When you request an export of password hashes or MFA secrets from your Auth0 tenant, the data is encrypted end-to-end with Pretty Good Privacy (PGP) before it leaves Auth0 systems. Only you, as the holder of the matching private key, can decrypt the exported data. This page covers the full process, from submitting your request to decrypting the export file.

Prerequisites

Before you submit a request, generate a PGP key pair that meets the following requirements:
Requirement | Value
--- | ---
Key length | 4096 bits or greater
Encryption subkey | The key must include at least one RSA 4096-bit encryption subkey. Auth0 uses this subkey to encrypt your export. Other subkeys may use different parameters; only one needs to meet this requirement.
Passphrase | Strong and unique. A randomly generated passphrase is recommended.
Expiration | Set an expiration date at least 7 days after the date of generation. To reuse the same key for repeat export requests, adjust the expiration accordingly.

Generate your PGP key pair

This section uses GnuPG (gpg), the standard command-line tool for OpenPGP. For other tools or advanced options, see the GnuPG manual.

Install GnuPG

brew install gnupg
Requires Homebrew. For other installation options, read the GnuPG download page.

Generate the key

Run the key generation command:
gpg --full-generate-key
When prompted, provide the following values:
Prompt | Value
--- | ---
Please select what kind of key you want | 1 (RSA and RSA)
What keysize do you want | 4096
Key is valid for | A duration matching the Expiration requirement above (at least 7 days)
Real name / email | Your name and the exact email address registered for your tenant administrator account. Aliases or different capitalization may cause validation to fail.
Comment | Optional non-sensitive label that helps you identify this key later (for example, “Auth0 export key”).
Passphrase | A strong, randomly generated passphrase.
Recent versions of GnuPG default to ECC at the first prompt. You must explicitly select 1 (RSA and RSA). ECC and EdDSA keys are not supported by Auth0’s export validation.

Export your public key

After the key is generated, find its key ID and export the public key. Always reference the key by its key ID (not by email). gpg returns the first key matching the identifier you pass, so an email lookup can grab the wrong key if you generated more than one with the same address.

List your keys:
gpg --list-keys
The output includes a pub line followed by the 16-character key ID:
pub   rsa4096 2026-06-04 [SC] [expires: 2028-06-04]
      ABC123451E45G39A
      uid           [ultimate] Your Name <your.email@example.com>
sub   rsa4096 2026-06-04 [E]
Export the public key by key ID in ASCII-armored format:
gpg --armor --export YOUR_KEY_ID > public_key.asc
Replace YOUR_KEY_ID with the alphanumeric string shown under your pub line (for example, ABC123451E45G39A). The output file contains the full key block, including the armor headers:
-----BEGIN PGP PUBLIC KEY BLOCK-----
...
-----END PGP PUBLIC KEY BLOCK-----
Do not export or share your private key. Auth0 only needs your public key to encrypt the file.
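
As an added example (not Auth0 tooling), the shell function below checks a key listing against the requirements table on this page before you attach the key to a support case. It reads the output of `gpg --with-colons --show-keys public_key.asc` on standard input; the function name `check_export_key`, the choice to apply the length and expiration requirements to the primary key as well as the encryption subkey, and the sample email are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page or of Auth0's tooling.
# Usage: gpg --with-colons --show-keys public_key.asc | check_export_key ADMIN_EMAIL
# Exit status 0 and no output means every check passed.
check_export_key() {
    awk -F: -v email="$1" '
        # Colon-listing fields: 1 type, 2 validity, 3 bits, 4 algorithm (1 = RSA),
        # 6 created, 7 expires (both epoch seconds), 10 user ID, 12 capabilities.
        function lifetime_ok() { return $7 != "" && $7 - $6 >= 7 * 86400 }

        # Primary key: RSA, 4096 bits or more, expiry set at least 7 days out.
        $1 == "pub" && $4 == 1 && $3 >= 4096 && lifetime_ok() { pub_ok = 1 }

        # Exact, case-sensitive match on the address inside <...>.
        $1 == "uid" && index($10, "<" email ">") { uid_ok = 1 }

        # An RSA key or subkey of 4096 bits or more that carries the "e" (encrypt)
        # capability and is not expired (e), revoked (r) or invalid (i).
        ($1 == "pub" || $1 == "sub") && $4 == 1 && $3 >= 4096 &&
            $12 ~ /e/ && $2 !~ /[eri]/ && lifetime_ok() { enc_ok = 1 }

        END {
            if (!pub_ok) print "FAIL: primary key is not RSA >= 4096 with expiry >= 7 days"
            if (!enc_ok) print "FAIL: no usable RSA >= 4096 encryption subkey"
            if (!uid_ok) print "FAIL: no user ID with email <" email ">"
            exit !(pub_ok && enc_ok && uid_ok)
        }'
}
```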

Request process

1. Submit a support request

Open a support case requesting a password hash or MFA secrets export. Include the following in your request:
  • The specific tenant name.
  • Your PGP public key (the full ASCII-armored block from the previous section).
2. Wait for eligibility review

Auth0 reviews your request to determine eligibility. Not all requests qualify for an export.

Auth0 does not provide ETAs for eligible exports because fulfillment depends on resource and access availability. If you have a required date, note it in your request.
3. Provide the required documentation

If your request is approved, Auth0 sends a requirements message asking for the following:
  1. Your authorization: a written acknowledgment that you approve the export from the tenant(s) in your request.
  2. An additional tenant admin confirmation: at least one other tenant administrator will be CC’d on the support case and must confirm the request. If you are the sole tenant administrator of a tenant, this step will be skipped.
  3. A signed acknowledgment form: the Hashed Password and MFA Secret Export Acknowledgment form must be signed by a CISO, CSO, or executive-level representative (VP or above) in your organization. Typed names are not accepted; a physical or digital signature is required. Upload the completed form to the support case.
If any of the above is missing or incomplete, your request may not be processed.
4. Wait for export preparation

After Auth0 receives all required documentation, we encrypt and export your tenant data with the PGP public key you provided.
5. Receive your secure download link

You receive an email containing a secure download link. The link:
  • Requires authentication as the user account that opened the support case. Other tenant administrators cannot download the file from this link.
  • Requires that user to still hold the tenant administrator role at the time of download. If they lose the role, the download is blocked and a new request must be submitted.
  • Expires after 3 days. Download the file before it expires. After expiration, you must submit a new request.
6. Download and decrypt

Download the encrypted file (.pgp or .gpg extension) and decrypt it with your PGP private key and the passphrase you set when generating the key:
gpg --output DECRYPTED_EXPORT_FILE --decrypt ENCRYPTED_EXPORT_FILE.pgp
Replace DECRYPTED_EXPORT_FILE with your desired output filename and ENCRYPTED_EXPORT_FILE.pgp with the name of the downloaded file.

Security reminders

  • Never share your private key or passphrase with anyone, including Auth0 or Okta support staff. Auth0 never asks for them.
  • Back up your private key and passphrase securely on an offline device. If lost, you cannot decrypt your export and must submit a new request.
  • Do not share the download link. Although the download requires the case creator to authenticate with an active tenant administrator role, treat the link as confidential.
