General Usage and Operations Best Practices
Here are some recommended best practices for general Auth0 usage and operation.
Capture log files
Auth0 keeps tenant logs for a limited amount of time. To retain log data and store it elsewhere, pull it with the Management API, stream the logs to an external service, or use one of the available extensions for services such as Loggly or Splunk.
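The Management API route above, as an added example that is not Auth0's own code: a scheduled exporter that pulls log events with checkpoint pagination (`GET /api/v2/logs` with `from` and `take`) and hands each entry to an external sink, so a tenant's logs survive the retention window without gaps or duplicates. The starting checkpoint (the `log_id` of the last entry already exported) and the `fetch`, `sink` and `page_size` parameters are assumptions of this example; the test records below are constructed.

```python
"""Export Auth0 tenant logs to external storage using checkpoint pagination.

Added example, not Auth0's own code. Assumes a Management API token with the
read:logs scope and a persisted checkpoint (the log_id of the last exported
entry); the API returns entries after that id, oldest first.
"""
import json
import urllib.parse
import urllib.request

PAGE_SIZE = 100  # Management API cap for `take` per request


def build_logs_url(domain, checkpoint, take=PAGE_SIZE):
    """URL for the page of log events that follows `checkpoint`."""
    params = {"take": str(take), "from": checkpoint}
    return f"https://{domain}/api/v2/logs?{urllib.parse.urlencode(params)}"


def http_fetch(url, token):
    """Default fetcher: one authenticated GET, decoded as a JSON list."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def export_logs(domain, token, checkpoint, sink, fetch=http_fetch, page_size=PAGE_SIZE):
    """Pull every page after `checkpoint`, pass each entry to `sink`, and return
    the new checkpoint. Persist the returned value between runs so the next run
    resumes exactly where this one stopped."""
    while True:
        page = fetch(build_logs_url(domain, checkpoint, page_size), token)
        if not page:
            return checkpoint
        for entry in page:
            sink(entry)                    # e.g. append to a file or SIEM queue
            checkpoint = entry["log_id"]   # advance only after the entry is stored
        if len(page) < page_size:          # short page means we have caught up
            return checkpoint
```

Run it on a schedule shorter than the tenant's log retention period; a `sink` that writes to durable storage before the checkpoint advances is what makes the export resumable after a crash.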
Set up your own email provider and customize email templates
Auth0 provides a test email provider so you can test default welcome and email verification messages during tenant configuration. The test provider can only send a limited number of emails, so you should configure your own mail server. Additionally, we recommend a unique email provider account per tenant. Sharing an email account between tenants means that a change intended for one tenant can cause problems or outages for another.
Also, make sure to configure and customize the templates for emails sent from Auth0. These include email verification messages, welcome messages, password reset messages, et cetera. For custom templates, provide a "from" address, a clear subject, your custom content, and a link timeout for emails that contain a link (such as a password reset link).
Subscribe to updates on the Auth0 status page
Head over to the Auth0 status page and sign up for notifications. If there are any Auth0 outages, you or your support staff will be notified.
Store custom code in a source code repository
If you have custom code for rules, hooks, custom database scripts, or webtasks, store it in a source code repository such as GitHub for version control and auditability. Auth0 has extensions to help deploy code stored in external repositories.
If you have a full continuous integration/continuous deployment pipeline, use the Auth0 Deploy CLI tool for greater flexibility.
Store configuration values in Dashboard
If your rules, hooks, custom database scripts, or webtasks require configuration values (such as credentials or API keys), you should store them in the Auth0 Dashboard. Storing configuration values in the Dashboard makes migrating configuration between tenants easier.
Add Auth0 public IP addresses to allow list
If your rules, hooks, custom database scripts, or webtasks call a service in your intranet or behind another firewall, be sure to add the Auth0 public IP addresses to the allow list. This lets requests from those IP addresses through. You can find the IP addresses for each region in your Auth0 Dashboard, where you edit rules, hooks, or custom database scripts.
Run tenant configuration checks
The Auth0 Support Center provides a configuration checker tool. Run the configuration checker periodically during development and again before you launch.
To run the configuration check, go to Auth0 Support Center > Tenants and select the gear icon and choose Run Production Check.
Avoid pinning or fingerprinting TLS certificates for Auth0 endpoints
Avoid pinning or fingerprinting the TLS certificates presented by Auth0 endpoints. These certificates are issued with varying expiry timeframes and are renewed with different intermediate and root certificate authorities, so any part of the certificate chain can change at any time. Pinning or fingerprinting any certificate in the chain, and relying on that uniquely identifying information, can lead to unexpected behavior in your applications or services.