00 GMT As part of our continuing work to improve compliance of the New Universal Login flow with accessibility standards, we have made a few improvements in the UI. ### Error Messages Error messages were not properly communicated to assistive technology users, resulting in users being unable to identify them. To address this issue, we have enhanced our forms to link the error messages with the field that has the error: In the previous version, we displayed all errors in the form together, below the fields. In order to connect each message to a specific field, we are linking the label to the affected field and updating the visual style:  ### Focus Improvements The focus indicators for Links were also difficult to detect. We updated the style to make it more visible:  Additionally, it was not possible to set the focus on the ‘Show Password' icon by using the keyboard. We have changed that functionality and it is now possible, with an updated focus style:  ### Link Styles Since everyone does not have the same abilities to distinguish between colors, color should not be used as the sole visual means of conveying information. In order to make links more accessible, we have increased the font weight in addition to changing the link text color:  https://auth0.com/changelog#3vj2v0nwvuzybqyHWgePz7 Thu, 24 Jun 2021 00:00:00 GMT The Viewer - Config role has now read acccess to the Organizations list, overview and enabled connections in the Dashboard. Read more about Dashboard roles in our [docs](https://auth0.com/docs/dashboard-access/feature-access-by-role "docs"). https://auth0.com/changelog#12zfx82rLjIpo64mfoguu6 Wed, 23 Jun 2021 00:00:00 GMT Auth0 users can now enable reCAPTCHA Enterprise to block bot and scripted attacks. This has expanded Auth0 CAPTCHA offerings to include Google’s enterprise version for reCAPTCHA which does not have a monthly limit on the number of assessments. You can enable it in the [Auth0 Dashboard](https://manage.auth0.com/#/security/attack-protection/bot-detection) You can learn more in our [public docs](https://auth0.com/docs/attack-protection/bot-detection) https://auth0.com/changelog#1O21odHOtp8kn17Mosewdp Mon, 14 Jun 2021 00:00:00 GMT Auth0 supports continuous integration and deployment (CI/CD) of Auth0 Tenants and integration into existing CI/CD pipelines by using the auth0-deploy-cli tool, which supports the importing and exporting of Auth0 Tenant configuration data. The [auth0-deploy-cli 7.0.0](https://github.com/auth0/auth0-deploy-cli/releases/tag/v7.0.0) update has now been released. Added - MFA Support Recovery Codes - Support for Organizations - Prompt link to Auth0 Docs upon insufficient scope Removed - Node.js 8 - Various unneeded dependencies For migration documentation, see [https://github.com/auth0/auth0-deploy-cli/wiki/Migrating#v5-to-v7](https://github.com/auth0/auth0-deploy-cli/wiki/Migrating#v5-to-v7) For a full list of Auth0 Management API resources now supported by the auth0-deploy-cli tool, and for links to documentation and usage examples, see the project [README.md](https://github.com/auth0/auth0-deploy-cli). https://auth0.com/changelog#4JFgBMu0dzYcJ94o7Zd8jM Mon, 14 Jun 2021 00:00:00 GMT WebAuthn with Security Keys and WebAuthn with Device Biometrics are supported as new multi-factor authentication methods to log in to our management Dashboard, in addition to the existing Guardian, OTP, and SMS factors. WebAuthn combines maximum security with a low-friction user experience. We encourage you to add another layer of protection to your account by enabling them in your [Account Settings page](https://manage.auth0.com/#/profile). You can read more in our [public docs](https://auth0.com/docs/dashboard-access/add-change-remove-mfa). https://auth0.com/changelog#pLK3EZETNYbZwpvMU2z1P Mon, 07 Jun 2021 00:00:00 GMT To allow users continued access to their account in the event that they lose access to their primary multi-factor authentication (MFA) method, Auth0 provides a *Recovery Code* flow that is presented after the user enrolls in MFA. Depending on the application and how tech savvy end-users are, this adds significant friction. It also does not resolve the issue since most users often do not have access to those recovery codes, when they need them most. To simplify MFA adoption for applications, Auth0 now treats Recovery Codes as any other authentication method, which can be enabled or disabled. When disabled, end users will not be asked to enroll a Recovery Code, and will not be able to authenticate with one. Recovery Codes will be enabled for existing tenants that are using MFA but will be disabled, by default, in new tenants. Tenant admins can change this option in the [Multi-factor Authentication configuration screen](https://manage.auth0.com/#/security/mfa). You can learn more about this in [our documentation](https://auth0.com/docs/mfa/configure-recovery-codes-for-mfa). https://auth0.com/changelog#oY3TzltuHkonTVXVnqCsD Wed, 02 Jun 2021 00:00:00 GMT The Dashboard Activity page has been reimagined and now provides tenants with access to data and charts that give them a high-level understanding of their tenant data. Initially, Tenants will be able to track metrics over time such as Active Users, Sign-ups, and Retention in addition to Failed logins. Auth0 will consistently add additional functionality and features to improve the user experience. This feature will be available to all US tenants gradually as part of a First Availability rollout. We plan on rolling the update out to the remaining regions over the coming months. Customers will receive a notification when it becomes available in their particular region. You can learn more in our [public docs](https://auth0.com/docs/get-started/dashboard/activity).  https://auth0.com/changelog#52mmSMAvveZLeCQWEGYEnq Fri, 28 May 2021 00:00:00 GMT Auth0 now supports using WebAuthn with Device Biometrics as the first authentication factor. You can enable it from a new Authentication Profile (https://manage.auth0.com/#/authentication-profiles) page in the Auth0 dashboard. Once enabled, users will be given the option to enroll with WebAuthn after entering their password, if they are logging in from a [WebAuthn-capable device](https://webauthn.me/browser-support). The image below shows the flow for iOS 14+:  The next time they login from that device, they will be asked to use their device biometrics by default:  Users will go through this flow each time they login for the first time in a new device. We call this feature Progressive Enrollment, and it will help many consumers and corporate employees which already possess devices with built-in biometrics for identification, to get a more convenient login experience while improving security at the same time. Learn more about how to configure it [here](https://auth0.com/docs/universal-login/configure-universal-login-with-passwordless/webauthn-device-biometrics). https://auth0.com/changelog#5erRPemTfs6SHFuReJgP5L Thu, 27 May 2021 00:00:00 GMT Important Notice: although it is not a supported Auth0 product, we are publishing guidance about Sharelock End of Life as a public service announcement. [Sharelock.io](http://sharelock.io/) service is being ended and the site will be shut down August 1st, 2021. After this date Sharelock will no longer be available, and you will not be able to retrieve any shared secrets that are stored only in Sharelock. - If you are creating a new shared secret via Sharelock you should plan to move to other alternatives such as [1Password](https://1password.com) and [SendSafely](https://sendsafely.com/) immediately. Creation of Sharelock secrets will no longer be available after June 9th, 2021. - If you’re retrieving a secret shared with you via Sharelock, you should store this secret in another secure location so you do not lose access to it after August 1st, 2021. https://auth0.com/changelog#2K6x8w9GEQC0b7WQAVdNdM Mon, 24 May 2021 00:00:00 GMT We have updated the Auth0 Dashboard experience to reflect the new [Auth0 brand](https://auth0.design/ "Auth0 Design").  https://auth0.com/changelog#7h8Zqe2iWT3wq3tAHsSs16 Tue, 11 May 2021 00:00:00 GMT We've added the option to assign Tenant Environment tags from the context of the Manage Dashboard. Tenant Environment tags allows your team to easily identify development, staging and production tenants. Read the updated documentation [here](https://auth0.com/docs/dev-lifecycle/set-up-multiple-environments "Set Up Multiple Environments"). https://auth0.com/changelog#5dZGxNOmmfSopkDyvK4crB Tue, 11 May 2021 00:00:00 GMT Actions, after a successful beta, is now in general availability (GA). Actions includes functionality from our legacy product Rules and Hooks under a unified developer focused experience. We brought many of the developer focused features in Actions Beta forward to the GA product including: - An easy to use Flow Editor to better visualize your custom logic in our pipeline - Draft Mode - Version Control - Testing before deploying to prod - Improved secret management - Expanded list of supported NPM modules to over 1MM - Unified programming model across all triggers - Improved logging We encourage you to get started with Actions today and provide feedback and questions to us through our [community channel](https://community.auth0.com/c/actions/91). We will continuously build new functionality and extending new elements of the Auth0 pipeline through Actions. We have also updated our [documentation pages](http://www.auth0.com/docs/actions/triggers) to help building and migrating to Actions easy. https://auth0.com/changelog#5W05fVQ7pS46vgyd38KQ3b Tue, 11 May 2021 00:00:00 GMT The Auth0 Community is in the process of deprecating the following Github repos: - [ember-simple-auth-auth0](https://github.com/auth0-community/ember-simple-auth-auth0) - [auth0-socketio-jwt](https://github.com/auth0-community/auth0-socketio-jwt) - [auth0-joomla](https://github.com/auth0-community/auth0-joomla) These repositories will no longer be available on Github after the end-of-life date, __September 30, 2021__. Please make plans to find a suitable replacement or remove these libraries from any active projects before the end-of-life date. Please reply to the [Community announcement](https://community.auth0.com/t/community-repo-deprecations-september-2021-eol/60380) if you have any questions or concerns. https://auth0.com/changelog#5gIg8jrsPaznqfou0CLCkC Tue, 04 May 2021 00:00:00 GMT ### Updated Actions Programming Model We’ve updated the Actions programming model with improvements including consistency between different triggers. This update affects how you write your Actions code going forward. Your existing Actions will continue to execute without any changes. New Actions you create will use the updated version of the programming model. ### New Features to Actions We’ve also made improvements to the public API, allowing you to better discover the data model for triggers and we have improved the logging experience for Action executions. You can reference our [documentation](http://www.auth0.com/docs/actions/triggers) for more details about the changes we’ve made, and find sample code for common use cases. https://auth0.com/changelog#5lFSAdLbE1BSA2faMf72gP Wed, 21 Apr 2021 00:00:00 GMT When you authenticate with Google Workspace, Google always returns an access_token. If you add `access_type=offline&approval_prompt=force` to the authentication request, Auth0 forwards those parameters to Google, and Google also returns an refresh_token. We always stored the access_token in the user’s identity, which customers could use to all Google’s APIs. However, we did not store the refresh_token. We changed the behavior and also store the refresh_token when returned by Google. https://auth0.com/changelog#BEFj0aa6aSySNoKhmAuFa Tue, 13 Apr 2021 00:00:00 GMT Auth0 has released a public beta of Log Stream Flexibility Enhancements. This allows both the ability to start a new log stream from a certain point in time and to filter logs based on specific log type categories. You can enable the new feature in the [Auth0 Dashboard](https://manage.auth0.com/dashboard) and learn more in our [public docs](https://auth0.com/docs/logs/streams/event-filters) https://auth0.com/changelog#3ks0rPxzumRAmCfIjcFQYW Thu, 08 Apr 2021 00:00:00 GMT We added Thai, Turkish, Indonesian, Greek and Vietnamese language options to the New Universal Login flow. https://auth0.com/changelog#4h0CGdumXDwQ554anvGFPK Wed, 07 Apr 2021 00:00:00 GMT Organizations is a broad update to the Auth0 platform that improves support for Auth0 customers that build and maintain business-to-business and software-as-a-service applications.  Auth0 customers on our Enterprise and Startup subscription plans can now: - Represent the teams, business customers, and partners that use their applications as _organizations_ in Auth0 - Set up branded, federated login flows for each organization - Manage organization members in a variety of ways, including just-in-time membership and email invitations - Define roles to represent what end-users can do in their applications and assign those roles to organization members, so they can have different roles in different orgs - Build administration capabilities into their products so that administrators in those organizations can manage their own membership and access levels To learn more, have a look at the [announcement blog post](https://auth0.com/blog/introducing-auth0-organizations/) and [technical documentation](https://www.auth0.com/docs/organizations). https://auth0.com/changelog#5677bFxmh27MNT5cXSol2A Thu, 01 Apr 2021 00:00:00 GMT Brute-force Protection now supports Account Lockout mode which will block an account after too many consecutive failed login attempts. You can enable it in the [Auth0 Dashboard](https://manage.auth0.com/dashboard) You can learn more in our [public docs](https://auth0.com/docs/attack-protection/brute-force-protection) https://auth0.com/changelog#3FfE1blPq9tLxTYMINq2Cl Wed, 31 Mar 2021 00:00:00 GMT Auth0 now enables you to enhance your tenant’s security to provide your users with secure access to your applications from public and shared devices. When configured to create non-persistent sessions, the feature automatically terminates the session cookies when the user closes the browser. The session lifetime configuration at the tenant level controls the life of the server sessions. For more information take a look at our [public document](https://auth0.com/docs/sessions/non-persistent-sessions) https://auth0.com/changelog#5PlrjKuURKUaRccsiORpNz Wed, 31 Mar 2021 00:00:00 GMT WebAuthn with Device Biometrics for Multi-factor Authentication is now generally available. This enables users to use their WebAuthn-capable devices to complete MFA with their device's biometrics authenticators. You can enable it in the [Auth0 Dashboard](https://manage.auth0.com/#/security/mfa) You can learn more in our [public docs](https://auth0.com/docs/mfa/configure-webauthn-device-biometrics-for-mfa). https://auth0.com/changelog#oIERWkWLNUvmPpvEKVIwh Tue, 30 Mar 2021 00:00:00 GMT We've released a new user experience for managing tenant members, and a set of new [dashboard roles](https://auth0.com/docs/dashboard-access/feature-access-by-role) (available to enterprise plans) that cover a wider range of collaboration use cases. As part of this initiative, Auth0 is removing the Application Admin dashboard role, that allowed Admins to invite collaborators to the Auth0 dashboard with access to selected applications, as well as users and connections. The Application Admin role is no longer available for inviting new tenant members. Existing Application Admins will be able to keep their role until **September 30, 2021**. Refer to the [migration guide](https://auth0.com/docs/product-lifecycle/deprecations-and-migrations/migrate-tenant-member-roles) for more details. https://auth0.com/changelog#6RLEMLb77gHvlbEknjjbcE Thu, 25 Mar 2021 00:00:00 GMT Auth0 has released Always CAPTCHA option for Bot Detection This enables users to have more control over when CAPTCHA is presented on the login and sign-up flows. CAPTCHA can be used as an incident response method It is also possible to enable the Bot Detection risk assessors to gather information about bot traffic without challenging users with CAPTCHA. You can enable it in the [Auth0 Dashboard](https://manage.auth0.com/#/security/attack-protection/bot-detection) You can learn more in our [public docs](https://auth0.com/docs/attack-protection/set-attack-protection-preferences) https://auth0.com/changelog#3rPCQithaMDPkuzKXzZGsg Mon, 22 Mar 2021 00:00:00 GMT Today we're releasing the new version of our Management Dashboard navigation and layout after 3 months available as an opt-in experience. This experience improves our side and top navigation and takes advantage of our customer's screen real estate by adding a flexible layout and a collapsible sidebar. The experience will be enabled as the default experience for all new tenants and existing tenants that didn't explicitly opted out in the past. Tenant admins will be able to switch back to the legacy experience until May 2021 via the Feature Previews section in Tenant Settings. Read more about the changes and improvements [here](https://auth0.com/docs/get-started/dashboard/upcoming-dashboard-changes "Upcoming Dashboard Changes"). https://auth0.com/changelog#3Lk1BJBpBqVC0AQvzbTKDE Thu, 04 Mar 2021 00:00:00 GMT Beginning 10 May 2021, the public cloud Auth0 network edge will no longer accept TLS 1.0 or TLS 1.1 traffic. These legacy protocols are insecure, with well-known weaknesses and vulnerabilities within the industry. For maximum security, all Auth0 clients must upgrade to TLS 1.2 or later. The exact details and steps required will vary, depending on your application. For further details, see [Upgrade to TLS 1.2, what action to take?](https://community.auth0.com/t/upgrade-to-tls-1-2-what-actions-to-take/56547) posted in Auth0 Community. https://auth0.com/changelog#3rkombBZtMtikTAlxhz1of Wed, 03 Mar 2021 00:00:00 GMT We understand how critical Auth0’s services are for the success of your business. To support that and ensure end-users always have the ability to access your applications, we are excited to announce that we have updated our availability SLA to 99.99% across all Auth0 environments. The 99.99% availability guarantee applies to all enterprise production Auth0 tenants which means you can expect no more than 4 minutes of downtime for them per month. This is a significant improvement over our previous Public Cloud availability SLA of 99.90% which allowed for nearly 44 minutes of downtime per month. More details on the updated SLA can be reviewed in Auth0’s Service Level Description published at [https://auth0.com/legal](https://auth0.com/legal). We continue to invest in improving the resilience of its platform and the reliability of its application services. Visit [https://status.auth0.com/](https://status.auth0.com/) at any time to check the status of our platform. https://auth0.com/changelog#5p3tldtALhHezKhkm4SDqK Thu, 25 Feb 2021 00:00:00 GMT Starting this week, the following Extensions will no longer be available in the extension gallery: - Auth0 Deploy CLI Extension - Gitlab Deployments - Bitbucket Deployments - Github Deployments - Azure/Visual Studio Team Services Deployments We are replacing our deploy extensions with improved guides for a better developer experience. Deploy extensions were built at a time before automated code deployment services from web-based DevOps tools. With the advent of Gitlab Pipelines, Github Actions, Bitbucket Pipelines, and Azure Pipelines, the extensions we provide through the Auth0 Extensions Gallery are now obsolete in a world of automated CI/CD pipelines provided by SaaS partners. For developers who have already installed and configured these extensions, the services and solutions provided by these extensions will continue to work. For developers looking to employ the functionality previously provided through these extensions, we have created a series of guides available in the Auth0 Marketplace that provide a more custom and improved experience than the extensions provided. [GitLab Pipelines](https://marketplace.auth0.com/integrations/gitlab-pipeline "Auth0 Marketplace Gitlab Pipeline") [Github Actions](https://marketplace.auth0.com/integrations/github-actions "Auth0 Marketplace Github Actions") [Bitbucket Pipelines](https://marketplace.auth0.com/integrations/bitbucket-pipeline "Auth0 Marketplace Bitbucket Pipeline") [Microsoft Azure Pipelines](https://marketplace.auth0.com/integrations/azure-pipeline "Auth0 Marketplace Microsoft Azure Pipelines") With the Deploy CLI Extension, we received feedback from many customers that as our product evolved, the extension provided unnecessary additional friction to use the Deploy CLI. The Deploy Extension was intended to be a quick solution to creating an application in your dashboard to quickly connect your external Deploy CLI with your Auth0 instance, however, as the Deploy CLI evolved, so did the need for more customization in how the service connected. The functionality formerly found through the extension will now be served through the [Deploy CLI installation guide](https://auth0.com/docs/extensions/deploy-cli-tool/create-and-configure-the-deploy-cli-application-manually "Auth0 Deploy CLI Guide"). As always, be sure to regularly check the Auth0 Marketplace for all the ways you can use integrations to improve your Auth0 experience. https://auth0.com/changelog#1Eee2MQt0uQsfKCL27aDi5 Wed, 10 Feb 2021 00:00:00 GMT Auth0 has released WebAuthn with Security Keys for Multi-factor Authentication. This enables users to use with FIDO Security Keys to increase the security of their accounts. It is available for customers that have the Enterprise MFA add-on enabled. You can learn more in our [public docs](https://auth0.com/docs/mfa/configure-webauthn-with-security-keys-for-mfa). https://auth0.com/changelog#1sDyHsVk1cxQb3fYXPoXte Tue, 09 Feb 2021 00:00:00 GMT We have updated our login page to use the New Universal Login experience and to reflect the new [Auth0 Brand](https://auth0.design/). https://auth0.com/changelog#2OU3ML07gY9r4GeTVa9gn4 Mon, 08 Feb 2021 00:00:00 GMT Brute-force Protection now supports an AllowList to permit IP addressed of both v4 and v6 to bypass Brute-force blocking behavior. You can learn more in our [public docs](https://auth0.com/docs/attack-protection/brute-force-protection). https://auth0.com/changelog#5KBVZGSsk6zZB39kNXXZOe Fri, 05 Feb 2021 00:00:00 GMT A grant provides an application access to a resource on another entity without exposing user credentials. Tokens are issued in the context of a grant, and when a grant is revoked, so do all tokens issued in the context of that grant. When, on the other hand, a token is revoked, this does not necessarily mean that the grant is revoked. This feature allows the customer to decouple the revocation of refresh token from the revocation of the grant. When this feature is turned on, a refresh token revocation will result in the revocation of the grant that the token is associated with. If, on the other hand, the feature is turned off, then a refresh token revocation will keep the grant intact. For existing tenants, this feature is turned on by default to preserve the existing behavior. For new tenants, this feature is turned off by default to make sure that a revocation of a refresh token will not revoke the grant. If a grant revocation is needed, a separate request must be sent using an existing grant revocation endpoint. For more information, refer to the following documentation: [Refresh token and grants](https://auth0.com/docs/tokens/refresh-tokens/revoke-refresh-tokens#refresh-tokens-and-grants) https://auth0.com/changelog#7ouzdL7Xno6rW0Ych0Zir0 Fri, 05 Feb 2021 00:00:00 GMT Auth0's user profile has a property called `user.multifactor`, which was supposed to let you know if the user was enrolled in MFA or not. In the past, we only set the property the first time the user completed the MFA challenge, but not when the user enrolled or when MFA was reset. This behavior was fixed, and now the property is always up to date. You can reliably use it to know of the user is enrolled in MFA. https://auth0.com/changelog#6wJMBOrmzwk180ybvipCs1 Wed, 03 Feb 2021 00:00:00 GMT New built-in roles for dashboard members with limited privileges are generally available under enterprise plans, for improved access control. The new roles include: - __Admin__: Read and write access to all resources in the dashboard. - __Editor - Specific Apps__: Read and write access to specific applications only. - __Editor - Connections__: Read, write, and create access to all types of connections. - __Editor - Users__: User Management operations (create, delete, block, unblock, reset MFA, reset password, update metadata, assign roles, etc.) and access to logs. - __Viewer - Users__: Read-only access to users and logs - __Viewer - Config__: Read-only access to all configuration settings (applications, APIs, rules, security settings, etc.), except for sensitive information such as secrets, billings, users, and logs. Tenant members with limited privileges will see only the dashboard’s sections and actions that their respective roles support. They won't be able to see the tenant members section nor invite other members. You can read more about the specific permissions for each role in the [Auth0 documentation](https://auth0.com/docs/dashboard-access/dashboard-roles/feature-access-by-role). https://auth0.com/changelog#6fyzyMcU9pWYpgSsKDpdP0 Tue, 26 Jan 2021 00:00:00 GMT In order to improve security and prevent leaks, we have stopped displaying connections and MFA secrets in the Auth0 Dashboard after the configuration is saved. This change includes secrets from: - Enterprise connections - Social connections - Passwordless connections - Multi-factor authentication providers https://auth0.com/changelog#36DBSU1FawvAXs9PWiENJ1 Thu, 14 Jan 2021 00:00:00 GMT You can now configure the New Universal Login Experience to use an identifier-first flow, which supports Home Realm Discovery for enterprise connections. You can enable the new behavior in the [Universal Login section](https://manage.auth0.com/#/login_settings) of the Auth0 Dashboard. You can learn more in our [public documentation](https://auth0.com/docs/universal-login/identifier-first). https://auth0.com/changelog#7nHuUO9bBkMFoDL0kYYjzR Thu, 14 Jan 2021 00:00:00 GMT # Update to POST/api/v2/tickets/password-change With a optional `client_id` parameter, you can now generate password reset tickets to enable a "Back to <app name>" button with application specific redirect behaviors using New Universal Login.  [POST/api/v2/tickets/password-change](https://auth0.com/docs/api/management/v2/#!/Tickets/post_password_change) `client_id` is an optional parameter that is the ID of the application. If provided for tenants using New Universal Login experience, the user will be prompted to redirect to the default login route of the corresponding application once the ticket is used. See [Configuring Default Login Routes for more details](https://auth0.com/docs/universal-login/configure-default-login-routes#completing-the-password-reset-flow). https://auth0.com/changelog#2CVjMxa2SLFfbRMdCuj9Ke Fri, 18 Dec 2020 00:00:00 GMT You can now use CSS to hide or change the New Universal Login page logo from Page Templates. This enables scenarios like changing the logo depending on the application. You can learn more in [our docs](https://auth0.com/docs/auth0-email-services/manage-email-flow#css-customization). https://auth0.com/changelog#3CvlbwuCnBSRVuN2GPbmxS Fri, 18 Dec 2020 00:00:00 GMT We changed the layout of the Login page for the New Universal Login Experience. The Sign Up link is now rendered below the Continue button, instead of at the bottom of the page. The image below shows the previous an the current default login page:  To keep the rest of the pages consistent, we removed the footer section in all of them, and the links that were displayed in that section are now below the rest of the content. https://auth0.com/changelog#hDbp73otKHcHlLU6LNyic Wed, 16 Dec 2020 00:00:00 GMT Auth0 is excited to announce general availability of a new public cloud environment in Japan. The Auth0 Japan environment joins the US, EU and Australia environments previously available, enabling our customers to offer lower login latencies to their users within Japan and in neighboring countries. Auth0 customers can specify their preferred location by simply choosing the Japan region during the tenant creation process. The new Auth0 tenant created will have the `<tenant>.jp.auth0.com` domain name, and will enable customers to comply with legislation governing data regulation, privacy and consumer law.  https://auth0.com/changelog#2kjYN1ei9IcKiJ4pqpWU9a Tue, 15 Dec 2020 00:00:00 GMT Auth0 is proud to introduce Refresh Token Expiration, which includes two methods of expiring Refresh Tokens to balance security with usability: Absolute Expiration, and Inactivity Expiration. Absolute Expiration: When enabled, you can configure the absolute lifetime for refresh tokens, after which, the end-user must re-authenticate before being issued a new refresh token. When disabled, the absolute lifetime will be indefinite. Inactivity Expiration: When enabled, you can configure the inactivity lifetime for refresh tokens, which expires the refresh token if the user is not active in the application during the inactivity lifetime period. Using a combination of Inactivity Expiration with Absolute Expiration, you can easily configure shorter lifetimes for more secure applications, or create an experience for end-users whereby they have seemingly indefinite sessions as long as they are active regularly in your application. In addition, updated default settings for Refresh Tokens are applied to all new applications. To learn more about this capability, see our product documentation: https://auth0.com/docs/tokens/refresh-tokens/configure-refresh-token-expiration. https://auth0.com/changelog#MpHHZKh4BIbMsnWT8lf5S Mon, 14 Dec 2020 00:00:00 GMT Auth0 has released [Adaptive MFA](https://auth0.com/docs/mfa/adaptive-mfa "Adaptive MFA Documentation"), a new feature within the Multi-factor Authentication offering. Adaptive MFA allows customers to trigger Multi-factor Authentication based on a series of contextual risk scores, such as whether the user is signing in from an unknown device, or whether the user login is evidencing an impossible travel situation, or whether the user login happens from a risky IP. The feature also allows customers to access risk assessments in rules, which can be used to write custom business logic to trigger MFA. https://auth0.com/changelog#1dzOI95EyKJkn1dILMdKUz Wed, 09 Dec 2020 00:00:00 GMT We’re introducing improvements to the user experience of configuring Security related features in our Management Dashboard. Read more [here](https://auth0.com/blog/improving-the-way-you-configure-security-settings-in-the-dashboard/) __What changed?__ - Anomaly Detection section has been renamed to Attack Protection - Multi-factor Authentication and Attack Protection (Previously Anomaly Detection) have been moved under the new Security section - Attack Protection (Previously Anomaly Detection) and Multi-Factor Authentication features now present a refreshed and simpler configuration experience - Guides for crafting Security dashboards using our Log Streaming functionality are available under the Monitoring section https://auth0.com/changelog#4n4xnXvj7moD2YiNZP8164 Thu, 03 Dec 2020 00:00:00 GMT Correlation-ID support for Management API is now Generally Available. This feature allows for adding a unique identifier in management API calls related to changes to the Auth0 account. The same identifier is then available in event logs, allowing for an audit trail for such changes. You can see an example of how to use this feature in our [Management API docs](https://auth0.com/docs/api/management/v2). https://auth0.com/changelog#6Po2xQtd26bP7heOhiE3Mp Thu, 19 Nov 2020 00:00:00 GMT Starting November 19th, 2020 we now expose IPv6 addresses in our public endpoints e.g. acme.us.auth0.com. If a client request arrives at this endpoint from a machine which supports IPv6, then context.request.ip will show an IPv6 address. If you're currently perdforming ip address manipulation or checking manually, we encourage you to use [`ipaddr.js@1.9.0`](https://www.npmjs.com/package/ipaddr.js/v/1.1.0) which is already available by default in Rules, Hooks, and the Actions Beta. https://auth0.com/changelog#9bD90svQix7ZRFXY6nccg Tue, 17 Nov 2020 00:00:00 GMT Auth0 has released a native integration for [streaming event to Sumo Logic](https://auth0.com/docs/logs/streams/stream-logs-to-sumo-logic) via our Log Streaming feature. You can also use our [Sumo Logic App](https://auth0.com/docs/logs/streams/sumo-logic-dashboard) to get started with visualizing Auth0 event logs without any development effort. https://auth0.com/changelog#1dwdgvf6ItYZAo5wBs71lm Mon, 09 Nov 2020 00:00:00 GMT Auth0 has released public beta of WebAuthn with Device Biometrics for Multi-factor Authentication. This enables users to use their WebAuthn-capable devices to complete MFA by using their device's biometrics authenticators. You can enable it in the [Auth0 Dashboard](https://manage.auth0.com/#/mfa) You can learn more in our [public docs](https://auth0.com/docs/mfa/configure-webauthn-device-biometrics-for-mfa). https://auth0.com/changelog#4jN5PNx7R0hVDS0H4C2wd Mon, 09 Nov 2020 00:00:00 GMT Auth0 has released public beta of WebAuthn with Security Keys for Multi-factor Authentication. This enables users to use with FIDO Security Keys to increase the security of their accounts. You can learn more in our [public docs](https://auth0.com/docs/mfa/configure-webauthn-with-security-keys-for-mfa). https://auth0.com/changelog#4ta957VymfD7OFE8YS1qP5 Wed, 28 Oct 2020 00:00:00 GMT Auth0 provides an API to [generate MFA Enrollment Tickets](https://auth0.com/docs/mfa/auth0-guardian/create-custom-enrollment-tickets). The API generates a URL, which can be sent to end-users by email. Once users navigate to the URL, they are asked to enroll to MFA. In the past, the MFA enrollment page was rendered using the [Classic Universal Login Experience](https://auth0.com/docs/universal-login/classic-experience) even if [New Universal Login Experience](https://auth0.com/docs/universal-login/new-experience) was enabled. The behavior was changed, and the enrollment page will be displayed with the selected login experience. https://auth0.com/changelog#3DS4qkgx1j6PZ8MuOXMOLn Mon, 21 Sep 2020 00:00:00 GMT On September 21st, 2020 we launched the [Auth0 Marketplace](https://marketplace.auth0.com/), a new way to discover our growing catalog of solutions and integrations. Auth0 Marketplace makes it easier and faster to extend and customize your Auth0 solution. 🤞 Trusted — All of the integrations you find in the Marketplace are pre-validated by Auth0, so you know you can trust them. 🔎 Searchable — Not only can you easily search for an integration you want, but the Marketplace also makes it easy to browse for integrations that you may not even know you need! Browse through our trusted catalog of partner and third-party integrations to see how you can take your Auth0 solution to the next level with just a couple clicks. 👥 Open — We want the Marketplace to work for you. Do you have an integration in mind that's missing from the Marketplace? We'd love to hear from you! You can request an integration in our Community forum, or even submit your own! All submissions will be tested and vetted by Auth0 so that you can feel safe using the Marketplace. Keep following as we are adding new integrations to the Marketplace regularly. You can find the Marketplace at [https://marketplace.auth0.com/](https://marketplace.auth0.com/) For more information about the launch, check out our blog post: [Introducing the Auth0 Marketplace](https://auth0.com/blog/introducing-auth0-marketplace/). https://auth0.com/changelog#1YYV67SdttjtG2k2Xm5uOb Tue, 15 Sep 2020 00:00:00 GMT Auth0 has released a native integration for [streaming tenant event logs to Splunk](https://auth0.com/docs/logs/export-log-events-with-log-streaming/stream-logs-to-splunk) via our Log Streaming feature. You can also use our [Splunkbase App](https://splunkbase.splunk.com/app/5193/) to [get started](https://auth0.com/docs/logs/export-log-events-with-log-streaming/splunk-dashboard) with visualizing Auth0 event logs without any development effort. https://auth0.com/changelog#naWypVemCUWr6OEvFAADq Mon, 14 Sep 2020 00:00:00 GMT Dashboard Admins that opt-in to enable MFA for accessing the Auth0 Dashboard with an extra layer of security can now enroll additional factors as well as regenerate recovery codes to prevent being locked out of their account in case they lose their primary device. The MFA settins for Dashboard users can be configured in the [Profile Page](https://manage.auth0.com/#/profile). Learn more by reading our [docs](https://auth0.com/docs/get-started/dashboard/manage-dashboard-users#add-change-or-remove-mfa). Adding one or two phone numbers for SMS in addition to Push or OTP factors, as well as storing the backup code, is strongly recommended to prevent losing access to your account. https://auth0.com/changelog#5MZjPso6rrnKncEVcjMBV7 Thu, 10 Sep 2020 00:00:00 GMT Auth0’s Management APIv2 now provides a means to validate emails from users logging in _using any connection_. **What changed?** We added the option to specify a user identity when calling the following endpoints: **POST /api/v2/jobs/verification-email** [https://auth0.com/docs/api/management/v2#!/Jobs/post_verification_email](https://auth0.com/docs/api/management/v2#!/Jobs/post_verification_email) This jobs endpoint can be used when you want to leverage Auth0’s email templates to initiate an email verification flow. A new (optional) **identity** field can be specified in the payload. When specified, this will allow an email job to be created for a specific user identity within a user. The **identity** must include a **provider** and **user_id**. **POST /api/v2/tickets/email-verification** [https://auth0.com/docs/api/management/v2#!/Tickets/post_email_verification](https://auth0.com/docs/api/management/v2#!/Tickets/post_email_verification) If you prefer to leverage your own email capabilities, you can use this tickets endpoint to generate an email verification link to use in your custom flows. A new (optional) **identity** object field can be added to the payload. When specified, this will allow a ticket to be created for a specific user identity within a user. The **identity** must include a provider and **user_id**. By doing this, you can select a secondary, federated, or passwordless-email identity to be verified. Once the user verifies their email using Auth0, the `email_verified` flag associated with the provided identity will be set to `true`. Subsequent logins using a federated identity will not overwrite this value. If the identity being verified happens to be the primary identity of the user, the `email_verified` at the root of the user profile will also be set to true. **How does this affect me?** You can take advantage of this capability right away. If you choose not to specify an identity when initiating an email verification flow, no behavior will change. We will continue to only allow for verification of the primary identity of users belonging to the Auth0 IDP. **To explore these new capabilities, get started at: [Email Verified Usage](https://auth0.com/docs/users/guides/email-verified) or explore the [APIs ](https://auth0.com/docs/api/management/v2)** https://auth0.com/changelog#3aofaHb6jzjbcKKFZ3IyEK Sat, 05 Sep 2020 00:00:00 GMT You can now use a [Liquid Templates](https://shopify.github.io/liquid/) to customize the HTML content for the New Universal Login pages. This will allow you to: - Customize the background with gradients or background images - Change the page layout - Add a header or footer - Provide different content depending on the application or the universal login page Learn more in our [documentation](https://auth0.com/docs/universal-login/new-experience/universal-login-page-templates). https://auth0.com/changelog#1dYhS9Sb8yYgbfZ4tlbldl Tue, 25 Aug 2020 00:00:00 GMT Auth0 added limited support for wildcard use in Allowed Web Origins application URLs to make it easier for subscribers to test applications in CI/CD scenarios. Auth0 does not recommend using wildcards in application URLs for production applications; the [OAuth BCP](https://tools.ietf.org/html/draft-ietf-oauth-security-topics-14#page-11) states that exact URL matching is the safest approach. Read more in [Auth0 Support Center](https://support.auth0.com/notifications/5f456b8f619a29000ae23f25). https://auth0.com/changelog#3FxiiWLhaFtjBEgUWDpiRe Thu, 30 Jul 2020 00:00:00 GMT We added Czech, French (Canada), Hungarian, Polish, Romanian, and Slovak language options to the New Universal Login flow. https://auth0.com/changelog#4OcuGQYJi9SCsdUkZxTuvq Thu, 30 Jul 2020 00:00:00 GMT You can now provide end-users the option to get multi-factor authentication one-time codes using SMS or Voice calls. You can read more in our public [docs](https://auth0.com/docs/mfa/guides/configure-phone). https://auth0.com/changelog#5dbOPV9MWZWRkUrvB47Wwk Thu, 28 May 2020 00:00:00 GMT You can now add support for authenticating users with Facebook using the [Facebook SDK](https://developers.facebook.com/docs/apis-and-sdks/) in native applications. This improves the user experience, and allows your applications to comply with [Facebook's Platform Policies](https://developers.facebook.com/policy/). You can learn more in our [docs](https://auth0.com/docs/connections/nativesocial/facebook), the [iOS Quickstart](https://auth0.com/docs/quickstart/native/ios-swift-facebook-login) and the [Android Quickstart](https://auth0.com/docs/quickstart/native/android-facebook-login). https://auth0.com/changelog#5EKgGx9kzwBcmHjDXxfJzq Tue, 19 May 2020 00:00:00 GMT User MFA enrollments can be imported using either the [automatic migration](https://auth0.com/docs/users/guides/configure-automatic-migration) or the [bulk user imports](https://auth0.com/docs/users/guides/bulk-user-imports) method, allowing flexibility and control over the import process. The supported enrollment types are: - __Email:__ for [email](https://auth0.com/docs/mfa/concepts/mfa-factors#email-notifications) verification - __ Phone:__ for [SMS](https://auth0.com/docs/mfa/concepts/mfa-factors#sms-notifications) verification - __TOTP:__ for [One-Time Passwords (OTP)](https://auth0.com/docs/mfa/concepts/mfa-factors#one-time-passwords) used with authenticator applications, such as Google Authenticator, Microsoft Authenticator, Authy, Duo, etc. Get started by reading [Import Multi-Factor Authenticators](https://auth0.com/docs/mfa/guides/import-user-mfa) https://auth0.com/changelog#kmI6Hj7XhoYfS3gZXUVTY Mon, 11 May 2020 00:00:00 GMT Log streaming is now GA. You can now stream events to AWS Eventbridge, Datadog, and other targets using the Webhook. Additionally, we provide more visibility into stream health to help debug potential issues during stream setup. https://auth0.com/changelog#6QUVSMNnQdUv1gNhdVL0zH Mon, 11 May 2020 00:00:00 GMT Auth0 now supports integrating Log Streams with Datadog, and can stream your tenant's log events directly to your Datadog account in near real-time. https://auth0.com/changelog#b3GHxvKx4x5WweaDYMPtt Thu, 23 Apr 2020 00:00:00 GMT Auth0 subscribers can now rotate and revoke the Signing Keys that are used to sign assertions sent to their clients, via the Manage Dashboard or API. Read more in our [docs](https://auth0.com/docs/tokens/guides/manage-signing-keys). https://auth0.com/changelog#5N261JdhKfd0nadgoohDv2 Thu, 23 Apr 2020 00:00:00 GMT Auth0 now offers a way use any SMS Provider to deliver SMSs with a new extensibility Hook. Read more in our [docs](https://auth0.com/docs/hooks/extensibility-points/send-phone-message). https://auth0.com/changelog#1y97YcPS5OScQScEvISnsx Wed, 15 Apr 2020 00:00:00 GMT Auth0 now offers Refresh Token Rotation (RTR) with Reuse Detection, which provides a secure method for using refresh tokens in SPAs while providing end-users with seamless access to resources without the disruption in UX caused by browser privacy technology like ITP. RTR is available to all customers in public cloud as of April 15, 2020, and is scheduled to be available in Private Cloud in May. Read more about this on [our blog](https://auth0.com/blog/securing-single-page-applications-with-refresh-token-rotation/). https://auth0.com/changelog#7D76SCkOsvaTIYTFI28sV4 Thu, 27 Feb 2020 00:00:00 GMT Accelerate user migration with an enhanced bulk user import with expanded support for common password hashes. Auth0 enhanced bulk user import with expanded support for common password hashes. Auth0 now supports importing user passwords hashed with the following algorithms: Argon2, bcrypt (now supports custom number of salt rounds), HMAC, MD4, LDAP, MD5, PBKDF2, SHA1, SHA256, and SHA512. This enables you to import users to Auth0 from legacy systems without requiring end-users to reset their passwords. The new custom password object supports a wide array of parameters as well as the ability to upsert (or update) for subsequent import jobs. To get started go to [Bulk User Imports](https://auth0.com/docs/users/guides/bulk-user-imports). Want to check if we support the hashing algorithm you use? Go to [Bulk User Import Database Schema and Example](https://auth0.com/docs/users/references/bulk-import-database-schema-examples) for details on the specific hash algorithms, parameters, and encodings we support. https://auth0.com/changelog#2aRGMm0GTgAatY8SLgm1Rd Tue, 18 Feb 2020 00:00:00 GMT We've added support for directing users to the signup page in the New Universal Login Experience. Read [more](https://auth0.com/docs/universal-login/new#signup). https://auth0.com/changelog#7nNUzLkkXqQPXNVuHCTfTA Fri, 31 Jan 2020 00:00:00 GMT We now support Webhooks (Beta) for your log events! Auth0 can stream events to your callback URL in near real-time. https://auth0.com/changelog#5myG4r2zCgNwA6SFR1Wo9P Thu, 30 Jan 2020 00:00:00 GMT We've added support for creating and managing Auth0 hooks via the management API, the Node.js SDK, and the deploy-CLI tool. Read the [API Documentation](https://auth0.com/docs/api/management/v2#!/Hooks/get_hooks) and the [Deploy-CLI README](https://github.com/auth0/auth0-deploy-cli) for more details. https://auth0.com/changelog#5vbuePrdACZckUgrMe8eNc Mon, 06 Jan 2020 00:00:00 GMT We've added support for embedding passwordless login in Native and Regular Web Apps. Read [more](https://auth0.com/docs/connections/passwordless/guides/embedded-login). https://auth0.com/changelog#2DfALYdboJlzUWEDXm62PF Tue, 17 Dec 2019 00:00:00 GMT We’ve added a new extensibility hook: Post-Change Password Hook BETA Customers using [Database Connections](https://auth0.com/docs/connections/database), can implement custom actions that execute after an end-user changes their password or after a tenant admin updates an end-user’s password. For example, you can trigger an email to confirm a password change. Get started by checking out the documentation on hooks [here](https://auth0.com/docs/hooks). Or, if you are already familiar with hooks, browse the docs and code samples for the new [post-change password hook](https://auth0.com/docs/hooks/guides/post-change-password). https://auth0.com/changelog#7os8qbleRMt2lbFCM9aXr2 Wed, 04 Dec 2019 00:00:00 GMT We've added a [Text Customization API](https://auth0.com/docs/universal-login/text-customization) for the New Universal Login Experience. https://auth0.com/changelog#46nfBhzPBGirhBhWo5Pzyh Wed, 04 Dec 2019 00:00:00 GMT We've localized the New Universal Login Experience to [Hindi](https://auth0.com/docs/universal-login/i18n). https://auth0.com/changelog#eZplzJ9WKjYGaZMcZnz8b Tue, 03 Dec 2019 00:00:00 GMT Auth0 integration with [Amazon EventBridge](https://aws.amazon.com/eventbridge/) was announced, a serverless event bus. This new integration connects Auth0 event logs to a variety of AWS services in near real time, unlocking a variety of new use cases that support [event-driven](https://aws.amazon.com/event-driven-architecture/) and [microservices](https://aws.amazon.com/microservices/) application architectures. Learn more [here](https://auth0.com/docs/integrations/aws-eventbridge). https://auth0.com/changelog#2sdWh5YkVuxZCFPw3XBfO6 Tue, 05 Nov 2019 00:00:00 GMT We added email provider support for SparkPost EU version. This release enables tenants to use SparkPost’s email service hosted in EU region for localized data protection and transiting, and to be in full compliance with GDPR for emails. Learn more [here](https://auth0.com/docs/email/providers#configure-sparkpost). https://auth0.com/changelog#6nqzlU5EpBPqqWp5AfZau5 Mon, 04 Nov 2019 00:00:00 GMT Requests to Auth0 Management API v2 using access tokens issued for a Single Page Application (SPA) now have a dedicated rate limit of 10 requests per minute per user. To learn more about access tokens for SPAs go [here](https://auth0.com/docs/api/management/v2/get-access-tokens-for-spas) and to learn more about Auth0’s rate limit policy go [here](https://auth0.com/docs/policies/rate-limits). https://auth0.com/changelog#7JeZWYsdWKdICFRzqe6St9 Thu, 31 Oct 2019 00:00:00 GMT In order to make the Dashboard Administrators invite flow more secure and to avoid confusions, we are now enforcing that the email address of the user that logged in or signed up to accept the invite matches the email address that the invitation was sent to. https://auth0.com/changelog#2CQE6WhHT9WYex8WTf8ifO Wed, 30 Oct 2019 00:00:00 GMT Auth0 has made the following security enhancements to one-time-passcodes (OTP) for passwordless connections: - We will only accept the most current unused one-time password (or link) issued; any previous OTPs will expire once a new OTP is issued. - Users have three attempts to input the correct one-time password; any additional attempts will require a new OTP request. - OTPs for new passwordless connections are valid (by default) for three minutes before expiration. This time can be altered in the connection settings in the [dashboard](https://manage.auth0.com/). Read more about [passwordless connections](https://auth0.com/docs/connections/passwordless) or learn how to [troubleshoot passwordless connections](https://auth0.com/docs/connections/passwordless/reference/troubleshoot). https://auth0.com/changelog#70wXwpjN8SBU3j2yyLpOpa Tue, 15 Oct 2019 00:00:00 GMT We've added a calendar picker on the [Logs page in the dashboard](https://manage.auth0.com/#/logs). https://auth0.com/changelog#5puTw5r1vFGdWeegwiZO7 Thu, 26 Sep 2019 00:00:00 GMT Auth0 now enables application developers to easily integrate Sign in with Apple on both Native Apps and Web applications. SIWA for native applications is a new capability that uses an entirely native flow (the user is not required to log in using a browser; the entire exchange takes place natively) that includes an updated iOS SDK for iOS13, a [new QuickStart](https://auth0.com/docs/quickstart/native/ios-swift-siwa), configuration via the Auth0 Admin, and [updated documentation](https://auth0.com/docs/connections/social/apple). With this new capability, you can offer users a consistent login experience across all your applications using SIWA as a social identity provider. Support for SIWA is available to all customers effective today. Read more [here](https://auth0.com/blog/learn-how-to-implement-sign-in-with-apple-easily/). https://auth0.com/changelog#6SaP3lnWiK0GI2y69YqFzh Fri, 23 Aug 2019 00:00:00 GMT We've added a support for using DUO with Custom Domains . https://auth0.com/changelog#24ydAgLZrgTdd5OjHHAuGi Fri, 23 Aug 2019 00:00:00 GMT Our OIDC Enterprise Connection is out of beta. Please check the [documentation](https://auth0.com/docs/connections/enterprise/oidc) for more information. https://auth0.com/changelog#5jjvGOGjVJty8Hcmn9Cldm Thu, 22 Aug 2019 00:00:00 GMT Subscription plans in the [dashboard](https://manage.auth0.com) were updated with new pricing. Quota reports for External Active Users were added in the [Support Center](https://support.auth0.com/reports/quota) https://auth0.com/changelog#RXwVeocIu1QzfyyKtAwOd Wed, 14 Aug 2019 00:00:00 GMT We've added a new Social connection for LINE . Please check the [documentation](https://auth0.com/docs/connections/social/line) for more information. https://auth0.com/changelog#37QjJkhJX9S9PZY9OEU6kd Wed, 14 Aug 2019 00:00:00 GMT We've improved our beta OIDC Connection, by adding support for the Authorization Code flow. Please check the [documentation](https://auth0.com/docs/connections/enterprise/oidc) for more information. https://auth0.com/changelog#1CTbodQAmJiCHP2K9NonvQ Tue, 30 Jul 2019 00:00:00 GMT Auth0 enhanced [Bulk User Import](https://auth0.com/docs/users/guides/bulk-user-imports) to support bulk updating [select user attributes](https://auth0.com/docs/users/references/user-profile-structure#user-profile-attributes) using the upsert parameter. The upsert parameter can be either set to “true” or “false” during bulk user import and it impacts “pre-existing” users in Auth0. When using bulk user import for the first time you would not bother with upsert since it is only meant to update existing records. However, if you want to run an import again on existing users (by appending more users or upserting fields on existing users), the upsert parameter may be useful. You can use this to do things like update name values from marital status changes or add pictures. If upsert parameter is set to `false (default value)` during a bulk user import, pre-existing users that match on email address will not be updated. When set to `true`, pre-existing users that match on email address will be updated, but only with upsertable attributes. *Note: Prior to this release, if you used the upsert parameter and did not specify values for app_metadata, user_metadata or email_verified, those attributes would be replaced with null values.* With this update, upsert will not replace those attributes will null values and you can now more efficiently implement bulk user imports for the following select attributes. - app_metadata - email_verified - given_name - family_name - name - nickname - picture - user_metadata There is no action required by you and you can start taking better advantage of the Bulk User Import capability today. To get started check out the [Bulk User Imports](https://auth0.com/docs/users/guides/bulk-user-imports) documentation and to see a full list of attributes supported see our [User Profile Attributes](https://auth0.com/docs/users/references/user-profile-structure#user-profile-attributes). As with many other changes to our product, this improvement came from feedback from our valued community. So, if you have feedback on how we can continue to make our product better, please let us know through [this form](https://auth0.com/feedback). We're always listening and it is super easy! https://auth0.com/changelog#3mhf3NFyE2XdnZs36AbLka Tue, 23 Jul 2019 00:00:00 GMT Prior to this release when managing users via [Database Connection](https://auth0.com/docs/connections/database), [Bulk User Import](https://auth0.com/docs/users/guides/bulk-user-imports), or [Management API v2](https://auth0.com/docs/api/management/v2) the username field was restricted to alphanumeric characters, “+”, “.”, “_” and “-”. Auth0 added support for “!”, “#”, “$”, “'”, “^”, “`”, “~”, and “@”. In addition, [Auth0 Universal Login](https://auth0.com/docs/universal-login) supports these characters upon username registration to a Database Connection. This enhancement simplifies user migration from systems like Microsoft Azure Active Directory or custom databases, where usernames often contain special characters. At Auth0 we are always looking for ways to simplify onboarding and get started faster. There are no immediate changes you need to make to your existing setup and you can start taking advantage of this right away. To learn more, please visit our [Adding Username for Database Connections](https://auth0.com/docs/connections/database/require-username) documentation. This improvement came by way of feedback from people like you. We’d love to hear from you on how we can further improve the product. It is super easy and we’re always listening. Welcome you to contribute product feedback [here](https://auth0.com/feedback). https://auth0.com/changelog#1NqFITlAuUBMl9WZKE5H4b Mon, 15 Jul 2019 00:00:00 GMT We enhanced security with a new option in [advanced tenant settings](https://manage.auth0.com/#/tenant) to prevent exposure of registered user information Auth0 has released a security enhancement in your [advanced tenant settings](https://manage.auth0.com/#/tenant) that will help protect against exposure of registered user information. Bad actors may attempt to guess registered usernames or email addresses by reading error response codes such as `user_exists` in the public signup API.  You can set this option in your [advanced tenant settings](https://manage.auth0.com/#/tenant) in the Auth0 dashboard or via the [Management API v2](https://auth0.com/docs/api/management/v2). New tenants will have this option enabled by default. We highly recommend that you take advantage of this option to prevent exposure of personal information. To learn more, please visit our [Tenant Settings in the Auth0 Dashboard documentation](https://auth0.com/docs/dashboard/dashboard-tenant-settings). https://auth0.com/changelog#4ijQSDfJzfVZsQkfu9f8Fz Tue, 09 Jul 2019 00:00:00 GMT We've added a dropdown to filter logs by type on the [Logs page in the dashboard](https://manage.auth0.com/#/logs). https://auth0.com/changelog#6tBLj3Q3ArcowLV9wdM8ZF Mon, 24 Jun 2019 00:00:00 GMT We've shipped a beta version of an OIDC Connection, that makes it simple to federate to OIDC Identity Providers. Please see the [documentation](https://auth0.com/docs/connections/enterprise/oidc) for more information. https://auth0.com/changelog#1cpnNfvxn6YASiYANM4gkd Wed, 19 Jun 2019 00:00:00 GMT We've enhanced the platform by adding support for the OAuth 2.0 Device Authorization Grant (Device Flow). Device flow enables end-users to authorize input-constrained devices with Internet connectivity (http) to access protected resources such as streaming media, online services, or account information. Examples of input constrained devices include, but are not limited to Smart TVs, Media Players (AppleTV, Roku), some consumer IoT devices, and CLI applications with no access to a browser or graphical shell. For detailed information, please see the [documentation](https://auth0.com/docs/flows/concepts/device-auth) and the [tutorial](https://auth0.com/docs/flows/guides/device-auth/call-api-device-auth). You can also have a hands-on experience using the [Device Flow Playground](https://auth0.github.io/device-flow-playground), which enables you to experience the flow using your own tenant without having to write any code. https://auth0.com/changelog#2lONpDSrpmKRRgFzUDNaaC Wed, 19 Jun 2019 00:00:00 GMT The new Universal Login Experience is [Generally Available](https://auth0.com/blog/introducing-the-new-auth0-universal-login-experience/). Try it now to benefit from a reimagined login flow, a with a fresh UX design and lightweight pages. https://auth0.com/changelog#6f5Kw6h60vLEH7KVDFmQO Mon, 17 Jun 2019 00:00:00 GMT We've added [beta support](https://auth0.com/blog/try-sign-in-with-apple-in-your-auth0-apps-today/) for 'Sign in With Apple'. https://auth0.com/changelog#7GOZuz4WMXeM4PrUFrHsQP Wed, 12 Jun 2019 00:00:00 GMT We've [localized](https://auth0.com/docs/universal-login/i18n) the New Universal Login Experience. https://auth0.com/changelog#54ZTN6xIzZNLxWpsyqR9Vp Wed, 12 Jun 2019 00:00:00 GMT We've added support for using [Email as an MFA factor](https://auth0.com/docs/multifactor-authentication/factors/email) in the New Universal Login Experience. https://auth0.com/changelog#5JP8EDX3hTL4h017okwrEw Thu, 23 May 2019 00:00:00 GMT We've added a way to [enable clickjacking protection](https://auth0.com/docs/migrations/guides/clickjacking-protection) in Classic Universal Login. https://auth0.com/changelog#3vDiJUpCJ4yQeJV7jd7rof Thu, 23 May 2019 00:00:00 GMT We've added a way to [enable clickjacking protection](https://auth0.com/docs/migrations/guides/clickjacking-protection) in Classic Universal Login. https://auth0.com/changelog#4KlI5qPOIcacyqbQQTTEpu Tue, 07 May 2019 00:00:00 GMT Select user profile attributes may now be updated, thereby eliminating reliance on user_metadata for those fields. In addition, we've made importing users easier by allowing hashed passwords, user ID, and blocked status to be imported. For additional information, you can read more in the User Documentation for [Updatable Profile Attributes](https://auth0.com/docs/users/normalized/auth0/update-root-attributes) and [Bulk Import](https://auth0.com/docs/users/guides/bulk-user-imports). https://auth0.com/changelog#13T0Rel2rhBOSOaNbZ22YE Tue, 07 May 2019 00:00:00 GMT We've added support to configure the default tenant login URI and the Application Login URI in the dashboard.[Learn more](https://auth0.com/docs/universal-login/default-login-url). https://auth0.com/changelog#5cTMFOH2aHTI7KNrrEoF2A Tue, 07 May 2019 00:00:00 GMT We've added a [new API endpoint](https://auth0.com/docs/api/management/v2#!/Users/post_invalidate_remember_browser) to let you force MFA the next time a specific user logs in. https://auth0.com/changelog#3DZYVnbGnD2Kn4RsfstRfm Tue, 23 Apr 2019 00:00:00 GMT We've added encrypted secrets support to the Bitbucket Deployments extension, Github Deployments Extension, the Gitlab Deployments extension, and the Visual Studio Team Services Deployments extension. You can take advantage of encrypted secrets support by upgrading your extensions via the Auth0 Dashboard. For more information on how to utilize encrypted secrets, please see the extension documentation: - [Bitbucket Deployments Extension](https://auth0.com/docs/extensions/bitbucket-deploy#encrypt-secrets)- [Github Deployments Extension](https://auth0.com/docs/extensions/github-deploy#encrypt-secrets)- [Gitlab Deployments Extension](https://auth0.com/docs/extensions/gitlab-deploy#encrypt-secrets)- [Visual Studio Team Services Deployments Extension](https://auth0.com/docs/extensions/visual-studio-team-services-deploy#encrypt-secrets) https://auth0.com/changelog#lDCMsA2bY1FXSoOfNltOH Tue, 23 Apr 2019 00:00:00 GMT We've added support for custom domain names to the Delegated Admininistration extension and the SSO Dashboard extension. You can take advantage of custom domain support by upgrading your extensions via the Auth0 Dashboard. For more information on how to utilize custom domain names, please see the extension documentation: - [SSO Dashboard](https://auth0.com/docs/extensions/sso-dashboard#install-the-extension)- [Delegated Administration](https://auth0.com/docs/extensions/delegated-admin/v3#install-and-configure-the-extension) https://auth0.com/changelog#le2UeKIG85ysUhhexnRV8 Tue, 23 Apr 2019 00:00:00 GMT We've added ES9 linting support to the Rules editor. The Rules web editor now supports linting in ECMAScript 9 syntax when used with Node.js 8. https://auth0.com/changelog#5VDhvslAWfpvK8593SmWRn Mon, 08 Apr 2019 00:00:00 GMT We've added more granularity to the M2M reports. Now a daily view of calls per application, for the last 7 days in Machine to Machine quota reports is available. This is reflected in the Support Center's [quota](https://support.auth0.com/reports/quota) reports. https://auth0.com/changelog#7JnJ5wz2k42g9cHhxhCx4p Tue, 19 Mar 2019 00:00:00 GMT We've added support to use Azure AD + MS Graph for Microsoft Social connections. [Learn more](https://auth0.com/docs/migrations/guides/liveid-api-deprecation). https://auth0.com/changelog#1LoIe7Uy6W6QjmNXXyBOGE Mon, 18 Mar 2019 00:00:00 GMT We've have added roles and permissions to the core capabilities of Auth0. In authorization, a user or application is granted access to an API after the API determines the extent of the permissions that it should assign. Usually, authorization occurs after identity is successfully validated through authentication so that the API has some idea of what sort of access it should grant. More information is available in the updated [documentation](https://auth0.com/docs/authorization). https://auth0.com/changelog#5iYlUVVSOGcCiIsrAvW0N4 Tue, 12 Mar 2019 00:00:00 GMT We've enhanced Auth0 rules so that they can now leverage the MFA context stored in the user session to trigger or suppress MFA prompts in conjunction with silent authentication. Many organizations want to use silent authentication in conjunction with MFA whereby the end-user is prompted for MFA during the initial authentication, but not prompted for MFA when renewing tokens during the session lifetime. With MFA context now available in rules, you can check to see if MFA was previously completed (and when), thereby enabling a superior and secure MFA + silent authentication experience for end-users. More information is available in the updated [documentation](https://auth0.com/docs/rules/references/context-object), the sample rule available in the [Auth0 dashboard](https://manage.auth0.com/#/rules/create), and in the [Auth0 Support Center](https://support.auth0.com/notifications/5c88930bb69adf000bded51c) https://auth0.com/changelog#JcKp1uMUV3hpDWP88mHyz Wed, 27 Feb 2019 00:00:00 GMT We've extended Auth0 session limits for Enterprise subscribers. Enterprise subscribers are now able to set longer session limits with up to 100 days for Inactivity Timeout (idle_session_lifetime) and 365 days for Forced Logout (session_lifetime). More information is available in the updated [documentation](https://auth0.com/docs/sso/current/configure-session-lifetime-limits) and in the [Support Center](https://support.auth0.com/)</> https://auth0.com/changelog#mdwP6lKiEUEt99vaK2Yzk Mon, 25 Feb 2019 00:00:00 GMT Fixed error handling in Dashboard’s Logs Search. Also fixed search hint and added link to [Query Syntax doc](https://docs.auth0.com/logs/query-syntax). https://auth0.com/changelog#7HII1tcM2i8b5A6W4orv1d Fri, 15 Feb 2019 00:00:00 GMT We've added support to use LinkedIn API v2 to authenticate. [Learn more](https://auth0.com/docs/migrations/guides/linkedin-api-deprecation). https://auth0.com/changelog#2hHMzJjVKLrW4ITTXMW8Br Thu, 24 Jan 2019 00:00:00 GMT Fixed quota utilization report for Private SaaS Employees in Support Center. Previously employees were included on the Enterprise or Regular active users reports, with this fix the Private SaaS employees usage will be accessible on the Employees report as expected. This is reflected in the Support Center's [quota](https://support.auth0.com/reports/quota) reports and will provide usage for appliances that are upgraded to version 1901 https://auth0.com/changelog#33FfuYdPecepTeBFdxaM4q Thu, 03 Jan 2019 00:00:00 GMT We added a way to specify the default login URL for applications and tenants. Auth0 will use when it needs to redirect to them. More details in the [docs](https://auth0.com/docs/hosted-pages/default-login-url). https://auth0.com/changelog#7h50tfy1d017GEIXpIGdzh Mon, 03 Dec 2018 00:00:00 GMT We've updated the Multi-factor Authentication section in the Dashboard. For more details check [our post in Auth0 Community](https://community.auth0.com/t/improvements-in-the-dashboard-mfa-section/18398), and [our public Docs](https://auth0.com/docs/multifactor-authentication). https://auth0.com/changelog#4XtTy4P6vTUL8YQODK8fUT Fri, 26 Oct 2018 00:00:00 GMT Version 2 of the Deploy CLI has been released! For complete details please see the [Deploy CLI README](https://github.com/auth0/auth0-deploy-cli#whats-new-in-version-2). You can upgrade to this version by installing via npm: `npm i -g auth0-deploy-cli@2`. The Deploy CLI tool and Deployment Extensions were updated to provided the following functionality. - Added YAML support- Added support for export (deprecation of separate auth0 dump tool)- Delete support - The tool will, if configured via `AUTH0_ALLOW_DELETE`, delete objects if they do not exist within the deploy configuration.- Support for additional Auth0 objects - Connections including Social, Enterprise and Passwordless configurations. - Improved support for database connections and associated configuration. - Email Templates - Email Provider - Client Grants - Rule Configs - Better support for pages - Tenant level settings - Added support to be called programmatically- Improved logging- To simplify the tool the slack hook was removed. You can invoke the tool programmatically to support calling your own hooks- Support referencing clients by their name vs client_id (automatic mapping during export/import)- Simplified to support future Auth0 object types https://auth0.com/changelog#wgb4j21tc8Kr8whnCZ6uw Wed, 24 Oct 2018 00:00:00 GMT We’ve updated our ticketing backend system in order to provide a better support experience to our customers. Although this is an internal migration, you may notice some minor changes in [Support Center](https://support.auth0.com): - We've changed the numbering scheme of the support tickets and they are now 8 digits long.- We assigned new IDs to the existing tickets, which may affect any email notification related to your open tickets. You will still be able to find your existing tickets by their original ID in the Support Center's [Tickets List](https://support.auth0.com/tickets) page.- Any link to an existing ticket in Support Center will continue to work and will redirect you to the new URL.- We’ve renamed the `open` ticket status to `in progress`.- We’ve renamed the `solved` ticket status to `resolved`.- We’ve renamed the `hold` ticket status to `customer hold`.- We’ve added a new `with sustainment` status to provide visibility whenever the Auth0 Sustainment Engineering team is working on your case.- The attachments that you may add to tickets and comments will be effectively uploaded **after** you submit the ticket or comment. Any error that may occur during the upload will require you to retry the upload by submitting a new comment.- When selecting a file to upload we now validate its size is less than 15Mb, it doesn’t contain invalid characters in its name and it has at least one of the following extensions: `bmp, csv, doc, docx, gz, gif, har, jpg, jpeg, json, mp4, mov, pages, pdf, png, ppt, pptx, rar, tar, tiff, tif, txt, xls, xlsx, xml, zip, htm, html`.- We now show **Auth0 Developer Support** as signature of any comment coming from the Auth0 Support Team, instead of showing the agent's name. If you have any feedback, it will be welcomed in our [Feedback page](https://auth0.com/feedback). https://auth0.com/changelog#7ixY8bdnUPN8aeZ1vh1Nb6 Wed, 03 Oct 2018 00:00:00 GMT We've made password policies more flexible by enabling the minimum length (number of required characters) to be set independently from other complexity options. Password policies can now require a greater number of characters (from 1-128) without requiring special or mixed-case characters. A common use-case is implementing pass phrases that have no special character requirements, where end-users can provide a series of words that are easy for them to remember, but difficult for hackers to guess. The National Institute of Standards and Technology (NIST) recommends that [password length is a greater indicator of over-all strength](https://auth0.com/blog/dont-pass-on-the-new-nist-password-guidelines/) than requiring numbers and special characters. Using the new minimum password length option, password policies can be configured to leverage extremely strong, high-entropy pass phrases that are easier for end-users to remember. More information is available in the updated [documentation](https://auth0.com/docs/connections/database/password-strength) and in the [Support Center](https://support.auth0.com/notifications/5bb51faa6d4855000abbd6ca)</> https://auth0.com/changelog#2qi9OnhmxZ8iGAX3vbMmaU Tue, 04 Sep 2018 00:00:00 GMT Additional connection information available in rule's context. Previously only connection name and strategy were available in the rule’s context object. Now it is also possible to access **connectionID**, **connectionMetadata** and two of the **connectionOptions**, **tenant_domain** and **domain_aliases**, *without* calling Management API to get the connection details. More details on the context schema can be found in the [Rules docs](https://auth0.com/docs/rules/current/context). We've also updated the [Check user email domain matches domains configured in connection](https://github.com/auth0/rules/blob/master/src/rules/check-domains-against-connection-aliases.js) rule template to make use of these enhancements.</> https://auth0.com/changelog#AYZMDUG90WEKRlLDoXsyd Thu, 23 Aug 2018 00:00:00 GMT Simplified SSO and provided additional configuration Added Seamless Single Sign-On support by eliminating the unnecessary confirmation dialog for people with an active session. In addition, we've added control over the Inactivity timeout length and consolidated all of the SSO session controls on the advanced tenant settings page. More details in the [SSO docs](https://auth0.com/docs/sso/current). https://auth0.com/changelog#67MtexJLgngCzy2SrIsDe4 Wed, 15 Aug 2018 00:00:00 GMT Changed the ticket categorization on the ticket creation form. For the purpose of improving the way we capture the information on the ticket we have made some changes to the ticket creation form. You can view the new changes in the [open ticket page](https://support.auth0.com/tickets/new). https://auth0.com/changelog#5V2bx4WCCvVOMTucYnh1xH Mon, 13 Aug 2018 00:00:00 GMT Changed how we count active users. Previously we counted each Active User that logged into each client/application in a tenant. If your tenant had App A and App B, and one user logged into both apps, that would count as two Active Users. Moving forward we will count per Active User within a tenant and no longer count per client/application. If your tenant has App A and App B and one user logs into both apps, they will be counted as one Active User. This is reflected in the Support Center's [quota](https://support.auth0.com/reports/quota) and [usage](https://support.auth0.com/reports/usage) reports, in the [Auth0 Pricing Page](https://auth0.com/pricing) and the [Management Dashboard Subscriptions Section](https://manage.auth0.com/#/tenant/billing/subscription). More info can be found on our [docs](https://auth0.com/docs/policies/billing). https://auth0.com/changelog#UEbEbmQEYQN8AWO4ipoel Thu, 12 Jul 2018 00:00:00 GMT Version 3 of the Delegated Administration Extension was released. For complete details please see the [Delegated Admin docs](https://auth0.com/docs/extensions/delegated-admin/v3). You can upgrade to this version by visiting the Extensions section in the Manage Dashboard. No configuration changes are anticipated to be required for the upgrade. https://auth0.com/changelog#4IGN6WFUkuvTa91k5gtoiL Thu, 28 Jun 2018 00:00:00 GMT Improved Dashboard UX for Machine to Machine Applications. More details in the [Machine to Machine docs](https://auth0.com/docs//applications/machine-to-machine). https://auth0.com/changelog#69wIkaMWvuUJZXbHJcURWK Fri, 22 Jun 2018 00:00:00 GMT Improved Quickstarts Download Page. https://auth0.com/changelog#1mnaZBip1Iqjmzwqet7Quf Wed, 23 May 2018 00:00:00 GMT Implemented a new MFA API. Embed Multi-Factor Authentication using push notifications, SMS, or TOTP anywhere, taking full control of the experience. More details in the blog: [https://auth0.com/blog/introducing-the-mfa-api](https://auth0.com/blog/introducing-the-mfa-api/). https://auth0.com/changelog#5vLweKGmLC9aKtYnsceVxm Fri, 11 May 2018 00:00:00 GMT Implemented support for Passwordless connections, AP/LDAP connections and WS-Fed clients in Custom Domains. Here is the [list of features supported by Custom Domains>](https://auth0.com/docs/custom-domains#features-supporting-use-of-custom-domains) https://auth0.com/changelog#5nYBZFH48s77U0ImTsn5ZH Wed, 02 May 2018 00:00:00 GMT Enabled self-service customers to pay for Machine to Machine applications. Previously it was a feature only available to Enterprise users. This is reflected in the [Auth0 Pricing Pages](https://auth0.com/pricing) and in the [Management Dashboard Subscriptions Sections](https://manage.auth0.com/#/tenant/billing/subscription). https://auth0.com/changelog#t7Pmf8AfC2XNgVnjPDBVg Fri, 13 Apr 2018 00:00:00 GMT Renamed the term Clients to Applications. This change is reflected throughout the Dashboard and documentation only and does not require any changes on your part. https://auth0.com/changelog#6suJjfJrDuEGQ0mtdAHJsY Thu, 22 Mar 2018 00:00:00 GMT Added the ability to define Custom Domains for your Auth0 tenant. More details in the blog [https://auth0.com/blog/introducing-custom-domains-preview-with-auth0](https://auth0.com/blog/introducing-custom-domains-preview-with-auth0). https://auth0.com/changelog#NT7GUOVDVl1lAESSsYxCy Fri, 26 Jan 2018 00:00:00 GMT A new Auth0 Spring Security API SDK is now available to help you secure your API using JSON Web Tokens. See the [changelog entry](https://github.com/auth0/auth0-spring-security-api/blob/master/CHANGELOG.md#100-2018-01-26) for more information. https://auth0.com/changelog#1F2XpkdqMYnHbeMgzul3HX Thu, 18 Jan 2018 00:00:00 GMT wp-auth0 - Updated to support Lock 11 and RS256 JWT. See the [changelog entry](https://github.com/auth0/wp-auth0/blob/master/CHANGELOG.md#340-2018-01-08) for more information. https://auth0.com/changelog#1Biw6FkwNRMjXaqcUAZ9Q3 Fri, 05 Jan 2018 00:00:00 GMT Improved Credentials Manager, deprecated touch method and replaced with bio authentication method for clarity. See the [changelog entry](https://github.com/auth0/Auth0.swift/blob/master/CHANGELOG.md#1100-2018-01-05) for more information. https://auth0.com/changelog#7iyikO99Wty0VGPh7pyXbb Thu, 21 Dec 2017 00:00:00 GMT Updated to use auth0.js v9.0.0 and the new API endpoints. Changed the default `scope` to be `openid profile email`. Removed `oidcConformant` flag (Lock won't use legacy endpoints anymore). `getProfile` now uses an access_token instead of an id_token. **Lock v11 is not supported in centralized login scenarios (i.e. Hosted Login Pages).** See the [changelog entry](https://github.com/auth0/lock/blob/master/CHANGELOG.md#v1100-2017-12-21) for more information. https://auth0.com/changelog#4mybnPqKkGlkHyXg4SuO5 Thu, 21 Dec 2017 00:00:00 GMT Auth0.js v9 uses our latest embedded login API. This version removes API calls to `usernamepassword/login` and `user/ssodata` and is not supported in centralized login scenarios (i.e. Hosted Login Pages). Some methods now use a mix of Cross Origin Authentication and `WebAuth.checkSession` (with Web Origins response mode). Read more about Cross Origin Authentication and how to enable Web Origins [here](https://auth0.com/docs/cross-origin-authentication). See the [changelog entry](https://github.com/auth0/auth0.js/blob/master/CHANGELOG.md#v900-2017-12-21) for more information. https://auth0.com/changelog#24MQOTmA33MN69ICcfbkcE Thu, 30 Nov 2017 00:00:00 GMT The Auth0-Java SDK adds support for the new users-by-email endpoint. It also allows to set a custom user id when creating a new user using the Management API, and includes a change in the Authentication API Sign Up methods' returned value that someone might find breaking. This change was required in order to return the just created user's information. See the [changelog entry](https://github.com/auth0/auth0-java/blob/master/CHANGELOG.md#140-2017-11-30) for more information. https://auth0.com/changelog#2bizZamCMDOQyjZPxtct5t Fri, 17 Nov 2017 00:00:00 GMT The Auth0.Android SDK adds support for TLS 1.2. See the [changelog entry](https://github.com/auth0/Auth0.Android/blob/master/CHANGELOG.md#1120-2017-11-17) for more information. https://auth0.com/changelog#6TIEfQEAdOSFIW083FCZJY Mon, 13 Nov 2017 00:00:00 GMT Updated to use auth0.js v8.11. Updated to use auth0.js token validation functions. See the [changelog entry](https://github.com/auth0/lock/blob/v10/CHANGELOG.md#v10240-2017-11-08) for more information. https://auth0.com/changelog#21NNzGiGjMPdXHBcjkwnpg Fri, 10 Nov 2017 00:00:00 GMT Version 0.3.0 of jwks-rsa-java has been released, where JWKs parameters 'key_ops' and 'alg' are now parsed according to the [specification](https://tools.ietf.org/html/rfc7517). https://auth0.com/changelog#ALKAPhR4voiCnDTdYIfsS Thu, 09 Nov 2017 00:00:00 GMT Security Improvements: - Fixed an issue where state would not be automatically checked in some scenarios- Forced id_token validation for RS256-signed id_tokens- Use /userinfo to get id_token payload for HS256-signed id_tokens See the [changelog entry](https://github.com/auth0/auth0.js/blob/v8/CHANGELOG.md#v8110-2017-11-07) for more information. https://auth0.com/changelog#7p1f2ZBZHQPh6o9xnlrQvI Mon, 06 Nov 2017 00:00:00 GMT The Java-JWT SDK fixes an issue affecting the length and format of the signatures produced by the Elliptic Curve Digital Signature Algorithm. See the [changelog entry](https://github.com/auth0/java-jwt/blob/master/CHANGELOG.md#330-2017-11-06) for more information. https://auth0.com/changelog#3uKX5Jvab84ogFxrmmKhPT Thu, 19 Oct 2017 00:00:00 GMT Lock for Android fixes navigation issues on non-touchscreen devices and adds support for right-to-left languages. See the [changelog entry](https://github.com/auth0/Lock.Android/blob/master/CHANGELOG.md#280-2017-10-19) for more information. https://auth0.com/changelog#6bdrVZzbi4CXijH341zb2F Thu, 19 Oct 2017 00:00:00 GMT Auth0.swift - Added SFAuthenticationSession support for iOS 11. See the [changelog entry](https://github.com/auth0/Auth0.swift/blob/master/CHANGELOG.md#190-2017-10-19) for more information. https://auth0.com/changelog#4mkc6mu2MGXqfwCxaGs4uf Wed, 18 Oct 2017 00:00:00 GMT The Auth0.Android SDK adds a new and more secure Credential Manager implementation that uses encryption, available for devices running Android Lollipop and above. This release also allows users to customize the Custom Tabs UI by changing the toolbar color and page title visibility from the WebAuthProvider builder. See the [changelog entry](https://github.com/auth0/Auth0.Android/blob/1.11.0/CHANGELOG.md#1110-2017-10-17) for more information. https://auth0.com/changelog#79W9RYRMadDbOIH7dpO8CB Thu, 05 Oct 2017 00:00:00 GMT The Auth0.Android SDK fixes a few bugs in the authentication flow and activity state when using Chrome Custom Tabs. See the [changelog entry](https://github.com/auth0/Auth0.Android/blob/1.11.0/CHANGELOG.md#1101-2017-10-05) for more information. https://auth0.com/changelog#57h516YpUjt0E1mW6BtN4 Thu, 05 Oct 2017 00:00:00 GMT wp-auth0 - Fixed implicit mode in auto login and improved handling of auto login configuration. Added translation support for more user facing exception messages. See the [changelog entry](https://github.com/auth0/wp-auth0/blob/master/CHANGELOG.md#332-2017-10-05) for more information. https://auth0.com/changelog#596Gi4SzHlUVrVsZ6NuxMv Wed, 27 Sep 2017 00:00:00 GMT JWTDecode.swift - Added Xcode 9 compatibility. See the [changelog entry](https://github.com/auth0/JWTDecode.swift/blob/master/CHANGELOG.md#210-2017-09-27) for more information. https://auth0.com/changelog#2vD6qgXX5Xeo5oSzyThfzw Tue, 26 Sep 2017 00:00:00 GMT Adding support for OIDC Conformant clients using Cross Origin Authentication. See the [changelog entry](https://github.com/auth0/lock/blob/master/CHANGELOG.md#v10220-2017-09-26) for more information. https://auth0.com/changelog#5OhPzat5WTdkswpcRnZSoQ Thu, 21 Sep 2017 00:00:00 GMT Small UI fixes and improvements with the `connectionResolver` feature. See the [changelog entry](https://github.com/auth0/lock/blob/master/CHANGELOG.md#v10210-2017-09-21) for more information. https://auth0.com/changelog#J6gFiBNEvpBvqetV6aMSc Wed, 20 Sep 2017 00:00:00 GMT Lock.swift - Added Xcode 9 compatibility, various fixes to the database SignUp process. See the [changelog entry](https://github.com/auth0/Lock.swift/blob/master/CHANGELOG.md#240-2017-09-20) for more information. https://auth0.com/changelog#VKA0eerBIuqFm9hCY7Dky Mon, 18 Sep 2017 00:00:00 GMT Fixed tenant override in popup mode. Also fixed the timeout override when using the `renewAuth` method. See the [changelog entry](https://github.com/auth0/auth0.js/blob/master/CHANGELOG.md#v8100-2017-09-18) for more information. https://auth0.com/changelog#7xvGwtVE0jx4mRpJnmW9CP Mon, 18 Sep 2017 00:00:00 GMT Added the ability to set the user_id during user creation using the User Management API. For more information, check [our documentation](https://auth0.com/docs/api/management/v2#!/Users/post_users). https://auth0.com/changelog#5lEtFVeQW0nosF3VO4YvrL Fri, 15 Sep 2017 00:00:00 GMT Auth0.swift - Added Xcode 9 support. See the [changelog entry](https://github.com/auth0/Auth0.swift/blob/master/CHANGELOG.md#180-2017-09-15) for more information. https://auth0.com/changelog#6DcNKvTnO6JBK1dg8A499I Fri, 08 Sep 2017 00:00:00 GMT The Auth0-Java SDK adds support for the Management API Grants entity. See the [changelog entry](https://github.com/auth0/auth0-java/blob/master/CHANGELOG.md#130-2017-09-08) for more information. https://auth0.com/changelog#6HnBVu2BEK0Zmx99qGdWJL Wed, 23 Aug 2017 00:00:00 GMT New clients created in the dashboard will default to OIDC Conformant. The full list of changes this implies can be found [here](https://auth0.com/docs/api-auth/tutorials/adoption/oidc-conformant). https://auth0.com/changelog#5S2Y9FHduTrjy9QwXrHCtc Fri, 11 Aug 2017 00:00:00 GMT Fixed allowed Regular Expression for usernames. Also fixed custom themes for custom connections along with some UI improvements. See the [changelog entry](https://github.com/auth0/lock/blob/master/CHANGELOG.md#v10200-2017-08-11) for more information. https://auth0.com/changelog#6RFNGVrOZQwySXGIAfPWOA Thu, 10 Aug 2017 00:00:00 GMT Fixed snake casing `app_metadata` and `user_metadata` on sign up. See the [changelog entry](https://github.com/auth0/auth0.js/blob/master/CHANGELOG.md#v890-2017-08-10) for more information. https://auth0.com/changelog#3flSCjO0grdGedIeC2noJB Thu, 10 Aug 2017 00:00:00 GMT Added Cross Origin Authentication support to Passwordless connections. See the [changelog entry](https://github.com/auth0/auth0.js/blob/master/CHANGELOG.md#v890-2017-08-10) for more information. https://auth0.com/changelog#2cX9Sl009oRbmTAXkmBGvp Tue, 08 Aug 2017 00:00:00 GMT Added the ability to set the primary user in rules using `context.primaryUser`. Check [our documentation](https://auth0.com/docs/link-accounts#automatic-account-linking) for more information. https://auth0.com/changelog#7qTtVJovUuyi0yheOwuxZu Tue, 01 Aug 2017 00:00:00 GMT The [DELETE client grants endpoint](https://auth0.com/docs/api/management/v2#!/Grants/delete_grants_by_id) now allows to delete all grants for a given user by specifing the query string parameter `user_id`. https://auth0.com/changelog#DtYoxMKjuEN8ICawhllEi Thu, 20 Jul 2017 00:00:00 GMT Now the 'Use Auth0 for SSO' flag under Client Settings is disabled for OIDC Conformant clients. https://auth0.com/changelog#1XndI3VjF7uy47RGQc6jpu Wed, 19 Jul 2017 00:00:00 GMT The Auth0.Android SDK now makes use of 'Android Manifest Placeholders' to define the Domain and Scheme values required to automatically capture a Web Authentication result. See the [changelog entry](https://github.com/auth0/Auth0.Android/blob/master/CHANGELOG.md#1100-2017-07-19) for more information. https://auth0.com/changelog#5tjr67hMDsa1vepgmwRmQs Wed, 19 Jul 2017 00:00:00 GMT Lock for Android now makes use of 'Android Manifest Placeholders' to define the Domain and Scheme values required to automatically capture a Web Authentication result, like logging in using the Facebook connection. See the [changelog entry](https://github.com/auth0/Lock.Android/blob/master/CHANGELOG.md#270-2017-07-19) for more information. https://auth0.com/changelog#1eohyo5HZP5DcwdQ7mxR3s Tue, 18 Jul 2017 00:00:00 GMT Fixed an issue with the HRD input when using the back button. See the [changelog entry](https://github.com/auth0/lock/blob/master/CHANGELOG.md#v10190-2017-07-18) for more information. https://auth0.com/changelog#2E5PFxT0FRQO7zZ2IeRN1g Tue, 18 Jul 2017 00:00:00 GMT Added a new option called `connectionResolver`, which is used to resolve the desired connection on the fly instead of setting it beforehand. See the [changelog entry](https://github.com/auth0/lock/blob/master/CHANGELOG.md#v10190-2017-07-18) for more information. https://auth0.com/changelog#wqWdstcnDUAHzM2Dr0Dr9 Wed, 12 Jul 2017 00:00:00 GMT Lock for Android now features a 'show password' toggle button on the Password fields. See the [changelog entry](https://github.com/auth0/Lock.Android/blob/master/CHANGELOG.md#260-2017-07-12) for more information. https://auth0.com/changelog#1ZQvYWcqz35NY9QXpBr4XC Mon, 10 Jul 2017 00:00:00 GMT The Auth0.Android SDK will try to use Chrome Custom Tabs when possible. A helper class is included to easily manage Credentials. See the [changelog entry](https://github.com/auth0/Auth0.Android/blob/master/CHANGELOG.md#190-2017-07-10) for more information. https://auth0.com/changelog#3hPQcqMEvfb4Efln6bkdX5 Wed, 05 Jul 2017 00:00:00 GMT Fixed an issue where the ACR value was not being properly set when in a SAML context. https://auth0.com/changelog#41hlf8GmrAi0uUJKAjEt6V Fri, 30 Jun 2017 00:00:00 GMT MFA no longer incorrectly preventing brute-force anomaly detection count resets. https://auth0.com/changelog#5zxQlUHUbChZF9nkKxBdX1 Mon, 26 Jun 2017 00:00:00 GMT Auth0.swift - Added OIDC conformant UserInfo class and API method, added Touch ID validation for renewing credentials and added iOS 11 (Beta) support. See the [changelog entry](https://github.com/auth0/Auth0.swift/blob/master/CHANGELOG.md#170-2017-06-26) for more information. https://auth0.com/changelog#8b2pmuJILTRo9csGjDPML Fri, 23 Jun 2017 00:00:00 GMT Added more analytics events and also added a new option that enables a button that shows or obfuscates the password. See the [changelog entry](https://github.com/auth0/lock/blob/master/CHANGELOG.md#v10180-2017-06-23) for more information. https://auth0.com/changelog#7zi0IhKMF8KmzNCQwLh0fZ Fri, 23 Jun 2017 00:00:00 GMT Fixed an issue with Internet Explorer 11's autocomplete. Also fixed `connection_scope` not being passed to the authorize page. See the [changelog entry](https://github.com/auth0/lock/blob/master/CHANGELOG.md#v10180-2017-06-23) for more information. https://auth0.com/changelog#5jKU8RiPAB7yN3wlGW2L61 Thu, 22 Jun 2017 00:00:00 GMT Fixed an issue where the user was being asked to perform MFA despite having clicked the 'Remember Me' checkbox. https://auth0.com/changelog#6e3UdJdxm3iQabI0mgefsw Tue, 20 Jun 2017 00:00:00 GMT Fixed an issue with Passwordless connection inside the Hosted Login Page. See the [changelog entry](https://github.com/auth0/auth0.js/blob/master/CHANGELOG.md#v880-2017-06-20) for more information. https://auth0.com/changelog#36VsXRPJQ5nW9shYon0sqe Sun, 18 Jun 2017 00:00:00 GMT The [GET client grants endpoint](https://auth0.com/docs/api/management/v2#!/Grants/get_grants) now allows filtering by client id using the query string parameter `client_id`. https://auth0.com/changelog#2IJmLDLa70ssvclrwoQWo2 Wed, 14 Jun 2017 00:00:00 GMT Started emiting an `authorization_error` when username / password fails. Also fixed a few UI issues on mobile and some options overrides not being passed to auth0.js. See the [changelog entry](https://github.com/auth0/lock/blob/master/CHANGELOG.md#v10170-2017-06-14) for more information. https://auth0.com/changelog#53DUBvrS7zC4acRI7ykpIB Wed, 14 Jun 2017 00:00:00 GMT Added support for html formatting when using the `flashMessage` option. Also added a new option `allowAutoComplete` that enables the `autocomplete` html5 attribute in the username input. See the [changelog entry](https://github.com/auth0/lock/blob/master/CHANGELOG.md#v10170-2017-06-14) for more information. https://auth0.com/changelog#30vhxIeStoGKpQvJbVsl2H Tue, 06 Jun 2017 00:00:00 GMT Auth0.swift - Added Credentials Manager utility for secure management of tokens. Updated compatibility for Xcode 8.3 See the [changelog entry](https://github.com/auth0/Auth0.swift/blob/master/CHANGELOG.md#160-2017-06-06) for more information. https://auth0.com/changelog#fE33HOiVduVFj7GfHiiTp Tue, 06 Jun 2017 00:00:00 GMT Lock.swift - Added 1Password support for database connections. Greatly expanded Lock customization options. See the [changelog entry](https://github.com/auth0/Lock.swift/blob/master/CHANGELOG.md#230-2017-06-06) for more information. https://auth0.com/changelog#LpowqoIITizk8oVU9Xdkd Tue, 06 Jun 2017 00:00:00 GMT Added a new `client.grant_types` property to Auth0 Clients. With this change, Auth0 will restrict authentication and authorization flows based on the grant types associated with each client. All existing clients have been updated with all grant types for backward compatibility. New clients will be created with certain default grant types based on whether it is a public or confidential client (based on the `token_endpoint_auth_method` property). See [our documentation](https://auth0.com/docs/clients/client-grant-types) for more information. https://auth0.com/changelog#6PRsfS65aAvwLE7pOIVbgc Mon, 29 May 2017 00:00:00 GMT - Added support to query by identifier on `PATCH / GET / DELETE api/v2/resource-servers` endpoints.- Added pagination to `GET api/v2/clients` endpoint. https://auth0.com/changelog#2x39hgCgyRO1ehIznoPFju Mon, 29 May 2017 00:00:00 GMT Removed `client.resource_servers` from documented sample response. https://auth0.com/changelog#76fGNciFXvD7KLCxjz2nXn Wed, 24 May 2017 00:00:00 GMT Published new SDK for Java ([auth0-java-mvc-common](https://github.com/auth0/auth0-java-mvc-common)) to simplify the web authentication from Java MVC applications using either Code Grant or Implicit Grant. Supports HS256, and RS256 algorithms with optional Public Key Rotation. See the [changelog entry](https://github.com/auth0/auth0-java-mvc-common/blob/master/CHANGELOG.md#100-2017-05-24) for more information. https://auth0.com/changelog#3waYN2OiErE48BpXMe760z Wed, 24 May 2017 00:00:00 GMT The Java [Spring Security MVC](https://github.com/auth0/auth0-spring-security-mvc) SDK has been deprecated and will no longer be maintained. Development will continue on the [auth0-java-mvc-common](https://github.com/auth0/auth0-java-mvc-common) SDK. https://auth0.com/changelog#14sqxyvF1iuplVRCT0K5X9 Wed, 24 May 2017 00:00:00 GMT The Java [Spring MVC](https://github.com/auth0/auth0-spring-mvc) SDK has been deprecated and will no longer be maintained. Development will continue on the [auth0-java-mvc-common](https://github.com/auth0/auth0-java-mvc-common) SDK. https://auth0.com/changelog#2m9MVoIfgnhHTzKOYEMMmD Wed, 24 May 2017 00:00:00 GMT Added option `postMessageType` to filter iframe events in order to prevent incorrect events triggering the `renewAuth` callback. Also added support for Cross Origin Authentication. See the [changelog entry](https://github.com/auth0/auth0.js/blob/master/CHANGELOG.md#v870-2017-05-24) for more information. https://auth0.com/changelog#7L2CIew8XPwjWC7UBFvLxp Wed, 24 May 2017 00:00:00 GMT The Java [Servlet](https://github.com/auth0/auth0-servlet) SDK has been deprecated and will no longer be maintained. Development will continue on the [auth0-java-mvc-common](https://github.com/auth0/auth0-java-mvc-common) SDK. https://auth0.com/changelog#7nw4z5nCHK3SYWzcRmnnYj Wed, 24 May 2017 00:00:00 GMT Fixed some overriden options not being applied. Also fixed decoding babse64 strings with special characters. See the [changelog entry](https://github.com/auth0/auth0.js/blob/master/CHANGELOG.md#v870-2017-05-24) for more information. https://auth0.com/changelog#2ur1TVtITXgVBBgXvz0GXv Tue, 23 May 2017 00:00:00 GMT The Auth0-Java SDK adds support for the new OAuth 2.0 Renew and Revoke Token endpoints. The Guardian entity has also been improved. See the [changelog entry](https://github.com/auth0/auth0-java/blob/master/CHANGELOG.md#110-2017-05-23) for more information. https://auth0.com/changelog#4zfM1fDsGZmAkS7g7heIhB Thu, 11 May 2017 00:00:00 GMT - Officially dropped support for Microsoft’s Internet Explorer 10.- Fixed issue in the APIs section’s Test tab: changing languages in the code viewers now change the language properly.- Fixed visual issue with code editors backgrounds in the User Details section when using Chrome in Windows 10.- Fixed overflowing of text when users have huge strings without spaces or breaks in their External Attributes Object.- Fixed issue with Delete Account prompt showing a default domain name instead of the correct domain for that account.- Fixed issue with positioning for SAML connections list pagination controls.- Fixed issue when uploading custom logo in Tenant Settings section would crash the browser.- Fixed issue with users with special characters in their IDs that could not be seen in the dashboard.- Improved UI for User Identities in User Details: replaced the old JSON viewer for a better-looking code editor.- Fixed SAMLP default mappings example to avoid getting parsing errors by default.- Now the API section is displayed by default. https://auth0.com/changelog#436SSlqe3tmC4OX8CDEYco Tue, 09 May 2017 00:00:00 GMT New connection for PayPal Sandbox applications, it can be found in [Social Connections in dashboard](https://manage.auth0.com/#/connections/social) https://auth0.com/changelog#2OcNkUwwpUNvKdhVjD0EDV Mon, 08 May 2017 00:00:00 GMT The `postMessage` handler now supports parsing objects as well. See the [changelog entry](https://github.com/auth0/auth0.js/blob/master/CHANGELOG.md#v861-2017-05-08) for more information. https://auth0.com/changelog#2eQLEzzaMTtF4himCghKma Mon, 08 May 2017 00:00:00 GMT Fixed a few UI issues with long titles and error messages. See the [changelog entry](https://github.com/auth0/lock/blob/master/CHANGELOG.md#v10160-2017-05-08) for more information. https://auth0.com/changelog#HQbvgay115lniXMYgogXH Thu, 04 May 2017 00:00:00 GMT The Java-JWT SDK adds a 'Key Provider' interface to support dynamic RSA or ECDSA Keys, making easier the use of JWKs files for token verification. Long claims are also supported. From this release on, the JWT#decode static method will return a DecodedJWT object instead of a JWT object. See the [changelog entry](https://github.com/auth0/java-jwt/blob/master/CHANGELOG.md#320-2017-05-04) for more information. https://auth0.com/changelog#AvhhUSQNoxWE5ygTJ3xZB Thu, 27 Apr 2017 00:00:00 GMT The Auth0.Android SDK allows to revoke refresh_tokens. See the [changelog entry](https://github.com/auth0/Auth0.Android/blob/master/CHANGELOG.md#180-2017-04-27) for more information. https://auth0.com/changelog#1Aebdt7gk7D3ByyiCXGuTD Thu, 27 Apr 2017 00:00:00 GMT Lock for Android adds Paypal connection support and displays a Retry screen if it fails to load the Client settings. See the [changelog entry](https://github.com/auth0/Lock.Android/blob/master/CHANGELOG.md#250-2017-04-27) for more information. https://auth0.com/changelog#5ONrCFAwERXuJ46qdl1Uyn Tue, 25 Apr 2017 00:00:00 GMT Lock.swift - Added Passwordless SMS/Email connection support, paypal-sandbox connection support. See the [changelog entry](https://github.com/auth0/Lock.swift/blob/master/CHANGELOG.md#220-2017-04-25) for more information. https://auth0.com/changelog#2vTwLQCP18NkdbW7ducRsA Mon, 24 Apr 2017 00:00:00 GMT Added support for the paypal-sandbox strategy. See the [changelog entry](https://github.com/auth0/lock/blob/master/CHANGELOG.md#v10150-2017-04-24) for more information. https://auth0.com/changelog#SSjklontVNgpudXu9IoxO Mon, 24 Apr 2017 00:00:00 GMT Fixed an issue with `nonce` verification in the `renewAuth` method. See the [changelog entry](https://github.com/auth0/auth0.js/blob/master/CHANGELOG.md#v860-2017-04-24) for more information. https://auth0.com/changelog#0QfavkfjsKvzljx1yp62U Mon, 24 Apr 2017 00:00:00 GMT Fixed a few UI issues with mobile in landscape mode. See the [changelog entry](https://github.com/auth0/lock/blob/master/CHANGELOG.md#v10150-2017-04-24) for more information. https://auth0.com/changelog#5o3af4qfmRZYMJKuBuSiJe Wed, 12 Apr 2017 00:00:00 GMT Server-side resource-owner password flows that use brute-force detection can now prevent erroneous blocking scenarios by utilizing the 'auth0-forwarded-for' header. See the [documentation](https://auth0.com/docs/api-auth/tutorials/using-resource-owner-password-from-server-side) for more details. https://auth0.com/changelog#bJTX0xF2lHARhfa5qpUWu Thu, 06 Apr 2017 00:00:00 GMT The Auth0.Android SDK on the event of a Rule error while trying to authenticate will parse any rule-defined custom error message. See the [changelog entry](https://github.com/auth0/Auth0.Android/blob/master/CHANGELOG.md#170-2017-04-06) for more information. https://auth0.com/changelog#4c8eDC5ZTiooCwpcRGCOCH Wed, 05 Apr 2017 00:00:00 GMT - Fixed outdated link in Sharepoint SSO Integration tutorial page.- Improved error message in the [Email Templates section](https://manage.auth0.com/#/emails) when the `from` field is not properly filled.- Fixed UI for form validations so they don’t linger after a successful submission of the form.- Added `read:user_idp_tokens` to available scopes for the [Management API](https://manage.auth0.com/#/apis/management/scopes). https://auth0.com/changelog#5rEtxm7Dy4hMov4PEgJLBD Wed, 05 Apr 2017 00:00:00 GMT Added multifactor authentication capabilities to the oauth/token endpoint. See the [documentation](https://auth0.com/docs/api-auth/tutorials/multifactor-resource-owner-password) for more details. https://auth0.com/changelog#7pq08bmoKMXEA08qzBAXFO Mon, 27 Mar 2017 00:00:00 GMT Fixed an issue with the error handling callback. See the [changelog entry](https://github.com/auth0/auth0.js/blob/master/CHANGELOG.md#v850-2017-03-27) for more information. https://auth0.com/changelog#4eDyBwS9bsunWX2BwAvgf0 Mon, 27 Mar 2017 00:00:00 GMT Auth0.swift - Added method to check native authentication availability for IdP on device. See the [changelog entry](https://github.com/auth0/Auth0.swift/blob/master/CHANGELOG.md#150-2017-03-27) for more information. https://auth0.com/changelog#1ozHL7GQLzlsqmxLWNp3AI Mon, 27 Mar 2017 00:00:00 GMT Fixed a few UI inconsistencies with the username input. Also started disabling social buttons when terms were not accepted on sign up. See the [changelog entry](https://github.com/auth0/lock/blob/master/CHANGELOG.md#v10140-2017-03-27) for more information. https://auth0.com/changelog#24jn51hjOLblsPm3xxBL0L Thu, 16 Mar 2017 00:00:00 GMT Auth0.swift - Added scope support to the `renew` method. See the [changelog entry](https://github.com/auth0/Auth0.swift/blob/master/CHANGELOG.md#140-2017-03-16) for more information. https://auth0.com/changelog#1Ept09hs6IcN4YQxdu7Rvc Tue, 14 Mar 2017 00:00:00 GMT `user.last_password_reset` will now be set immediately when the user changes their password, instead of waiting for the next login. https://auth0.com/changelog#63VHFHoHiPoU1dpy3SQuOB Mon, 13 Mar 2017 00:00:00 GMT Fixed the error `Nonce does not match` when `state` option contains special characters. Also fixed popup authentication not being called with all the options. See the [changelog entry](https://github.com/auth0/auth0.js/blob/master/CHANGELOG.md#v840-2017-03-13) for more information. https://auth0.com/changelog#7fVCt4QiOr6OGPPKxUVu0C Mon, 13 Mar 2017 00:00:00 GMT Lock.swift - Added connection scope support for OAuth2 connections and added native authentication handler support. See the [changelog entry](https://github.com/auth0/Lock.swift/blob/master/CHANGELOG.md#210-2017-03-13) for more information. https://auth0.com/changelog#3QdsqvP6nIPWYh1ZzyReae Mon, 13 Mar 2017 00:00:00 GMT Auth0.swift - Added Connection Scopes to webAuth and creation of webAuth instances from authentication instances. See the [changelog entry](https://github.com/auth0/Auth0.swift/blob/master/CHANGELOG.md#130-2017-03-13) for more information. https://auth0.com/changelog#1x2T9bkfSlsLU0vNg0rugF Mon, 13 Mar 2017 00:00:00 GMT Added Evernote strategy. See the [changelog entry](https://github.com/auth0/lock/blob/master/CHANGELOG.md#v10130-2017-03-13) for more information. https://auth0.com/changelog#2zEKbRo2tiZWEGTJEqYcbC Mon, 13 Mar 2017 00:00:00 GMT Fixed an issue when parsing a url fragment and the `state` had special characters. Also fixed an issue with incorrect error messages. See the [changelog entry](https://github.com/auth0/lock/blob/master/CHANGELOG.md#v10130-2017-03-13) for more information. https://auth0.com/changelog#1Bg2PILcFmcdjf1T0okVo8 Fri, 10 Mar 2017 00:00:00 GMT - Added functionality to filter-as-you-type the tenant list in the tenant dropdown for tenant lists with more than 10 tenants in them.- Updated UI for the <app_metadata> and <user_metadata> properties, in the User Details section, to feature a full-featured editor with code folding.- Renamed the “Setup” button in SAMLP connections list to “Setup Instructions”.- Fixed a series of issues with dashboard invitees: - Prevent non-owners from entering the “create SSO Integrations” route. - Prevent non-owners from entering the Logs section. - Prevent non-owners from entering the account sub-sections (Admins, Payment, etc.). - Updated UI for Dashboard Admins to fix XSS vulnerability when deleting dashboard admins and relocated the row to add an admin to always be on top of the list to avoid scrolling in long lists.- Updated UI for User Details to account for long <name> and <username> properties by truncating them.- Added the possibility to save Sharepoint SSO Integrations <external URLs> as a comma-separated list to set multiple of them. https://auth0.com/changelog#4ygEjKWitbOd6kaOZtUkzi Wed, 08 Mar 2017 00:00:00 GMT Added support for `read:user` scope when using Github social connections https://auth0.com/changelog#5IDLA0wTW2KMtCUYmucC8H Mon, 06 Mar 2017 00:00:00 GMT Lock for Android Passwordless flow can now remember the identity of the last person who successfully signed in. See the [changelog entry](https://github.com/auth0/Lock.Android/blob/master/CHANGELOG.md#240-2017-03-06) for more information. https://auth0.com/changelog#3Z9CBBBLwUXUAAGcYrbpKN Fri, 03 Mar 2017 00:00:00 GMT Started sending `owp` param in popup mode. See the [changelog entry](https://github.com/auth0/lock/blob/master/CHANGELOG.md#v10122-2017-03-03) for more information. https://auth0.com/changelog#3oHkuqDO7Lzpws1ataQMEi Thu, 02 Mar 2017 00:00:00 GMT Added checkbox as a custom input type for the option `additionalSignUpFields`. See the [changelog entry](https://github.com/auth0/lock/blob/master/CHANGELOG.md#v10120-2017-03-02) for more information. https://auth0.com/changelog#30lJyxFFOmH4l57LBAQCJP Thu, 02 Mar 2017 00:00:00 GMT The Auth0.Android SDK adds the Management API's GET User Profile endpoint. See the [changelog entry](https://github.com/auth0/Auth0.Android/blob/master/CHANGELOG.md#160-2017-03-02) for more information. https://auth0.com/changelog#5gJQpmEhouExlFfrw5bjzM Thu, 02 Mar 2017 00:00:00 GMT Fixed a few UI issues. Started filtering parameters send to the /authorize endpoint. See the [changelog entry](https://github.com/auth0/lock/blob/master/CHANGELOG.md#v10120-2017-03-02) for more information. https://auth0.com/changelog#3GtY5uyrhXGxgjBBo6shbz Wed, 01 Mar 2017 00:00:00 GMT Added flag `_idTokenVerification` to disable `id_token` verification for legacy clients. See the [changelog entry](https://github.com/auth0/auth0.js/blob/master/CHANGELOG.md#v830-2017-03-01) for more information. https://auth0.com/changelog#7jOF9cBpfhifSnpffPt3bg Sat, 25 Feb 2017 00:00:00 GMT Updated the UI for the [API Explorer tab](https://manage.auth0.com/#/apis/management/explorer) to be able to configure the token expiration for the Management API. https://auth0.com/changelog#6ZV7r4UoAVYssLLJh8F7Zg Thu, 23 Feb 2017 00:00:00 GMT Rules will now run when calling `oauth/token` with `grant_type: password` or `grant_type: refresh_token`. For more information, check out [our documentation](https://auth0.com/docs/migrations#password-and-refresh-token-exchange-rules-migration-notice). https://auth0.com/changelog#2grhzfLAGKmZsm0pHghsZ4 Wed, 22 Feb 2017 00:00:00 GMT Guardian Authenticator for Android is now capable of scanning and managing any generic TOTP key. https://auth0.com/changelog#6yK1ShzEk9ZC2j1krnRwO2 Wed, 22 Feb 2017 00:00:00 GMT Added a new property <description> for Clients, a free-text field to describe the client’s purpose. https://auth0.com/changelog#5T6eRPCt0zoHhE76PE0L6H Thu, 16 Feb 2017 00:00:00 GMT Released new [Lock for iOS](https://github.com/auth0/Lock.swift) version written in Swift and [migration guide](https://github.com/auth0/Lock.swift/blob/master/MIGRATION.md) to help the transition. https://auth0.com/changelog#1uP3D8gNpzlCthFkpqeWFP Mon, 06 Feb 2017 00:00:00 GMT Auth0.swift - Added Native Authentication support and fixed support for OIDC conformant profiles. See the [changelog entry](https://github.com/auth0/Auth0.swift/blob/master/CHANGELOG.md#120-2017-02-06) for more information. https://auth0.com/changelog#yvl65jKqw4r2AmIsPrhau Mon, 30 Jan 2017 00:00:00 GMT Published new SDK for Java ([auth0-java](https://github.com/auth0/auth0-java)) that supports Authentication API OAuth 2.0 endpoints and most of the Management API entities. See the [changelog entry](https://github.com/auth0/auth0-java/blob/master/CHANGELOG.md#100-2017-01-30) for more information. https://auth0.com/changelog#4IMGDfh8hWnT6BOrwXPYDN Mon, 16 Jan 2017 00:00:00 GMT Added enhancements to SAML Single Logout to conform to the Single Logout Profile specification. With these enhancements, all SAML Service Providers you have configured for logout will be sent a `LogoutRequest` to the `logout.callback` URL you have configured in the SAML Add-on. If your Service Provider does not support Single Logout, you can set `logout.slo_enabled: false` in your SAML Add-on configuration. For more information, check out our [Logout documentation](https://auth0.com/docs/logout#saml-logout) and [SAML configuration documentation](https://auth0.com/docs/protocols/saml/saml-configuration#logout). https://auth0.com/changelog#1LvgsytzNl5xPC2wEic0aX Wed, 04 Jan 2017 00:00:00 GMT The Java-JWT SDK can now handle Array claims and return the Payload claims as a Map<String, Claim>. See the [changelog entry](https://github.com/auth0/java-jwt/blob/master/CHANGELOG.md#310-2017-01-04) for more information. https://auth0.com/changelog#5hCphzOLOLqQSWm2TZfZJL Tue, 03 Jan 2017 00:00:00 GMT Published [auth0.js v8](https://github.com/auth0/auth0.js/releases/tag/v8.0.0) and [migration guide](https://auth0.com/docs/libraries/auth0js/migration-guide) to help the transition. https://auth0.com/changelog#17f1Hzm81eCz8OVSppUpu5 Mon, 02 Jan 2017 00:00:00 GMT The Auth0.Android SDK adds a flag to decide if the API calls should be made using Open ID Connect conformant or Legacy endpoints. See the [changelog entry](https://github.com/auth0/Auth0.Android/blob/master/CHANGELOG.md#140-2017-01-02) for more information. https://auth0.com/changelog#6kIpGwbUIoxoEpxmnQs0an Mon, 02 Jan 2017 00:00:00 GMT Lock for Android now supports the use of custom URL schemes for Web Authentication. The Implicit Grant has been deprecated. See the [changelog entry](https://github.com/auth0/Lock.Android/blob/master/CHANGELOG.md#230-2017-01-02) for more information. https://auth0.com/changelog#6sFIAw92LzgjmwGsNbN7j2 Mon, 26 Dec 2016 00:00:00 GMT Consolidated brute-force detection into a single Shield. https://auth0.com/changelog#2hdJapu2VDbbQ8HZL8vORZ Fri, 16 Dec 2016 00:00:00 GMT Auth0.swift - Added support for `password-realm.grant_types` and `refresh_token.grant_types`. Additional smaller changes have been made to support OIDC. See the [changelog entry](https://github.com/auth0/Auth0.swift/blob/master/CHANGELOG.md#110-2016-12-16) for more information. https://auth0.com/changelog#56Ojb44IQPGefGl4Hdx4zT Mon, 12 Dec 2016 00:00:00 GMT The Auth0.Android SDK now supports sending audience value on Web Authentication. See the [changelog entry](https://github.com/auth0/Auth0.Android/blob/master/CHANGELOG.md#130-2016-12-12) for more information. https://auth0.com/changelog#5wXK1SXhNrsLLLKycjyxot Mon, 05 Dec 2016 00:00:00 GMT Published new Java SDK ([java-jwt](https://github.com/auth0/java-jwt)) for Json Web Tokens verification and signing. Supports HMAC, RSA and ECDSA algorithms. See the [changelog entry](https://github.com/auth0/java-jwt/blob/master/CHANGELOG.md#300-2016-12-05) for more information. https://auth0.com/changelog#3qdBLmJlyEoscNMOdk9owA Fri, 02 Dec 2016 00:00:00 GMT Added client flag to disable SSO (`sso_disabled`) which can be set using the Management API. When this flag is set to `true`, an Auth0 session will not be created for any authentication using that client. https://auth0.com/changelog#58vzTCYqbDRMXXPB8D0tt4 Fri, 02 Dec 2016 00:00:00 GMT It is now possible to pre-enroll users into Guardian via an enrollment email. See [here](https://auth0.com/docs/multifactor-authentication/administrator/guardian-enrollment-email) for more information. https://auth0.com/changelog#4oCMfFgpgxTLZAZjyKQRSf Thu, 01 Dec 2016 00:00:00 GMT Upgraded Auth0 hosted login page to Lock 10.7. https://auth0.com/changelog#19uyqbTn32jzx5eEiH3aTA Thu, 01 Dec 2016 00:00:00 GMT Added `expires_in` to oauth/token endpoint https://auth0.com/changelog#7gwjvtgcH4SvLosTA7qCNK Wed, 30 Nov 2016 00:00:00 GMT The Auth0.Android SDK prepares to conform with Open ID Connect and adds the /userinfo and /oauth/token endpoints. Multiple response_type values are supported as well. See the [changelog entry](https://github.com/auth0/Auth0.Android/blob/master/CHANGELOG.md#120-2016-11-30) for more information. https://auth0.com/changelog#3Rr4G1fOLT7HbOAfWTmH2N Fri, 25 Nov 2016 00:00:00 GMT Published new mobile SDKs for iOS ([Guardian.swift](https://github.com/auth0/Guardian.swift)) and Android ([Guardian.Android](https://github.com/auth0/Guardian.Android)) to make it simple to build custom Guardian mobile applications. https://auth0.com/changelog#31DkhC1sqqAtVJ7D3RI6gg Mon, 21 Nov 2016 00:00:00 GMT Lock for Android now allows to specify a custom Scope. See the [changelog entry](https://github.com/auth0/Lock.Android/blob/master/CHANGELOG.md#220-2016-11-21) for more information. https://auth0.com/changelog#7nOvbGELOGSXR4hqS4yRyC Fri, 18 Nov 2016 00:00:00 GMT nonce parameter is now mandatory if you are using implicit grant flow https://auth0.com/changelog#3GXyUQoW9RqIdN3kZodJiO Wed, 02 Nov 2016 00:00:00 GMT Released new version of Lock for Web with several bugfixes and improvements including support for custom OAuth2 connections. See [Lock's changelog](https://github.com/auth0/lock/blob/master/CHANGELOG.md) for more information. https://auth0.com/changelog#6TC3i2wfXg7XLhdZe24TJb Mon, 31 Oct 2016 00:00:00 GMT Release of the UI-less client libraries for Guardian, allowing users to build custom Guardian widgets. See the library [here](https://github.com/auth0/auth0-guardian.js) for more information https://auth0.com/changelog#pKRGNsgWFC0m48cTAIpqj Wed, 26 Oct 2016 00:00:00 GMT Double quotes in assertions caused invalid SAML signature. https://auth0.com/changelog#3ovL86b9QsLWW3pWvEAjID Wed, 26 Oct 2016 00:00:00 GMT Added new Tenant settings for: - `default_audience` - Specifies the audience that clients will receive as a default if one isn't explicitly requested- `default_directory` - Specifies a default directory connection to use when using `password grant` flow https://auth0.com/changelog#Rb1ISvdmcLKkVXYDZ0sfH Tue, 25 Oct 2016 00:00:00 GMT Published new Android focused SDK ([JWTDecode.Android](https://github.com/auth0/JWTDecode.Android)) for decoding Json Web Tokens (JWT). See the [changelog entry](https://github.com/auth0/JWTDecode.Android/blob/master/CHANGELOG.md#100-2016-10-25) for more information. https://auth0.com/changelog#64aLCYqeTH6YiQTQBwo5J5 Mon, 24 Oct 2016 00:00:00 GMT Lock for Android now uses Browser instead of WebView by default for authentication. See the [changelog entry](https://github.com/auth0/Lock.Android/blob/master/CHANGELOG.md#210-2016-10-24) for more information. https://auth0.com/changelog#2XgSQJ3D2ULN4Bq9P3ufbA Mon, 24 Oct 2016 00:00:00 GMT Verification email does not display given_name attribute for custom DB. https://auth0.com/changelog#6RV78uXnkIo8CEEbX81B8C Sat, 15 Oct 2016 00:00:00 GMT Added paging to Database Connctions page to support large volume of connections https://auth0.com/changelog#7EKHUUeutKg8AcHKD6pqm6 Thu, 06 Oct 2016 00:00:00 GMT Published new mobile SDKs for iOS ([Auth0.swift](https://github.com/auth0/Auth0.swift)) and Android ([Auth0.Android](https://github.com/auth0/Auth0.Android)) to make it simple to build custom login screens using Auth0. https://auth0.com/changelog#5qtcf0rNLcanQ5QAtiHwTX Wed, 05 Oct 2016 00:00:00 GMT Auth0 Guardian now allows users to choose to 'remember this browser' and not be prompted for MFA for 30 days from a known system. https://auth0.com/changelog#4QRMmRWZb464ZHpOylk8TX Wed, 05 Oct 2016 00:00:00 GMT It is now possible to disable automatic SMS and email notifications during Passwordless user creation. See the [docs](https://auth0.com/docs/api/management/v2#!/Users/post_users) for more information. https://auth0.com/changelog#7vYKVLKnSRl46EAJh3WR64 Mon, 26 Sep 2016 00:00:00 GMT When a user hits the rate limit for the `delegation` endpoint, log entries will now be visible in the tenant logs. https://auth0.com/changelog#6y5MWDLiUabHgtRQqpGUan Thu, 22 Sep 2016 00:00:00 GMT SSO Session Timeout can be customized in Tenant Settings > Advanced. This allows you to specify how long the SSO Cookie is valid. https://auth0.com/changelog#3S846eirFpC5pcZ5WGLsTM Wed, 21 Sep 2016 00:00:00 GMT Released new major version of Lock for Android with redesigned UI and new features like custom OAuth2 connections support, password policy, etc. See the [docs](https://auth0.com/docs/libraries/lock-android) for more information. https://auth0.com/changelog#6HhYeiyZUGilqDsUUM8zam Wed, 21 Sep 2016 00:00:00 GMT Fixed error when custom DB scripts are set to `null` https://auth0.com/changelog#4ek6qQFq7SGUo5at0p36i8 Wed, 21 Sep 2016 00:00:00 GMT You can now opt-in to preview the new OAuth2aaS pipeline in Account Settings > Advanced. This enables support for Advanced API Authorization scenarios including user consent. https://auth0.com/changelog#5j2r5cb5PSnwEoV8pyBV9T Mon, 19 Sep 2016 00:00:00 GMT Database Connections now allow customizing the minimum and maximum length for usernames, up to 128 characters. This only applies if `Require Username` is on.  https://auth0.com/changelog#5dc2z2zOPeBJTrdFv1f6rI Tue, 13 Sep 2016 00:00:00 GMT Renamed the Delete All Users endpoint from `DELETE /api/v2/users` to `DELETE /api/v2/allusers` to avoid accidental deletion of users. https://auth0.com/changelog#6A9lfSu8KhDbHOMykCBZuX Wed, 07 Sep 2016 00:00:00 GMT Add `oid` claim to Azure AD user profiles https://auth0.com/changelog#38L3n6MarI9UHNxzWIfpgt Mon, 05 Sep 2016 00:00:00 GMT Update response from Device Credentials endpoint to include `type` and `user_id`. https://auth0.com/changelog#5slrMBajjHMr7zDgP0Sbhi Fri, 02 Sep 2016 00:00:00 GMT SAML Response is now displayed in Tenant Logs when Debug Mode is enabled in the SAML Connection. https://auth0.com/changelog#1KOTwD1kMQGWMy0vI6wzyB Mon, 29 Aug 2016 00:00:00 GMT Added the ability to regenerate Guardian recovery codes. Please visit our [documentation](https://auth0.com/docs/api/management/v2#!/Users/post_recovery_code_regeneration) for details. https://auth0.com/changelog#37IU9UtC4MZB4YVYqtoJUo Thu, 25 Aug 2016 00:00:00 GMT Auth0 Guardian is now officially released -- a new and convenient way to perform multifactor authentication for logins. Guardian features 'push-notifications' as well as other standard authentication flows. See our full announcement [here](https://auth0.com/blog/announcing-Auth0-Guardian-a-new-way-to-login). https://auth0.com/changelog#1cOlGOuMUtZylxUWFWARjW Wed, 24 Aug 2016 00:00:00 GMT Added ability to specify Client Logo on the client API https://auth0.com/changelog#7y67FPjaq7s7ofSSCVRX7g Wed, 24 Aug 2016 00:00:00 GMT Releasing password breach detection, which protects Auth0 users in case their password is leaked via a breach at a different provider. Auth0 monitors announcments of breaches from other providers, and checks Auth0 users against the list of leaked accounts. In case of a match, the user will be prevented from logging in until their password is reset. https://auth0.com/changelog#1040yUgFOM0LE4gb6JDUwD Wed, 17 Aug 2016 00:00:00 GMT Guardian template is now customizable via the Hosted Pages section. https://auth0.com/changelog#3ZsbI2OiYBksWluO3NXOoG Tue, 09 Aug 2016 00:00:00 GMT Fixed issue with Account Un-Linking where the secondary account would not show up in the Users list after being Un-Liked. Now, when Un-Linking two linked accounts, the secondary account will be restored and visible in Users. https://auth0.com/changelog#3myYMrcWWMlKuAPawKGAGQ Fri, 05 Aug 2016 00:00:00 GMT Bulk Import API has been upgraded with the following changes: - Added option to specify if the operation should should insert or upsert - Added `external_id` parameter. The value is user defined and is returned with Job status; can be used for correlating multiple jobs. - Job Status shows summary totals of successful/failed/inserted/updated - Added ability to retrieve failed entries via API call to `GET /api/v2/jobs/{id}/errors` - Job Status is added to Tenant Logs which allows a custom WebHook to be trigged using the WebHook Logs Extension https://auth0.com/changelog#3jY0IA8EC2Kth4N2aE0cd0 Fri, 05 Aug 2016 00:00:00 GMT The API now has the ability to manage Guardian configuration. Please visit our [documentation](https://auth0.com/docs/api/management/v2#!/Guardian/) for full details. https://auth0.com/changelog#4d7KuTgMnjMbhbc5CvRIqM Mon, 01 Aug 2016 00:00:00 GMT The Bitbucket Deployments extension allows you to deploy rules and database connection scripts from Bitbucket to Auth0. You can configure a Bitbucket repository, keep all your rules and database connection scripts there, and have them automatically deployed to Auth0 each time you push to your repository.  https://auth0.com/changelog#2r7GOYk0mS1TCL7KM0ttYI Fri, 22 Jul 2016 00:00:00 GMT The `/authorize` endpoint now supports `response_mode=form_post` when the response_type is either `id_token` or `code token`. For example: `/authorize?response_mode=form_post&client_id=…&redirect_uri=…&response_type=id_token` https://auth0.com/changelog#9UwTbb4SDGOi543pGKFlx Fri, 15 Jul 2016 00:00:00 GMT Auth0 now supports full Client Credentials flow for API Authorizations. This allows server to server authorization for things like scripts, backend services, daemons, or any app that does not need to operate as a user. Enabling the API section can be done via Account Settings or by adding a new **Non Interactive** Client. The **Application** section in the Auth0 Dashboard has been renamed to **Clients** to clarify the distinction between APIs and Clients. This is the first step we are taking towards more complex API authorization scenarios. Other flows, such as User Consent, will be added in the near future. Please visit our full [documentation](https://auth0.com/docs/api-auth) for detailed information about API Authorization. https://auth0.com/changelog#1sDThFzNwhAUKvf3qJF9c7 Fri, 15 Jul 2016 00:00:00 GMT Added ability to change Email for users in Passwordless connections. https://auth0.com/changelog#5Pc77EYigYDWDgzNzaMGj0 Fri, 15 Jul 2016 00:00:00 GMT Added password policy support for Password Dictionary and Password Personal Data. **Password Dictionary**, when enabled, prevents the use of common passwords and allows for setting a custom dictionary with up to 200 entries. **Password Personal Data**, when enabled, prevents using personal data in the password, such as the user's name, parts of the email address, etc... https://auth0.com/changelog#6wy0yLTv3LZAsffFd6Y7eK Thu, 14 Jul 2016 00:00:00 GMT Added support for Twillio Copilot in Passwordless Connections. https://auth0.com/changelog#1Eplf90aeFfgOX7gDRAW0P Tue, 12 Jul 2016 00:00:00 GMT Support for Fitbit OAuth2 apps. Added an upgrade mechanism for OAuth1 (deprecated) connections. https://auth0.com/changelog#5ZgfWmZXyPfoAeldX0mySh Sat, 02 Jul 2016 00:00:00 GMT If a user requests multiple passwordless links/codes, emails may not arrive or be displayed in the correct order. Up till now, only the last code issued was valid, causing issues when opening the wrong email. This change allows the last 5 codes sent to be valid, but once one is used, the rest are invalidated. https://auth0.com/changelog#4ZjI9JF1L1Zwrfa9r8HN1 Wed, 29 Jun 2016 00:00:00 GMT The GitHub Deployments extension allows you to deploy rules and database connection scripts from GitHub to Auth0. You can configure a GitHub repository, keep all your rules and database connection scripts there, and have them automatically deployed to Auth0 each time you push to your repository.  https://auth0.com/changelog#7FYl9jskNepvpvCLkQF6Sy Tue, 21 Jun 2016 00:00:00 GMT Added Password History support to Database Connections' password policies. https://auth0.com/changelog#5n16ZP6ir1RoJWnNkdjeAv Sat, 28 May 2016 00:00:00 GMT Added support for the new Firebase SDK v3. https://auth0.com/changelog#3QMPOVmhNXDHoC68QcFTnc Wed, 25 May 2016 00:00:00 GMT Introduced a new tenant settings flag `enable_client_connections` that will allow customers to switch between 2 flows when creating clients (Applications): - When creating a new client, create and enable existing connections (current flow, default) - When creating a new client, create but don't enable my existing connections (new flow) This setting can be turned off in Account Settings > Advanced > Settings > Enable Client Connections or via the API using the `GET /api/v2/tenants/settings` endpoint. https://auth0.com/changelog#6sXlrKXAS01nxLHecR2KRz Mon, 16 May 2016 00:00:00 GMT Extensions gallery now supports documentation. From now on, you will be able to check documetion before and after installing an extension.   https://auth0.com/changelog#1WbcIZVN2Mv6tJ9siv7Oaj Thu, 12 May 2016 00:00:00 GMT Provided access to the language in passwordless email templates https://auth0.com/changelog#3BH6RxedtOob3zGOwGnsz3 Thu, 12 May 2016 00:00:00 GMT Added support for **Bitbucket** and **Dropbox** social connections. If you are using **Lock**, please upgrade to **v9.2.0**. https://auth0.com/changelog#3DfSn5JkSVSJxEw0IjIt4b Tue, 10 May 2016 00:00:00 GMT Remove support for JSONP on the `/ssodata` endpoint. The *"Last time you logged in with"* feature will no longer be supported on IE 9. https://auth0.com/changelog#24UAugVThEV9x2iUluT9X2 Mon, 09 May 2016 00:00:00 GMT Integrate Rules Debugging with Real-time Logs extension  https://auth0.com/changelog#4k3kfOarWqtXxxrKpyFFW8 Sun, 08 May 2016 00:00:00 GMT We shipped 7 new logging extensions. You can now export Auth0 logs to one of the following external systems: - Auth0 Logs to Papertrail- Auth0 Logs to Sumologic- Auth0 Logs to Splunk- Auth0 Logs to Logstash- Auth0 Logs to Mixpanel- Auth0 Logs to Logentries Export operation executes at configurable intervals to ensure you always have access to recent logs.  https://auth0.com/changelog#7e8Mf4pNBGyzT7KEJE2W7Y Mon, 02 May 2016 00:00:00 GMT New Extension: Real-time Webtask Logs This extension gives you the possibility to access to Webtask Logs in real-time.   https://auth0.com/changelog#3Lf458RFGf7PiVRy9Qnqld Fri, 22 Apr 2016 00:00:00 GMT Added logout `returnTo` URL validation. If the `returnTo` URL is not in the Allowed Logout URLs list, the request will be rejected. See the [docs](https://auth0.com/docs/logout#setting-allowed-logout-urls-at-the-account-level) for more information. https://auth0.com/changelog#2yerGMjswxEk8W5uBThxxp Fri, 08 Apr 2016 00:00:00 GMT New Extension: Authorization Dashboard This extension gives you the possibility to manage group memberships for your users. ##### Group Management Allows you to create groups with a name and a description. Users can be added and removed from groups. This can happen by opening the group and managing users from there, or by opening the user and manage the user's group memberships from there.  ##### User Management Besides managing everything from the group point of view you can also open a user and manage his/her group memberships there but also see the "calculated" group memberships for that user.  ##### Application Access In Auth0 the application access is very coarse grained. All users in a connection that is enabled for the application are able to access the application. With this extension you are now able to take this a step further. You are able to define that only groups "Fabrikam Management" and "Fabrikam Finance" are able to access the "Reporting App" containing reports about the company's financials.  https://auth0.com/changelog#1oxo1pHWCRtArJ217CM2eB Thu, 07 Apr 2016 00:00:00 GMT Added a new property on the **client** entity to allow users to specify how the client is going to perform authentication with the token endpoint. Values are `none`, `client_secret_post` and `client_secret_basic`. The `none` option is introduced for native applications which can’t store secrets and use **PKCE** (see [https://tools.ietf.org/html/rfc7636](https://tools.ietf.org/html/rfc7636)) https://auth0.com/changelog#7cN3vI0Tu0OvP2g5qLT8o5 Wed, 06 Apr 2016 00:00:00 GMT Suppressed the error message in the change password flow in order to prevent user enumeration within the message. The API now returns HTTP 200. https://auth0.com/changelog#6nahr8swxKUGFPpqRML0Ax Wed, 06 Apr 2016 00:00:00 GMT We included an extra validation in the `/tokeninfo` endpoint to verify that the account name in the URL matches the account for which the token was issued. Any call to the tokeninfo with a token from another account will return Unauthorized. https://auth0.com/changelog#1lvXf203Fn85plbbf4TaEK Tue, 05 Apr 2016 00:00:00 GMT We deprecated the `current_user_device_credentials` scopes in the `/api/v2/device-credentials` endpoint for `POST` and `DELETE` methods. To use this endpoint we enabled **Basic authentication** with username and password from a database connection. https://auth0.com/changelog#1qL64jGfnLpUMkavRaUoJ7 Tue, 15 Mar 2016 00:00:00 GMT Added new `ext_nested_groups` option to `waad` connection strategy. When both `ext_groups` and `ext_nested_groups` are enabled we return all the groups that the user is a member of instead of only returning the ones that the user is direct member (for more information see this [MSDN article](https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/users-operations#UserFunctions)) https://auth0.com/changelog#2FMkbF447VuaYj1M1mbMSY Tue, 15 Mar 2016 00:00:00 GMT Users can now specify a list of URLs that are valid to redirect to after logging out from Auth0. The update can be done either from the [Dashboard](https://manage.auth0.com/#/account/advanced) or using the [Management API](https://auth0.com/docs/api/v2#!/Tenants/patch_settings). https://auth0.com/changelog#1A9GOFNkmOOb1ApYKbHj6b Mon, 14 Mar 2016 00:00:00 GMT The `device-credentials` endpoint now supports basic authentication to perform `GET`, `POST`, and `DELETE` requests. https://auth0.com/changelog#4g1VSIfJf6nWTc81XCRTg8 Fri, 11 Mar 2016 00:00:00 GMT Extensions Gallery updated! This new version allows you to create your own extensions.  https://auth0.com/changelog#5Cg5Ua5FEckWRdaK7NjRfv Tue, 01 Mar 2016 00:00:00 GMT The flow to reset a password has been updated. In this new flow, users enter their username or email address and receive an email with instructions to choose a new password. The old flow which required users to enter their new password and then confirm the change via email is still available but has been deprecated: it is no longer available for new tenants and existing tenants are recommended to disable it. https://auth0.com/changelog#3b1qlOUhIyMW0ww0cKYAk8 Tue, 01 Mar 2016 00:00:00 GMT The flow to reset a password has been updated. In this new flow, users enter their username or email address and receive an email with instructions to choose a new password. The old flow which required users to enter their new password and then confirm the change via email is still available but has been deprecated: it is no longer available for new tenants and existing tenants are recommended to disable it. https://auth0.com/changelog#6YBtYVQ9kfQzaLv4FmOMuW Mon, 29 Feb 2016 00:00:00 GMT Extensions Gallery updated. This new version gives users the possibility to search for an extension, easily check which ones are installed and access to more information about an extension before installing it. Also, includes new extensions such as `Auth0 logs to Loggly`, `Auth0 logs to Azure blob storage`, `Auth0 logs to Application Insights`, `Auth0 AD/LDAP Connector Health Monitor` and `Auth0 Authentication API webhooks`  https://auth0.com/changelog#xEqyjgb1Mz9512Tqt89UV Fri, 26 Feb 2016 00:00:00 GMT Users can query logs using the **Management API v2**. You can use the new `logs` endpoints to query logs. This is the new recommended way to query logs. The **API v1** logs endpoints will still be functional. See more info in the [docs](https://auth0.com/docs/api/v2#!/Logs/get_logs). https://auth0.com/changelog#32IpKaSUdYEnIEAiOBXS1c Sat, 21 Nov 2015 00:00:00 GMT The Auth0.Android SDK has deprecated the usage of the WebView for authentication. All web authentication should be done using the Browser. See the [changelog entry](https://github.com/auth0/Auth0.Android/blob/master/CHANGELOG.md#111-2015-11-21) for more information. https://auth0.com/changelog#3Lypw1nw4jKbasrnypsBTm