General Usage and Operations Best Practices

Here are some recommended best practices for general Auth0 usage and operation.

Capture log files

Auth0 keeps tenant logs for a limited amount of time. (To learn more, read Logs.) To get log data and store it elsewhere, you can use the Auth0 Management API's Search log events endpoint, stream the logs to an external service, or export log events using one of the available extensions for services such as Loggly or Splunk.
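One way to pull events from the Search log events endpoint into your own storage, shown as an added example rather than Auth0's own code. It assumes checkpoint pagination with the `from` and `take` query parameters on `GET /api/v2/logs`, a `log_id` field on every event, and a Management API token allowed to read logs; the function names, tenant domain, and starting checkpoint are placeholders supplied by the caller.

```python
import json
import urllib.parse
import urllib.request

PAGE_SIZE = 100  # assumption: largest `take` value the endpoint accepts


def management_api_fetcher(domain, token):
    """Build fetch_page(from_id, take) for GET /api/v2/logs on one tenant."""
    def fetch_page(from_id, take):
        query = urllib.parse.urlencode({"from": from_id, "take": take})
        req = urllib.request.Request(
            f"https://{domain}/api/v2/logs?{query}",
            headers={"Authorization": f"Bearer {token}"},
        )
        # urllib validates the chain against the system trust store; no pinning.
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch_page


def export_logs(fetch_page, checkpoint, sink):
    """Write every event after `checkpoint` to `sink` as JSON lines.

    Returns the log_id of the last event written; persist it and pass it
    back as `checkpoint` on the next run so no event is fetched twice.
    """
    while True:
        page = fetch_page(checkpoint, PAGE_SIZE)
        # Stop on an empty page, or if the API makes no progress past the checkpoint.
        if not page or page[-1]["log_id"] == checkpoint:
            return checkpoint
        for event in page:
            sink.write(json.dumps(event, sort_keys=True) + "\n")
        checkpoint = page[-1]["log_id"]


if __name__ == "__main__":
    import sys
    # Constructed sample events standing in for the tenant's log stream.
    sample = [{"log_id": f"id{i:03d}", "type": "s"} for i in range(5)]
    ids = [e["log_id"] for e in sample]
    fake = lambda frm, take: sample[ids.index(frm) + 1:][:take]
    print("next checkpoint:", export_logs(fake, "id000", sys.stdout))
```

Run the export on a schedule shorter than the tenant's log retention period, and store the returned checkpoint alongside the exported file.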

Set up your own email provider and customize email templates

Auth0 provides a test email provider, so you can test default welcome and email verification messages during tenant configuration. To learn more, read Email. The test provider can only send a limited number of emails, so you should configure your own mail server. Additionally, we recommend a unique email provider account per tenant. When tenants share an email account, a change to the service intended for one tenant can cause problems or outages for another.

Also, make sure to configure and customize the templates for emails sent from Auth0. These include email verification messages, welcome messages, password reset messages, et cetera. For custom templates, provide a "from" address, a clear subject, your custom content, and a link timeout for emails with a link (such as a password reset link).

Avoid pinning or fingerprinting TLS certificates for Auth0 endpoints

Auth0 does not support pinning or fingerprinting TLS certificates for Auth0 API endpoints. Doing so can lead to outages and unexpected behaviors within your applications or services.

Certificates presented on Auth0 endpoints are issued for varying expiry timeframes. These certificates are renewed with different intermediate certificate authorities and root certificate authorities. Any sort of pinning or fingerprinting should be avoided since any aspect of the certificate chain can be changed at any time.

Subscribe to updates on the Auth0 status page

Sign up for notifications at the Auth0 status page. If there are any Auth0 outages, you or your support staff will be notified.

Store custom code in a source code repository

If you have a full continuous integration/continuous deployment pipeline, use the Auth0 Deploy CLI tool for greater flexibility. To learn more, read Deploy CLI Tool.

Please note that the auth0-deploy-cli tool is updated regularly to provide feature enhancements, security improvements, and bug fixes. Before you upgrade to a newer version, review the release notes and update your configuration files accordingly.

Store configuration values in Dashboard

If your Actions, Rules, Hooks, custom database scripts, or Webtasks require configuration values (such as credentials or API keys), you should store them in the Auth0 Dashboard. Storing configuration values in the Dashboard makes migrating configuration between tenants easier. To learn more, read Set Up Multiple Environments.

Add Auth0 public IP addresses to AllowList

If your Actions, Rules, Hooks, custom database scripts, or Webtasks call a service in your intranet or behind another firewall, be sure to add the Auth0 public IP addresses to the AllowList. This lets requests from those IP addresses through. You can find the IP addresses for each region in your Auth0 Dashboard, where you edit rules, hooks, or custom database scripts.

Run tenant configuration checks

The Auth0 Support Center provides a configuration checker tool. Run the configuration checker periodically during development and again before you launch.

To run the configuration check, go to Auth0 Support Center > Tenants, select the gear icon, and choose Run Production Check.

ASN Binding optimization

An Autonomous System Number (ASN) is a unique identifier assigned to an Autonomous System comprising IP networks and routing devices under the control of an Administrative Domain (AD) owned by a Service Provider. ASN binding for Dashboard users is enabled by default and is not configurable.

If you are experiencing redirect loops or are frequently being prompted to enter your password while accessing Teams or Auth0 Dashboard, see the following best practices to help mitigate potential issues:

  • Connecting to and disconnecting from either a corporate or commercial VPN could mean your IP and ASN are changing. Verify that, while you are connected to the VPN, the public IP used to access the Internet does not change for the duration of the VPN connection.

  • If using a VPN, verify the VPN connection is stable; random disconnects and reconnects caused by network instability might result in frequent changes to your public IP and ASN.

  • Some corporate networks might use network or firewall load balancers to prevent internet outages associated with relying on a single Internet Service Provider. Verify that your public IP is not frequently changing while accessing Teams or Auth0 Dashboard. Try using another network to test that you can successfully log in.