Deprecations and Migrations
We are actively migrating customers to new behaviors for all Deprecations listed below. Please review these carefully to ensure you've taken any necessary steps to avoid service disruption. You can also search tenant logs for any errors caused by using deprecated features. For details, see Search Logs for Deprecation Errors.
Unpaginated Management API v2 Request deprecation
Deprecated: 21 July 2020 (Public Cloud)
End of life: 26 January 2021 (Public Cloud)
After 26 January 2021, requests to the following Management API v2 endpoints will return a maximum of 50 items for Public Cloud tenants. To retrieve more items, you must include
per_page parameters. Beginning on 21 July 2020, Auth0 will display tenant logs and a migration toggle to help you prepare for this change.
typequery parameter is used)
All Public Cloud tenants are affected that are created before 21 July 2020 and are actively calling affected endpoints without passing the
per_page parameter for queries that can return more than 1 result. Tenants are not affected if they are created after 21 July 2020, are not using the affected endpoints, are using the affected endpoints and passing the
per_page parameter, or are making queries that always return only 1 result. For details, see Migrate to Management API v2 Endpoint Paginated Queries.
Node.js v8 Extensibility Runtime deprecation
Deprecated: 15 April 2020
End of life: TBA
The Webtask engine powering Auth0 extensibility points currently uses Node 8. Beginning 13 December 2019, Node.js v8 was no longer under long-term support (LTS). This means that critical security fixes were no longer back-ported to this version. As such, Auth0 is migrating the Webtask runtime from Node.js v8 to Node.js v12. On 15 April 2020, we made the Node 12 runtime available for extensibility to all public cloud customers. You have been provided a migration switch that allows you to control your environment's migration to the new runtime environment. For details about required migration steps, see Extensibility and Node 12 Migration.
Effective: February 2020
Google Chrome v80 is changing the way it handles cookies. To that end, Auth0 will implement the following changes in the way it handles cookies:
Cookies without the
samesiteattribute set will be set to
sameSite=nonemust be secured, otherwise they cannot be saved in the browser's cookie jar
The goal of these changes is to improve security and help mitigate CSRF attacks. For details, see sameSite Cookie Attribute Changes.
Management API v1 deprecation
Deprecation: October 2016
End of life:
Public Cloud: 13 July 2020
Private Cloud: November 2020 monthly release
Management API v1 will reach its End of Life in the Public Cloud on 13 July 2020. Management API v1 will be included in the Private Cloud until the November 2020 monthly release, which is the first release that will not include Management API v1. You may be required to take action before that date to ensure no interruption to your service. Notifications have been and will continue to be sent to customers that need to complete this migration. For details, see Management API v1 to v2 Migration.
Clickjacking Protection for Universal Login changes
To prevent clickjacking, in cases where you render your login page in an iframe, Auth0 has added an opt-in to add headers which we strongly recommend you to enable. For details, see Clickjacking Protection for Universal Login Change.
Resource Owner Password /oauth/ro deprecation
Deprecation: 08 July 2017
End of life: TBD
As of 08 July 2017 Auth0 has deprecated the /oauth/ro endpoint for both password and passwordless connections. You can now implement the same functionality using the /oauth/token endpoint. For details, see Resource Owner Password Flow Migration.
Management API endpoints using ID token credentials deprecation
Deprecation: 31 March 2018
End of life: TBD
Auth0 is deprecating the use of ID tokens as credentials to call some of the users and device endpoints and replacing it with the use of access tokens instead. For details, see Migrate to Management API Endpoints with Access Tokens and Migrate to Link User Accounts with Access Tokens.
Passwordless Endpoint from Confidential Applications deprecation
Auth0 has deprecated the use of the /passwordless/start endpoint from confidential applications when Auth0 cannot authenticate that the call is made on behalf of the application. For details, see Migrate to Passwordless Endpoint from Confidential Applications.