releases.shpreview

Auth0 Changelog

Mon
Wed
Fri
JulAugSepOctNovDecJanFebMarAprMayJunJul
Less
More
Releases71Avg22/mo

Third-party applications now work with Auth0 Organizations. Tenant admins can allow or block third-party app access on a per-organization basis, with access blocked by default so existing organizations remain unaffected until explicitly opted in. User consent is scoped per organization, so granting access in one organization does not carry over to another.

Read more →

Auth0 now supports the session_expiry claim for Okta and OIDC-based Enterprise connections, enforcing the minimum of the IdP claim, tenant absolute session expiration, and any expiry set via Actions. When a federated user's access expires at their identity provider, their Auth0 session terminates accordingly.

Read more →

New Outbound SCIM Action template for Event Streams pushes user.created, user.updated, and user.deleted events to any SCIM 2.0-compliant downstream application. Includes a ready-to-copy Action template with built-in fault tolerance and template-driven attribute mapping.

Read more →

New API endpoints allow granular search and bulk revocation of refresh tokens. The GET endpoint retrieves refresh tokens by user ID or user ID and client ID. The POST endpoint supports revocation by IDs (up to 100), user ID, user ID + client ID, or user ID + client ID + audience. Contact your TAM or open a support ticket to enable this feature.

Read more →

The machine learning model driving Bot Detection during signup has been updated to lower false-negative rates and intercept more automated traffic while keeping false-positive rates low for valid users. The model now delivers uniform detection accuracy across tenants of all sizes and rolls out automatically to Enterprise tenants with Attack Protection enabled.

Read more →

Inbound SCIM for Enterprise Connections now supports mapping synced groups to Auth0 roles at tenant level or scoped to organizations, and enterprise customers can self-configure SCIM provisioning for groups directly. Users in synced groups automatically inherit assigned roles globally or workspace-scoped permissions at login when combined with Auto-Membership.

Read more →

The redesigned dashboard navigation and information architecture is now available in beta, featuring flattened navigation with label-only group headers, pages reorganized around common tasks, and external actions moved to the top bar. Related functionality is grouped together with clearer naming. Existing bookmarks and deep links continue to work with automatic redirects, and all underlying functionality and APIs remain unchanged.

Read more →

Strict third-party applications now support machine-to-machine access using the client_credentials grant type, including organization-scoped M2M access with explicit grant requirements. M2M access is restricted to applications created manually via the Management API or Dashboard; applications registered via Dynamic Client Registration are excluded.

Read more →

Dashboard Search for Applications is now available in public beta, allowing users to search and filter applications in real time by name, client ID, external client ID, metadata, application type, and first-party status. Filters can be combined (up to 5), persist in URLs for sharing, and follow Boolean search logic.

Read more →

Custom Token Exchange now supports Delegated Authorization, allowing a principal (support agent, backend service, or AI agent) to perform actions in a user's context while preserving both identities via the standards-based act claim per RFC 8693. Features include actor token parameters, setActor() Action command for explicit delegation control, automatic validation of Auth0 ID tokens as actor tokens, audit trail capture, and support for up to 5 levels of delegation chains.

Read more →

Tenant Access Control Lists now support matching access rules directly against canonical hostnames, allowing you to lock down backend default domains while keeping custom domains accessible. New connecting IP verification lets you define allowed IPv4 and IPv6 CIDR blocks for infrastructure connecting to the Auth0 edge, and the Tenant ACL attribute limit has increased from 10 to 20 per signal.

Read more →
Last Checked
10m ago
Latest
Jul 14, 2026
Tracking since Sep 25, 2024