Prompt for Organization Name Without SSO
Deprecated: October 31, 2025 End of life: May 1, 2026 Login flows initiated in the context of client applications associated with business users (organization_usage=require) and configured to prompt for the organization at the start of the login flow (organization_require_behavior=pre_login_prompt) will consider an existing authenticated session.
Previously, the service prompted the user for the organization name and the user would subsequently be required to complete a login. For example, a user with a password-based account needed to re-enter their credentials even if an authenticated session was valid for the selected organization.
Unconfirmed Login with Non-Verifiable Callback URI Redirects
Deprecated: October 28th, 2025 End of life: April 28th, 2026 Auth0 recommends the transition to HTTPS-based callbacks using Android App Links and Apple Universal Links whenever possible for all native applications using the Authorization Code Flow to enhance security and mitigate risks of application impersonation and phishing attacks. Additionally, Auth0 is implementing a new login confirmation prompt for authentication requests that utilize custom URI schemes or loopback URIs as the callback. This prompt will appear in situations where a response was previously returned without requiring user interaction.. Review Migrate to Non-Verifiable Callback URI End-User Confirmation to learn more details.Audience Validation for Private Key JWT Authentication
Deprecated: October 6, 2025 End of life: April 8, 2025 When validating JWT assertions used for client application authentication, Auth0 will impose stricter requirements and accept only a tenant’s issuer identifier as a single JSON string value in theaud (audience) claim.
The possibility of providing an aud claim with either one of the approaches listed below is deprecated, and the service will stop supporting them after the end-of-life date:
- A JSON array of strings, provided that one of the entries contains a valid issuer identifier or endpoint URL for the respective tenant and endpoint the client authenticates against.
- A single JSON string representing a valid endpoint URL for the respective tenant and endpoint the client authenticates against.
Extended Attributes in Azure Active Directory (v1) Identity API Connections
Deprecated: June 18, 2025 End of life: September 1, 2025 Due to the Azure AD Graph deprecation and scheduled retirement, Auth0 will no longer support enabling extended attributes-related options in Microsoft Azure AD (strategy=waad) connections configured to use the Azure Active Directory (v1) Identity API.
If you received a notification via email, one or more of your tenants one or more tenants associated with your Auth0 tenant admin user account haa a Microsoft Azure AD connection targeting the Azure Active Directory (v1) identity API and configured to obtain extended attributes and could potentially be impacted.
You must review applicable tenants. For connections dependent on the deprecated functionality, you must either:
- Update connections to target Microsoft Identity Platform (v2) so that Microsoft Graph endpoints are used instead of the deprecated Azure AD Graph when retrieving extended attributes information.
- Turn off all the extended attributes options.
Real-Time Webtask Logs Extension
Deprecated: June 18, 2025 End of life: September 16, 2025 The Real-time Webtask Logs extension is deprecated and has a planned end-of-life (EOL) after September 16, 2025. As a replacement, the Actions Real-time Logs feature is directly available within the Auth0 Dashboard. The extension will cease to be available for new installations, but tenants with the extension already installed will maintain access until the planned EOL.Remove Access to Specific Event Request Properties in Actions
Deprecated: June 18, 2025 End of life: September 16, 2025 Auth0 will restrict access to additional property names within theevent.request.query and event.request.body objects when executing Actions for the post-login and credentials-exchange triggers. Only tenants identified as using Actions to reference request properties planned for restriction will maintain access until September 16, 2025.
The service will restrict the following property names in the request-related objects:
auth_sessionauthn_responseclient_secretclient_assertionrefresh_token
Multiple Actions for Custom Phone and Email Provider Triggers
Deprecated: June 16, 2025 End of life: December 16, 2025 Auth0 is introducing a maximum limit of one Action for Actions associated with the following triggers:custom-phone-providercustom-email-provider
POST - /api/v2/actions/actions). Once the newly introduced limit becomes effective for a given tenant, attempts to create multiple actions for these triggers will fail.
Uncustomizable Brute-force Protection Unblock Email Flow
Deprecated: June 9, 2025 End of life: December 9, 2025 An updated version of the email-based unblock flow for Brute-force Protection supports customization and localization through Universal Login and improves the experience for situations where email security scanners process the unblock email is available.Field fromSandbox in Authentication API Error Responses
Deprecated: June 11, 2025
End of life: December 11, 2025
Authentication API error responses will no longer return the fromSandbox field for flows requiring custom database script invocation. For example, an API error response in the context of an end-user signup flow for a custom database connection will no longer return this field.
Allow Omitting Password on SMTP Email Provider Host-Related Changes
Deprecated: May 13, 2025 End of life: November 13, 2025 When updating a SMTP email provider’s host, port, or username using aPATCH request to the /api/v2/emails/provider endpoint, you may need to specify a password for the credentials.smtp_pass field.
A SMTP email provider’s credentials object supports the following fields:
credentials.smtp_pass: SMTP email provider’s passwordcredentials.smtp_host: SMTP email provider’s hostcredentials.smtp_port: SMTP email provider’s portcredentials.smtp_user: SMTP email provider’s username
credentials.smtp_pass field in the following cases:
- When you’re updating a SMTP email provider’s
credentials.smtp_host,credentials.smtp_port, orcredentials.smtp_userfields with a value that is different from the existing value or updating just a subset of those three fields.
credentials.smtp_pass field in the following cases:
- When you’re updating a SMTP email provider and the request body includes the same values as the existing values for the
credentials.smtp_host,credentials.smtp_port, andcredentials.smtp_userfields.
Unrestricted Offset Pagination in Connections Management API
Deprecated: April 29, 2025 End of life: October 27, 2025 The offset-based pagination available for the Management API get all connections endpoint will no longer support retrieving a paginated result beyond the first 1000 connections. For example, the service will return an error response ifpage=30&per_page=50 or page=15&per_page=100 is used. In both situations, multiplying the number of records requested per page by the requested page index plus one (to account for the page index being zero-based) results in the request surpassing the initial 1000 connections.
Per the above, with a page size of 50, the last page index that you can request without errors is 19 (page=19&per_page=50), and with the maximum page size of 100, you can request up to page index number 9 (page=9&per_page=100).
Conditions that surpass the limit trigger the error even if the tenant associated with the request has fewer than 1000 connections.
Unwarranted Session Removal After Management API User Updates
Deprecated: February 11, 2025 End of life: August 19, 2025 The Update a user endpoint (PATCH /api/v2/users/{id}) will no longer invalidate user sessions for database connection users when:
- The
emailoremail_verifiedattributes are set to an unchanged value. - The
email_verifiedattribute is set to atruevalue.
Node.js 12 and 16 Extensibility Runtimes
Deprecated: February 10, 2025 End of life: August 15, 2025 Node.js 12 and 16 extensibility runtimes will gradually become unavailable across Auth0 tenants. Once removed, all extensibility integrations, such as Actions, Rules, Hooks, Custom Database Connections, and Custom Social Connections, will be forced to run on Node 22. For technical resources relevant to migrating to Node 22, read Migrate from Node 12 and 16 to Node 18 and Migrate from Node 18 to Node 22.Mandatory Use of SNI for HTTPS requests
Deprecated: October 29, 2024 End of life: April 29, 2025 The Auth0 service will mandate using Server Name Indication (SNI) for all HTTPS requests. SNI is an extension to the TLS protocol that allows the client to indicate the hostname to which it intends to connect at the start of the handshake process. Since their creation, the vast majority of our private cloud environments and some of our public cloud environments have enforced the SNI requirement. For example, the CA-1, JP-1, and UK-1 public cloud environments always required SNI. With this change, the SNI requirement will apply to the remaining environments. For more detailed information on environment-specific timelines, read the End-of-Life Rollout for Mandatory Use of SNI for HTTPS Requests article.New Management API Scopes Required for Connection Options
Deprecated: October 24, 2024 End of life: July 8, 2025 Requests to the following Management API endpoints will require theread:connections_options scope to view the options field:
Requests to the following Management API endpoints will require the update:connections_options to modify the options field: