Deprecations and Migrations

We are actively migrating customers to new behaviors for all deprecations listed below. Please review these carefully to ensure you've taken any necessary steps to avoid service disruption. You can also search tenant logs for any errors caused by using deprecated features. For details, see Search Logs for Deprecation Errors.

If you have any questions, visit the Migrations section of the Auth0 Community site or create a ticket in our Support Center. For details, you can also see Migration Process.

Deprecated: January 19, 2021

End of life: TBD

Public Cloud: March 22, 2021
Private Cloud: TBD

Beginning March 22, 2021, the Auth0 network edge will no longer accept TLS 1.0 or TLS 1.1 traffic. These legacy protocols are insecure, with well-known weaknesses and vulnerabilities within the industry. For maximum security, all Auth0 clients must upgrade to TLS 1.2 or later. The exact details and steps required will vary, depending on your application. For further details, see Upgrade to TLS 1.2, what action to take? posted in the Auth0 Community.

Deprecated: 21 July 2020 (Public Cloud)

End of life: 26 January 2021 (Public Cloud)

After 26 January 2021, requests to the following Management API v2 endpoints will return a maximum of 50 items for Public Cloud tenants. To retrieve more items, you must include page and per_page parameters. Beginning on 21 July 2020, Auth0 will display tenant logs and a migration toggle to help you prepare for this change.

GET /api/v2/clients
GET /api/v2/client-grants
GET /api/v2/grants
GET /api/v2/connects
GET /api/v2/device-crecentials (when the type query parameter is used)
GET /api/v2/resource-servers
GET /api/v2/rules

All Public Cloud tenants are affected that are created before 21 July 2020 and are actively calling affected endpoints without passing the per_page parameter for queries that can return more than 1 result. Tenants are not affected if they are created after 21 July 2020, are not using the affected endpoints, are using the affected endpoints and passing the per_page parameter, or are making queries that always return only 1 result. For details, see Migrate to Management API v2 Endpoint Paginated Queries.

Deprecated: 15 April 2020

End of life: TBA

The Webtask engine powering Auth0 extensibility points currently uses Node 8. Beginning 13 December 2019, Node.js v8 was no longer under long-term support (LTS). This means that critical security fixes were no longer back-ported to this version. As such, Auth0 is migrating the Webtask runtime from Node.js v8 to Node.js v12. On 15 April 2020, we made the Node 12 runtime available for extensibility to all public cloud customers. You have been provided a migration switch that allows you to control your environment's migration to the new runtime environment. For details about required migration steps, see Extensibility and Node 12 Migration.

Effective: February 2020

Google Chrome v80 is changing the way it handles cookies. To that end, Auth0 will implement the following changes in the way it handles cookies:

Cookies without the samesite attribute set will be set to lax
Cookies with sameSite=none must be secured, otherwise they cannot be saved in the browser's cookie jar

The goal of these changes is to improve security and help mitigate CSRF attacks. For details, see sameSite Cookie Attribute Changes.

Deprecation: October 2016

End of life:

Public Cloud: 13 July 2020
Private Cloud: November 2020 monthly release

Management API v1 will reach its End of Life in the Public Cloud on 13 July 2020. Management API v1 will be included in the Private Cloud until the November 2020 monthly release, which is the first release that will not include Management API v1. You may be required to take action before that date to ensure no interruption to your service. Notifications have been and will continue to be sent to customers that need to complete this migration. For details, see Management API v1 to v2 Migration.

To prevent clickjacking, in cases where you render your login page in an iframe, Auth0 has added an opt-in to add headers which we strongly recommend you enable. For details, see Clickjacking Protection for Universal Login Change.

Deprecation: 08 July 2017

End of life: TBD

As of 08 July 2017 Auth0 has deprecated the /oauth/ro endpoint for both password and passwordless connections. You can now implement the same functionality using the /oauth/token endpoint. For details, see Resource Owner Password Flow Migration.

Deprecation: 31 March 2018

End of life: TBD

Auth0 is deprecating the use of ID tokens as credentials to call some of the users and device endpoints and replacing it with the use of access tokens instead. For details, see Migrate to Management API Endpoints with Access Tokens and Migrate to Link User Accounts with Access Tokens.

Deprecation: January 2018

Auth0 has deprecated the use of the auth0-analytics.js library that adds Facebook and Google Analytics integration with Lock. It listens for events in Lock and passes them to the Auth0-tag-manager.js library. It may still function in some legacy cases. This library is no longer maintained. You may need to write custom code to use auth0-tag-manage.js to manage proxy requests to third-party analytics libraries such as Facebook, Twitter, and Google.

Auth0 has deprecated the use of the /passwordless/start endpoint from confidential applications when Auth0 cannot authenticate that the call is made on behalf of the application. For details, see Migrate to Passwordless Endpoint from Confidential Applications.

Docs