Deprecations and Migrations

We are actively migrating customers to new behaviors for all deprecations listed below. Please review these carefully to ensure you've taken any necessary steps to avoid service disruption. You can also search tenant logs for any errors caused by using deprecated features. To learn more, read Search Logs for Deprecation Errors.

If you have any questions, visit the Community or create a ticket in our Support Center. To learn more, you can also read Migration Process.

Deprecated: June 18, 2025

End of life: September 16, 2025

The service will restrict access to additional property names within the event.request.query and event.request.body objects when executing actions for the post-login and credentials-exchange triggers. Only tenants identified as using actions that may reference request properties planned for restriction will maintain access until September 16, 2025.

The service will restrict the following property names in the request-related objects:

• auth_session

• authn_response

• client_secret

• client_assertion

• refresh_token

Deprecated: May 13, 2025

End of life: November 13, 2025

When updating a SMTP email provider’s host, port, or username using a PATCH request to the /api/v2/emails/provider endpoint, you may need to specify a password for the credentials.smtp_pass field.

A SMTP email provider’s credentials object supports the following fields:

• credentials.smtp_pass: SMTP email provider’s password

• credentials.smtp_host: SMTP email provider’s host 

• credentials.smtp_port: SMTP email provider’s port 

• credentials.smtp_user: SMTP email provider’s username

Auth0 requires an explicit value for the credentials.smtp_pass field in the following cases:

• When you’re updating a SMTP email provider’s credentials.smtp_host, credentials.smtp_port, or credentials.smtp_user fields with a value that is different from the existing value or updating just a subset of those three fields.

Auth0 does not require an explicit value for the credentials.smtp_pass field in the following cases:

• When you’re updating a SMTP email provider and the request body includes the same values as the existing values for the credentials.smtp_host, credentials.smtp_port, and credentials.smtp_user fields. 

Deprecated: February 11, 2025

End of life: August 19th, 2025

The Management API Update a user endpoint (PATCH /api/v2/users/{id}) will no longer invalidate user sessions for database connection users when:

• The email or email_verified attributes are set to an unchanged value.

• The email_verified attribute is set to a true value.

Deprecated: October 24, 2024

End of life: April 24, 2025

Requests to the following Management API endpoints will require the read:connections_options scope to view the options field:

• Connections > Get all connections

• Connections > Get a connection

Requests to the following Management API endpoints will require the update:connections_options to modify the options field:

• Connections > Update a connection

Deprecated: July 30, 2024

End of life: January 31, 2025

Management API endpoints for connections (GET, POST, and PATCH) will no longer allow retrieving or setting values for the following protected properties in the context of the options object for non-custom social connections:

• authorizationURL

• tokenURL

• userInfoUrl

• baseUrl

• userAuthorizationURL

• grant_type

Non-custom social connections refer to any social connection whose implementation logic is controlled entirely within the Auth0 service itself. This category excludes any connections explicitly created as custom social connectors or those available as Marketplace integrations that rely on custom social connection functionality.  

Deprecated: September 4, 2024

End of life: October 4, 2024

Starting October 4, 2024, Auth0 will no longer automatically redirect API requests using unencrypted HTTP to secure HTTPS and will respond with an error. To avoid any disruption in service, update any HTTP URLs you use or publish to use HTTPS instead.

Deprecated: March 7, 2024

End of life: September 10, 2024

Auth0 is updating the Management API scopes for the User-Roles endpoint (POST /api/v2/users/{id}/roles) to represent their intended permissions. Currently, roles can be assigned to users with read:roles scope via the Management API. This capability is being deprecated, and role updates will require the create:role_members scope.

Deprecated: April 25, 2024

End of life: October 10, 2024

New applications created in Auth0 will have cross-origin authentication disabled by default. Calls to some Management API endpoints (Get Clients, Get Client by ID) will need to be modified to use cross_origin_authentication.

Deprecated: May 16, 2023

Read-only transition: November 18, 2024

End-of-life: TBA

On November 18, 2024, active Rules and Hooks will continue to execute, but will degrade to read-only mode. Auth0 has delayed the removal of Rules and Hooks functionality to a future date.

Read-only Rules and Hooks can be turned on and off and their respective configuration values or secrets can be modified, but their source code cannot be edited via the Dashboard or Management API, including CI/CD tooling like Terraform and Auth0 Deploy CLI.

If you will be unable to migrate to Actions ahead of the read-only transition, ensure that any automated CI/CD flow you have configured to deploy tenant configuration changes does not attempt to perform unsupported management operations on Rules and Hooks.

For more information, read Migrate from Rules to Actions and Migrate from Hooks to Actions.

Deprecated: August 23, 2024

End of Life: July 31st, 2025

On February 23rd, 2025, Auth0 will remove the ability to use the legacy, non-compliant UI for Universal Login. The new WCAG compliant version ensures that end users, including those who rely on assistive technology, can access and engage with a customer’s product or service. Read our Universal Login Accessibility documentation for more information.

• Migration Process
• Past Migrations
• Deprecation Errors
• Check for Deprecation Errors