Deprecations and Migrations
We are actively migrating customers to new behaviors for all deprecations listed below. Please review these carefully to ensure you've taken any necessary steps to avoid service disruption. You can also search tenant logs for any errors caused by using deprecated features. For details, see Search Logs for Deprecation Errors.
Legacy TLS Deprecation
Deprecated: January 19, 2021
End of life: TBD
Public Cloud: March 22, 2021
Private Cloud: TBD
Beginning March 22, 2021, the Auth0 network edge will no longer accept TLS 1.0 or TLS 1.1 traffic. These legacy protocols are insecure, with well-known weaknesses and vulnerabilities within the industry. For maximum security, all Auth0 clients must upgrade to TLS 1.2 or later. The exact details and steps required will vary, depending on your application. For further details, see Upgrade to TLS 1.2, what action to take? posted in the Auth0 Community.
Unpaginated Management API v2 Request deprecation
Deprecated: 21 July 2020 (Public Cloud)
End of life: 26 January 2021 (Public Cloud)
After 26 January 2021, requests to the following Management API v2 endpoints will return a maximum of 50 items for Public Cloud tenants. To retrieve more items, you must include per_page parameters. Beginning on 21 July 2020, Auth0 will display tenant logs and a migration toggle to help you prepare for this change.
type query parameter is used)
All Public Cloud tenants created before 21 July 2020 are affected if they are actively calling affected endpoints without passing the per_page parameter for queries that can return more than 1 result. Tenants are not affected if they were created after 21 July 2020, are not using the affected endpoints, are using the affected endpoints and passing the per_page parameter, or are making queries that always return only 1 result. For details, see Migrate to Management API v2 Endpoint Paginated Queries.
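The silent truncation described above, and a paginated walk that avoids it, as an added example (not Auth0 code). The endpoint is a constructed in-memory stand-in, and the zero-based page parameter and all function names are assumptions of this sketch.

```javascript
// Constructed stand-in for an affected list endpoint; no network access.
// Mirrors the behavior described above: without per_page, at most 50 items.
const DEFAULT_CAP = 50;

function makeMockEndpoint(totalItems) {
  const all = Array.from({ length: totalItems }, (_, i) => ({ id: `item_${i}` }));
  return function list(query = {}) {
    if (query.per_page === undefined) return all.slice(0, DEFAULT_CAP);
    const page = query.page || 0; // assumption: zero-based page index
    return all.slice(page * query.per_page, (page + 1) * query.per_page);
  };
}

// Walk pages until a short (or empty) page signals the end of the collection.
function listAll(list, perPage = 50, maxPages = 1000) {
  const items = [];
  for (let page = 0; page < maxPages; page++) {
    const batch = list({ page, per_page: perPage });
    items.push(...batch);
    if (batch.length < perPage) return items;
  }
  throw new Error('page limit reached; refusing to loop forever');
}

// Flags the case worth investigating: an unpaginated call that returned
// exactly the cap, so more items may exist that the caller never saw.
function mayBeTruncated(unpaginatedResult) {
  return unpaginatedResult.length === DEFAULT_CAP;
}
```

An audit or cleanup script that lists every item with a single unpaginated call is the case to look for, since it keeps succeeding while seeing only the first 50 entries.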
Node.js v8 Extensibility Runtime deprecation
Deprecated: 15 April 2020
End of life: TBA
The Webtask engine powering Auth0 extensibility points currently uses Node 8. Beginning 13 December 2019, Node.js v8 was no longer under long-term support (LTS). This means that critical security fixes were no longer back-ported to this version. As such, Auth0 is migrating the Webtask runtime from Node.js v8 to Node.js v12. On 15 April 2020, we made the Node 12 runtime available for extensibility to all public cloud customers. You have been provided a migration switch that allows you to control your environment's migration to the new runtime environment. For details about required migration steps, see Extensibility and Node 12 Migration.
Effective: February 2020
Google Chrome v80 is changing the way it handles cookies. To that end, Auth0 will implement the following changes in the way it handles cookies:
Cookies without the samesite attribute set will be set to
sameSite=none must be secured, otherwise they cannot be saved in the browser's cookie jar
The goal of these changes is to improve security and help mitigate CSRF attacks. For details, see sameSite Cookie Attribute Changes.
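The two cookie rules above, as an added example (not Auth0 code) that classifies Set-Cookie headers the way Chrome 80 treats them: a missing or unrecognized SameSite value is handled as Lax, and SameSite=None without Secure is rejected. The header strings and function names are constructed for illustration.

```javascript
const KNOWN_SAMESITE = new Set(['strict', 'lax', 'none']);

// Parse the cookie name plus the two attributes these rules depend on.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const cookie = {
    name: eq === -1 ? nameValue : nameValue.slice(0, eq),
    secure: false,
    sameSite: null, // null = attribute absent or unrecognized
  };
  for (const attr of attrs) {
    const [rawKey, rawValue = ''] = attr.split('=');
    const key = rawKey.trim().toLowerCase();
    const value = rawValue.trim().toLowerCase();
    if (key === 'secure') cookie.secure = true;
    if (key === 'samesite' && KNOWN_SAMESITE.has(value)) cookie.sameSite = value;
  }
  return cookie;
}

// sentCrossSite: whether the cookie accompanies cross-site subrequests,
// such as a request made from an iframe embedded on another site.
function classify(header) {
  const c = parseSetCookie(header);
  if (c.sameSite === null) {
    return { name: c.name, verdict: 'defaulted-to-lax', sentCrossSite: false };
  }
  if (c.sameSite === 'none' && !c.secure) {
    return { name: c.name, verdict: 'rejected', sentCrossSite: false };
  }
  return { name: c.name, verdict: 'accepted', sentCrossSite: c.sameSite === 'none' };
}

// Constructed sample headers, one per case.
const SAMPLE_HEADERS = [
  'session=abc123; Path=/; HttpOnly',
  'session=abc123; Path=/; SameSite=None',
  'session=abc123; Path=/; Secure; SameSite=None',
  'csrf=x==; Secure; SameSite=Strict',
];

function auditCookies(headers) {
  return headers.map(classify);
}
```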
Management API v1 deprecation
Deprecation: October 2016
End of life:
Public Cloud: 13 July 2020
Private Cloud: November 2020 monthly release
Management API v1 will reach its End of Life in the Public Cloud on 13 July 2020. Management API v1 will be included in the Private Cloud until the November 2020 monthly release, which is the first release that will not include Management API v1. You may be required to take action before that date to ensure no interruption to your service. Notifications have been and will continue to be sent to customers that need to complete this migration. For details, see Management API v1 to v2 Migration.
Clickjacking Protection for Universal Login changes
To prevent clickjacking in cases where you render your login page in an iframe, Auth0 has added an opt-in setting that adds headers. We strongly recommend that you enable it. For details, see Clickjacking Protection for Universal Login Change.
Resource Owner Password /oauth/ro deprecation
Deprecation: 08 July 2017
End of life: TBD
As of 08 July 2017, Auth0 has deprecated the /oauth/ro endpoint for both password and passwordless connections. You can now implement the same functionality using the /oauth/token endpoint. For details, see Resource Owner Password Flow Migration.
Management API endpoints using ID token credentials deprecation
Deprecation: 31 March 2018
End of life: TBD
Auth0 is deprecating the use of ID tokens as credentials to call some of the users and device endpoints and replacing it with the use of access tokens instead. For details, see Migrate to Management API Endpoints with Access Tokens and Migrate to Link User Accounts with Access Tokens.
Deprecation: January 2018
Auth0 has deprecated the use of the auth0-analytics.js library that adds Facebook and Google Analytics integration with Lock. The library listens for events in Lock and passes them to the auth0-tag-manager.js library. It may still function in some legacy cases, but it is no longer maintained. You may need to write custom code to use auth0-tag-manager.js to manage proxy requests to third-party analytics libraries such as Facebook, Twitter, and Google.
Passwordless Endpoint from Confidential Applications deprecation
Auth0 has deprecated the use of the /passwordless/start endpoint from confidential applications when Auth0 cannot authenticate that the call is made on behalf of the application. For details, see Migrate to Passwordless Endpoint from Confidential Applications.