Auth0
Non-Unique Emails reached GA, letting multiple accounts share one email address within a database connection for families, shared roles, and multi-account setups.[1]
MCP authentication shipped end-to-end with GA status, bundling Client ID Metadata (CIMD) registration, On-Behalf-Of token exchange, and Resource Parameter compatibility — MCP servers can gate access without shared secrets or over-privileged service accounts.[2]
FGA Permissions Index entered developer preview, pre-computing authorization paths so enterprise search and RAG pipelines can check permissions with a direct lookup instead of traversing the relationship graph at query time.[3] Available now to FGA enterprise customers.
Account API token issuance got step-up authentication via the ACR early access release: Actions-driven policies or a secure-by-default toggle gate sensitive scopes, covering both Universal Login and Embedded flows.[4]
Session-bound refresh tokens landed in beta for SPAs — the online_access scope binds refresh tokens to the originating session, so revoking a session also invalidates its tokens.[5] Compatible with OIDC flows that generate a valid session.
Enterprise connection security expanded: Private Key JWT assertions and additional ID token signing algorithms (RS384, RS512, PS256, PS384, ES256, ES384) reached GA for Okta and OIDC connections.[6]
Across the window, several features crossed GA: Enhanced Security Controls for third-party apps (strict mode, mandatory PKCE, open redirect protection), Resend as a built-in email provider, and Suspicious IP Throttling configuration for Custom Token Exchange.[7][8][9] The dashboard gained a CMD+K command palette, and an empty login_hint forwarding bug was patched for external IdPs that reject empty parameters.[10][11]