Migrating to Lock v11

Lock v11 operates with enhanced security and removes dependencies that have been deprecated as per Auth0's roadmap. In some cases, these security enhancements may impact application behavior when upgrading from an earlier version of Lock.

Should I migrate to v11?

Everyone should migrate to v11. All previous versions are deprecated as of April 1, 2018, and will cease to work at some point after this date. For clients who use Lock within an Auth0 login page, this migration is recommended; for client applications with Lock embedded within them, this migration is mandatory.

Migration instructions

The documents below describe all the changes that you should be aware of when migrating from different versions of Lock. Make sure you go through the relevant guide(s) before upgrading.

Migrating from the lock-passwordless widget

Migrating from Lock v10

Migrating from Lock v10 in Angular 1.x Applications

Migrating from Lock v10 in Angular 2+ Applications

Migrating from Lock v10 in React Applications

Migrating from Lock v9

Migrating from Lock v9 in Angular 1.x Applications

Migrating from Lock v8

Migrating from Lock v8 in Angular 1.x Applications

If you have any questions or concerns, you can discuss them in the Auth0 Community, submit them using the Support Center, or directly through your account representative, if applicable.

Disabling legacy Lock API

After you update to Lock v11 and/or Auth0.js v9, you should turn off the Legacy Lock API toggle in the Dashboard. This makes your Auth0 tenant behave as if the legacy API is no longer available. Starting on April 1, 2018, this option will be forcibly disabled, so it is recommended that you opt in before that time to verify that your configuration works correctly.

You can find the setting in the Advanced section of Tenant Settings.

Allowed Web Origins


If Lock takes a long time to display the login options, it could be because the Allowed Web Origins property is not correctly set.

To verify that this is the problem, check your logs at Dashboard > Logs. If you see an entry with the following error description, set the Allowed Web Origins property and try again.

The specified redirect_uri 'https://YOUR_APP_URL' does not have a registered domain.
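
The log check above can be run over an exported set of log entries. The following is an added example, not Auth0's own code: it finds entries with this error description and lists, per application, the origins that would need to be registered. The field names `description` and `client_id`, the function name `missingWebOrigins`, and the sample entries are assumptions made for illustration.

```javascript
// Added example: triage exported tenant log entries for the
// "does not have a registered domain" error described above.
// Assumption: each entry is an object with `description` and `client_id`.
const ERROR_RE =
  /The specified redirect_uri '([^']+)' does not have a registered domain\./;

// Constructed sample entries, not real tenant logs.
const sampleLogs = [
  { client_id: 'app-A', description: "The specified redirect_uri 'https://app.example.com/callback' does not have a registered domain." },
  { client_id: 'app-A', description: "The specified redirect_uri 'https://app.example.com/silent?x=1' does not have a registered domain." },
  { client_id: 'app-B', description: "The specified redirect_uri 'http://localhost:3000/cb' does not have a registered domain." },
  { client_id: 'app-B', description: 'Wrong email or password.' },
  { client_id: 'app-C', description: "The specified redirect_uri 'not a url' does not have a registered domain." },
];

function missingWebOrigins(entries) {
  const byClient = new Map();
  const unparsable = []; // values that are not valid URLs: review by hand
  for (const entry of entries) {
    const match = ERROR_RE.exec(entry.description || '');
    if (!match) continue; // unrelated log entry
    let origin;
    try {
      // Reduce the URL to scheme + host + port; path and query are dropped.
      origin = new URL(match[1]).origin;
    } catch {
      unparsable.push(match[1]);
      continue;
    }
    const client = entry.client_id || 'unknown';
    if (!byClient.has(client)) byClient.set(client, new Set());
    byClient.get(client).add(origin); // Set removes duplicates
  }
  const origins = {};
  for (const [client, set] of byClient) origins[client] = [...set].sort();
  return { origins, unparsable };
}

console.log(JSON.stringify(missingWebOrigins(sampleLogs), null, 2));
```

Add an origin to Allowed Web Origins only after confirming that it belongs to the application in question; an origin you do not recognise should be investigated rather than registered.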