Deprecations and Migrations

We are actively migrating customers to new behaviors for all deprecations listed below. Please review these carefully to ensure you've taken any necessary steps to avoid service disruption. You can also search tenant logs for any errors caused by using deprecated features. To learn more, read Search Logs for Deprecation Errors.

If you have any questions, visit the Migrations section of the Auth0 Community site or create a ticket in our Support Center. To learn more, you can also read Migration Process.

Tenant Hostname Validation

Deprecated: 9 December 2021

End of life: 9 June 2022

As of June 9, 2022, Auth0 will increase the security of API calls by adding a validation step for tenant hostnames to the Authentication API's identification process. When a call is made, the Authentication API will validate the entity identifier (e.g., client_id) of the requesting tenant as well as the tenant name in the URL domain. The tenant that owns the identifier must be the same tenant named in the URL domain, or the request will be rejected.

If your application or API calls any of the listed endpoints, you must configure your API calls so that the identifier of the requesting tenant and the hostname refer to the same tenant:

  • /oauth/token

  • /co/authenticate

  • /userinfo

  • /login

  • /oauth/revoke

  • /mfa/challenge

  • /p/<connection-type>/<ticket> (Enterprise connection provisioning endpoint)

To learn more, read Tenant Hostname Validation Migration.

Opaque Access Token and Authorization Code Fixed Length

Deprecated: 7 October 2021 (Public Cloud), December 2021 (Private Cloud release)

End of life: 12 April 2022 (Public Cloud), June 2022 (Private Cloud release)

Beginning April 12, 2022 and with the December 2021 Private Cloud release, access tokens and authorization codes will be issued with varied lengths. This is in line with the OAuth specification (RFC 6749) and keeps clients from making assumptions about authorization code and access token values. Currently, the access token and authorization code sizes are fixed. The current size of the authorization code is shorter than what some security practitioners recommend. Through this change, Auth0 provides a stronger code and token while also improving the performance of Auth0 systems.

Customers whose systems are configured to rely on a specific authorization code or access token length must change from fixed-size to variable-size configurations before April 12, 2022 or the June 2022 Private Cloud release.

Node.js v8 Extensibility Runtime End of Life

Deprecated: 15 April 2020

End of life: 25 February 2022 (Public Cloud), April 2022 (Private Cloud release)

Beginning 13 December 2019, Node.js v8 was no longer under long-term support (LTS). This means that critical security fixes were no longer back-ported to this version. Customers who are still on Node 8 are out of security compliance and must migrate to Node 12 to eliminate security risks. To learn more about how to migrate your tenant-level Node version from 8 to 12, read Migrate from Node.js 8 to Node.js 12.

Because Node.js v12 is also going out of LTS in 2022, we also highly encourage all customers using Rules and Hooks to migrate to Actions using Node 16 as soon as possible, and before Node 12 support expires formally from the Node.js community on 30 April 2022. To learn more about required migration steps, read Migrate Rules and Hooks to Actions.

Legacy Network Edge Deprecation

Deprecated: 05 May 2021 (Public Cloud)

End of life: 03 November 2021 (Public Cloud)

Auth0 legacy network edge will cease to function on Public Cloud. After 03 November 2021, Public Cloud tenants who have not completed a migration to the new Auth0 network edge will no longer receive traffic. All new custom domains are automatically created on the new network edge.

Unpaginated Management API v2 Request Deprecation

Deprecated: 21 July 2020 (Public Cloud)

End of life: 26 January 2021 (Public Cloud), February 2022 (Private Cloud release)

After 26 January 2021, requests to the following Management API v2 endpoints will return a maximum of 50 items for Public Cloud tenants. To retrieve more items, you must include page and per_page parameters. Beginning on 21 July 2020, Auth0 will display tenant logs and a migration toggle to help you prepare for this change.

Public Cloud tenants are affected if they were created before 21 July 2020 and are actively calling affected endpoints without passing the per_page parameter for queries that can return more than 1 result. Tenants are not affected if they were created after 21 July 2020, are not using the affected endpoints, are using the affected endpoints and passing the per_page parameter, or are making queries that always return only 1 result. To learn more, read Migrate to Management API v2 Endpoint Paginated Queries.
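The following is an added example, not Auth0 code: it shows why a script that lists tenant objects without page and per_page silently sees only the first 50 items, and how a paginated loop recovers the full set. The `get_json` transport, the `fetch_all` and `make_fake_api` helpers, and the `https://tenant.example/api/v2/things` URL are assumptions for illustration; the fake endpoint and its records are constructed sample data.

```python
from urllib.parse import parse_qs, urlencode, urlparse

DEFAULT_CAP = 50  # items returned when page/per_page are omitted (from the notice)


def fetch_all(get_json, base_url, per_page=DEFAULT_CAP, max_pages=1000):
    """Collect every item from a list endpoint by walking page=0,1,2,...

    get_json(url) -> list is a caller-supplied transport (hypothetical name);
    in real use it sends an authenticated GET and decodes the JSON array.
    """
    if per_page < 1:
        raise ValueError("per_page must be at least 1")
    items = []
    for page in range(max_pages):  # the first page is index 0
        query = urlencode({"page": page, "per_page": per_page})
        batch = get_json(f"{base_url}?{query}")
        items.extend(batch)
        if len(batch) < per_page:  # short or empty page: end of the result set
            return items
    raise RuntimeError("max_pages reached; refusing to return a partial list")


def make_fake_api(total):
    """Constructed stand-in for a list endpoint holding `total` records."""
    records = [{"id": f"item_{i}"} for i in range(total)]

    def get_json(url):
        q = parse_qs(urlparse(url).query)
        per_page = int(q.get("per_page", [DEFAULT_CAP])[0])
        page = int(q.get("page", ["0"])[0])
        return records[page * per_page:(page + 1) * per_page]

    return get_json


def compare(total, base_url="https://tenant.example/api/v2/things"):
    """Return (unpaginated_count, paginated_count) for the fake endpoint."""
    api = make_fake_api(total)
    return len(api(base_url)), len(fetch_all(api, base_url))


if __name__ == "__main__":
    print(compare(120))  # unpaginated call is truncated, paginated is complete
```

The loop stops on the first page shorter than per_page, so a result set that is an exact multiple of per_page costs one extra, empty request; max_pages turns a misbehaving endpoint into an error instead of a partial list.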
