Auth0 Security & Privacy

We've built state-of-the-art security into our product, to protect your business and your users.

Trust, Front and Center

Encryption, Password Hashing

Auth0 helps you prevent critical identity data from falling into the wrong hands. We never store passwords as clear text - they are always hashed (and salted) securely using bcrypt. Both data at rest and data in motion are encrypted - all network communication uses TLS with at least 128-bit AES encryption. The connection uses TLS v1.2, and it is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism. Qualys' SSL Labs scored Auth0's SSL implementation as "A+" on their SSL Server Test.

Password Complexity

With Auth0 you can enforce five levels of password complexity, as well as custom rules implementing OWASP recommendations, NIST guidelines and more.
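As an added illustration of what a tiered complexity policy with pluggable custom rules looks like in code (this is example code written for this page, not Auth0's implementation, and the five level thresholds, the denylist and the rule names are constructed assumptions rather than Auth0's published definitions):

```python
import re
from typing import Callable, List, Optional

# Character classes the level definitions count.
LOWER = re.compile(r"[a-z]")
UPPER = re.compile(r"[A-Z]")
DIGIT = re.compile(r"[0-9]")
SPECIAL = re.compile(r"[^A-Za-z0-9]")

# Five constructed levels; thresholds are this example's assumptions.
LEVELS = {
    "none":      dict(min_length=1,  classes=0, no_repeat=False),
    "low":       dict(min_length=6,  classes=0, no_repeat=False),
    "fair":      dict(min_length=8,  classes=3, no_repeat=False),
    "good":      dict(min_length=8,  classes=3, no_repeat=True),
    "excellent": dict(min_length=10, classes=3, no_repeat=True),
}

# A custom rule returns a failure message, or None when the password passes.
Rule = Callable[[str], Optional[str]]


def _class_count(pw: str) -> int:
    return sum(1 for c in (LOWER, UPPER, DIGIT, SPECIAL) if c.search(pw))


def _has_triple_repeat(pw: str) -> bool:
    return re.search(r"(.)\1\1", pw) is not None


def check_password(pw: str, level: str, custom_rules: List[Rule] = ()) -> List[str]:
    """Return every violated requirement; an empty list means the password is accepted.

    Reporting all violations at once (rather than the first) gives the user
    one round-trip to fix the password instead of several.
    """
    spec = LEVELS[level]
    problems = []
    if len(pw) < spec["min_length"]:
        problems.append(f"at least {spec['min_length']} characters")
    if _class_count(pw) < spec["classes"]:
        problems.append(f"at least {spec['classes']} of: lowercase, uppercase, digits, special")
    if spec["no_repeat"] and _has_triple_repeat(pw):
        problems.append("no more than two identical characters in a row")
    for rule in custom_rules:
        msg = rule(pw)
        if msg:
            problems.append(msg)
    return problems


# Example custom rules, in the spirit of the OWASP/NIST guidance the text mentions.
DENYLIST = {"password", "123456", "qwerty", "letmein"}  # constructed, tiny


def not_in_denylist(pw: str) -> Optional[str]:
    return "appears on the common-password denylist" if pw.lower() in DENYLIST else None


def not_containing_username(username: str) -> Rule:
    def rule(pw: str) -> Optional[str]:
        return "must not contain the username" if username.lower() in pw.lower() else None
    return rule


if __name__ == "__main__":
    for candidate in ("abc", "Tr0ubador", "Aaa1bbbb", "password"):
        print(candidate, "->", check_password(candidate, "good", [not_in_denylist]))
```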

Attack Prevention, Mitigation

Auth0 services are architected with high-availability and resilience in mind. Auth0 applications have built-in rate limiting and automated blocking features to mitigate advanced denial of service or authentication attacks. Our network infrastructure is protected against volumetric attacks by our cloud providers, in addition to a dedicated DDoS mitigation service.
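The rate limiting and automated blocking mentioned above can be shown with a small sliding-window throttle that refuses to even evaluate credentials once a source has failed too often. This is an added example for this page, not Auth0's implementation; the thresholds, the "source IP / account" key, and the sample event log are constructed assumptions.

```python
from collections import deque


class LoginThrottle:
    """Per-key failed-login counter with automatic temporary blocking.

    The key is whatever the deployment throttles on (here a constructed
    "source IP/account" string). Thresholds are this example's assumptions.
    """

    def __init__(self, max_failures=5, window_seconds=60.0, block_seconds=300.0):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.block_seconds = block_seconds
        self._failures = {}       # key -> deque of failure timestamps
        self._blocked_until = {}  # key -> timestamp at which the block lifts

    def is_blocked(self, key, now):
        until = self._blocked_until.get(key)
        if until is None:
            return False
        if now >= until:
            # Block expired: forget the history so the key starts clean.
            del self._blocked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def record_failure(self, key, now):
        """Record a failed attempt; return True if this one tripped the block."""
        q = self._failures.setdefault(key, deque())
        while q and now - q[0] > self.window_seconds:
            q.popleft()  # drop failures that fell out of the sliding window
        q.append(now)
        if len(q) >= self.max_failures:
            self._blocked_until[key] = now + self.block_seconds
            return True
        return False

    def record_success(self, key):
        self._failures.pop(key, None)


def process_events(events, throttle=None):
    """Run (timestamp, key, outcome) events through the throttle.

    `outcome` is what the credential check *would* return; the throttle
    decides whether that check is attempted at all. Returns one decision
    per event: failed / blocked / rejected / succeeded.
    """
    throttle = throttle or LoginThrottle()
    decisions = []
    for ts, key, outcome in events:
        if throttle.is_blocked(key, ts):
            decisions.append("rejected")   # credentials never evaluated
        elif outcome == "success":
            throttle.record_success(key)
            decisions.append("succeeded")
        elif throttle.record_failure(key, ts):
            decisions.append("blocked")    # this failure tripped the block
        else:
            decisions.append("failed")
    return decisions


# Constructed sample: five rapid failures against one account from one source,
# an unrelated user logging in, a correct password arriving during the block,
# and another correct password after the block lifts.
SAMPLE_EVENTS = [
    (0,   "203.0.113.7/alice",  "fail"),
    (10,  "203.0.113.7/alice",  "fail"),
    (20,  "203.0.113.7/alice",  "fail"),
    (30,  "203.0.113.7/alice",  "fail"),
    (40,  "203.0.113.7/alice",  "fail"),
    (45,  "198.51.100.9/bob",   "success"),
    (50,  "203.0.113.7/alice",  "success"),
    (400, "203.0.113.7/alice",  "success"),
]

if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, process_events(SAMPLE_EVENTS)):
        print(event, "->", decision)
```

Note that the correct password at t=50 is rejected without being checked: during a block the service reveals nothing about whether the guess was right, which is what stops the attempt from serving as an oracle. Keying on both source and account (rather than account alone) keeps one noisy source from locking a legitimate user out of their own account from elsewhere.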

Secure Infrastructure

Auth0 takes advantage of the industry's most sophisticated, battle-tested infrastructure. We run on hardened Linux hosts with automatic security patching, carefully-configured security groups, segmented VPCs, and role-based access controls, combined with many other advanced protections built into the cloud infrastructure.

Account Verification

Auth0 safeguards your users with default email verification at account creation time and during password resets.

Standards-based Identity

From the start, Auth0 has been built on tested, verified identity standards, including LDAP, SAML, OAuth, OpenID, OpenID Connect, and JSON Web Tokens (JWTs) - all of the common and most popular identity standards. Auth0 participates in standards organizations like the OpenID Foundation. We make it easy to leverage these powerful standards to shield your own applications and APIs.


As a company, Auth0 complies with the General Data Protection Regulation (GDPR).
We take customer data privacy seriously, ensuring that:

  • Personal data is properly collected, stored, and documented.
  • Any usage of personal data is communicated with the proper consent.
  • All new vendors, assets and activities pertaining to processing personal data are subject to a review of privacy, security and compliance.
  • Relevant processes are followed for transfers of personal data outside the European Union.
  • For more information, see our privacy policies here.
We also help our customers provide GDPR compliant solutions to their end-users and customers.

Compliance and Certifications

ISO27001 certified
Auth0 is ISO27001 certified by a third party, managing information security risk in such a way as to comply with a robust design, implementation and continuous monitoring framework.
SOC 2 Type II certified
Auth0 is SOC 2 Type II certified - an independent auditor has evaluated our product, infrastructure, and policies, and certifies that Auth0 complies with their stringent requirements.
EU-US Privacy Shield Framework
Auth0 conforms with the brand-new EU-US Privacy Shield Framework for regulating privacy in data flows between the European Union and the United States. This Framework replaces the EU-US Safe Harbor Framework repudiated in 2015.
ISO27018 certified
Auth0 is ISO27018 certified by a third party, complying with security and privacy guidelines for managing PII as a cloud service provider.
Auth0 offers HIPAA BAA agreements to companies in the healthcare industry that must comply with HIPAA regulations for safeguarding patient privacy and sensitive health information.
We are OpenID Certified
Auth0 conforms to the OpenID Connect protocol, and our products are certified by the OpenID Foundation, of which we are active members. We strive to use open standards and specifications to deliver excellent interoperability for our customers.

Practice What We Preach

It isn't enough to integrate security features into the product itself. Auth0 runs its business using the most up-to-date and effective security procedures, including:

  • Thoroughly documented policies and procedures - complying with SOC2 certification requirements.
  • Regular, in-depth security training for all employees.
  • Background checks and confidentiality agreements for all employees who access Auth0 systems or who might come into contact with customer data.
  • SSO to all systems using a single Auth0 verified identity, with mandatory MFA for this identity. Auth0 does everything it can to avoid systems that authenticate using only passwords without MFA.
  • Mandatory full-disk encryption for all employee laptops and development systems.
  • Formal change control and configuration management following the most stringent and up-to-date secure operational practices - version controlled, traceable, and audited.
  • Independent penetration testing and code audits several times per year, bringing real-world expertise and insight to bear in validating the security of Auth0's implementations and procedures.
  • A well-regarded white hat security reporting program with rewards and recognition for reported vulnerabilities. Contact Auth0's security team directly. Download our PGP key.

  • Comprehensive logging, auditing, and intrusion detection for both product and infrastructure events, machine learning analytics for anomaly detection, and automated tools running around the clock and around the world - all backed by the sharp eyes of our security and DevOps teams.
  • Watching private security mailing lists and alerting systems for threat intelligence - quickly responding to and mitigating potential security issues for our infrastructure and customers, and actively participating in the security research community.
  • An incident response plan to handle those worst-case scenarios - intrusions and security breaches, DDoS attacks, or any other issue. Auth0 can call upon advanced forensics specialists to help put a lid on the damage and safeguard our customers, should something slip through Auth0's defenses.

A Team of Specialists

Why are we so dedicated to leaving no stone unturned in protecting our customers? It's in our DNA. Auth0 was founded and built by some of the foremost security and identity experts in the world - Matias Woloski, Eugenio Pace, and Jared Hanson. Matias and Eugenio have implemented federated identity projects for Fortune 500 companies, and are published authors. Jared is the author of the most popular authentication framework for Node.js: passport.js.

Auth0's CISO, Joan Delilah Pepin, brings 20 years of experience to her role as CISO for Auth0. Her career has spanned a wide variety of industries such as healthcare, manufacturing, defense, ISPs, MSSPs and SaaS/PaaS. Her experience includes technical, operational, and management aspects of security, allowing her to bring highly technical security research expertise to her current interests in security policy management, strategy and thought leadership. She is an expert and thought leader in Cloud Security and Compliance in large-scale and DevOps/CI environments.
