We are excited to announce that the redesigned __Dashboard navigation and information architecture (IA)__ is now available in Beta. This update is the first step toward a more unified platform experience across Auth0, making it faster to find what you need and easier to act on everything across the platform. Alongside the IA changes, this beta also includes a significant visual refresh. ## What's in the Beta ### Flattened navigation - __Label-only group headers__ so every item is visible at a glance, reducing clicks and making pages faster to reach. - __Reorganized around common tasks__ to surface the pages you use most and match the way you actually work. - __External actions__ have moved out of the sidebar and into the top bar, keeping the sidebar focused on tenant configuration. ### Consolidated & renamed pages - __Related functionality grouped together__ to bring common tasks closer together. - __Clearer naming__ to better align functionality across the platform. ### Availability - Existing bookmarks and deep links will continue to work and you'll be automatically redirected to the new page. - This is a navigation, IA, and visual update only. All underlying functionality and APIs remain the same. ## Join the beta! If you're interested in joining the Dashboard Navigation & IA Refresh beta program, please send a request through the [Auth0 Support Center](https://support.auth0.com) or contact your Technical Account Manager (TAM) or Auth0 Sales Executive to help you out with the process.
Auth0 Changelog
We're excited to announce that __Dashboard Search for Applications__ is now available in Public Beta! Find your applications faster without scrolling through paginated lists.  __What's New:__ Dashboard users can now __search and filter applications__ in real time by application name, client ID, external client ID, metadata, application type, and first-party status. - __Multiple filter options__ — Combine up to 5 filters - __Guided filter menu__ with Boolean search logic - __Filters persist in URLs__ for sharing and bookmarking Rolling out progressively to Public Cloud tenants starting this week, with broader availability in the coming weeks. For detailed documentation on search capabilities, visit our [Product documentation](https://www.auth0.com/docs/get-started/auth0-overview/dashboard/search-and-filter-auth0-dashboard).
We're happy to announce that `strict` third-party applications now support machine-to-machine (M2M) access using the `client_credentials` grant type. As you expose your APIs to AI agents and partner backend services that operate without a user in the loop, you need those integrations to work within the same secure-by-default posture as the rest of your third-party application setup. This release makes that possible.  __What's included__: - `client_credentials` grant type support for `strict` third-party applications, available via the Management API and Dashboard. - Organization-scoped M2M access: `strict` third-party applications can request access tokens within the scope of a specific organization, with the same explicit grant requirements that apply to all M2M applications. Learn more about [M2M access for organizations](https://auth0.com/docs/manage-users/organizations/organizations-for-m2m-applications). - M2M access is intentionally restricted to applications created manually via the Management API or Dashboard. Applications registered via Dynamic Client Registration are excluded to prevent uncontrolled token issuance by unvetted third parties. To learn more, visit the [Third-Party Applications documentation](https://auth0.com/docs/get-started/applications/third-party-applications).
Boost Passkey adoption by enabling shared enrollment across subdomains. You can now customize the RP ID to allow a single Passkey to authenticate users across multiple applications under the same root domain. Now GA! Learn more: [Enable and Configure Passkey Authentication for Database Connections](https://auth0.com/docs/authenticate/database-connections/passkeys/configure-passkey-policy) [Native Passkeys for Mobile Applications](https://auth0.com/docs/authenticate/database-connections/passkeys/native-passkeys-for-mobile-applications) [Passkey Authentication for Database Connections](https://auth0.com/docs/authenticate/database-connections/passkeys) -
We're excited to announce the GA release of __Token Vault with Organization Support__! ISVs building multi-tenant B2B SaaS applications and agents on Auth0 Organizations can now use Token Vault to store and exchange third-party tokens within the context of each organization their users belong to. With this release, Token Vault exchanges and the Connected Accounts flow respect `org_id` end-to-end. Tokens are scoped to `(user, org_id)`, so each organization maintains its own token records for a given user and data isolation between organizations is preserved by default. Token Vault exchanges that do not carry an `org_id` claim continue to behave as before. For complete setup instructions and more, refer to our [documentation](https://auth0.com/docs/secure/call-apis-on-users-behalf/token-vault#use-with-organizations)..
We are excited to announce that we are adding __new Credentials Exchange Actions Access Token Scope Interfaces__ and they are now available in [__Early Access__](https://auth0.com/docs/troubleshoot/product-lifecycle/product-release-stages#early-access "Early Access"). These new interfaces allow you to customize the scopes to be considered when the access token is issued by writing __Credentials Exchange Actions__, considering the restrictions based on API and Client Grants definitions. __Early Access__ functionality includes: - __Add/Remove:__ New interfaces to add or remove target scopes from Credentials Exchange Actions. - __Set/Clear:__ Additional interfaces to clear or set target scopes from Credentials Exchange Actions without having to loop through the list of scopes. - __Read:__ The list of target scopes becomes available immediately after being transformed. - __Limits:__ Increased limits to handle up-to 1000 scopes for both __Credentials Exchange Actions__. - __Bonus:__ The limits were also increased for __Post Login Actions__. - __Docs:__ - __Event Object__: [https://auth0.com/docs/customize/actions/explore-triggers/machine-to-machine-trigger/credentials-exchange-event-object#param-target-scopes\](https://auth0.com/docs/customize/actions/explore-triggers/machine-to-machine-trigger/credentials-exchange-event-object#param-target-scopes "Event Object") - __API Object__: [https://auth0.com/docs/customize/actions/explore-triggers/machine-to-machine-trigger/credentials-exchange-api-object#api-transaction\](https://auth0.com/docs/customize/actions/explore-triggers/machine-to-machine-trigger/credentials-exchange-api-object#api-transaction "API Object")
We're excited to announce that __Custom Token Exchange now supports Delegated Authorization__. This release is available to all __Enterprise, B2B Professional, and B2C Professional customers__. Delegated Authorization covers scenarios where a principal (e.g. a human support agent, a backend service, an AI agent) performs actions in the context of a user. Unlike traditional impersonation where the actor's identity is lost, delegated authorization preserves both identities: the `sub` claim identifies the user being acted for, while a standards-based `act` claim (per [RFC 8693](https://www.rfc-editor.org/rfc/rfc8693.html)) identifies who is actually performing the action. Every token carries a verifiable record of the delegation. With the flexibility to define custom actor semantics and authorization logic via Actions, __customers now have the tools to address emerging access patterns, including agentic AI flows, alongside traditional delegation scenarios__ like support tooling and service-to-service chains. Key __highlights__ of this release: - Actor token parameters: Pass `actor_token` and `actor_token_type` to convey the acting party's credential - `setActor()` Action command: Developers explicitly control when and how delegation `act` claim is included in tokens via the new `setActor()` method - Auth0 ID tokens as actor tokens: Automatic validation when the actor is an Auth0-managed user - Audit trail: Actor identity captured in tenant logs for compliance and traceability - Nesting support: Up to 5 levels of delegation chains for multi-hop service scenarios To learn more, visit the [Custom Token Exchange documentation](https://auth0.com/docs/authenticate/custom-token-exchange). 
We have enhanced Tenant Access Control Lists (ACLs) to provide granular control over upstream proxy infrastructure and canonical domain routing. With this update, you can now isolate traffic by enforcing distinct rules on your canonical hostnames while keeping your user-facing custom domains open. ##### What's New? * **Canonical Hostname Routing** * Match access rules directly against your canonical hostnames. This allows you to lock down backend default domains while keeping customer-facing custom domains open and accessible to your users. * **Connecting IP Verification** * Define precise allowed IPv4 and IPv6 CIDR blocks for the infrastructure (such as reverse proxies or content delivery networks) connecting directly to the Auth0 edge. * **Expanded Attribute Quotas** * The limit for Tenant ACL attributes has been increased from 10 to 20 per signal, giving you the additional flexibility needed to scale complex, multi-domain configurations seamlessly. ##### Resources To learn more about Tenant ACLs, click [here](https://auth0.com/docs/secure/tenant-access-control-list)
Federated Logout is now generally available for OIDC and Okta enterprise connections. When a user logs out with `?federated` appended to the logout URL, Auth0 calls the upstream identity provider's `end_session_endpoint` to terminate the IdP session, closing the gap where a lingering IdP session could silently re-authenticate the user on their next login attempt. Note: if federated logout is attempted without providing an `end_session_endpoint`, federated logout will not be able to be completed, and a `federated_logout_failed` tenant log will be generated. The user will be successfully logged out of Auth0 and redirected back to the application, just as with a standard (non-federated) logout. With federated logout: - Auth0 takes the burden off customers by handling IdP session termination - Customers simply indicate if the IdP session should be ended when the Auth0 logout endpoint is reached — no extra setup needed for compliant IdPs - Employers and employees have peace of mind that their data is not accessible when they logout from their applications This feature is available on all plans that include enterprise connections. Read the [documentation](https://auth0.com/docs/authenticate/login/logout/log-users-out-of-idps ) to learn more.
Demonstrating Proof of Possession (DPoP) sender constraining for Enterprise Connections is now generally available. Customers can now establish Okta and OIDC Enterprise Connections with DPoP enabled on those connections. This is available on all plans with Enterprise Connections. DPoP for Enterprise Connections enables Auth0 to generate DPoP proofs when performing token exchange and calling userinfo endpoints on upstream OIDC and/or Okta connections. DPoP is a core building block of FAPI2 and IPSIE (Identity Proofing and Secure Identity Exchange) ecosystems. It provides a lightweight, standards-based way to enforce proof-of-possession (of a private key) without the operational overhead of mTLS token binding. Please see [product documentation](https://auth0.com/docs/authenticate/enterprise-connections/enable-dpop-enterprise-connections) for further details.
You can now delegate tenant-level user management with the **Tenant Manager** role. This allows you to offload day-to-day administrative tasks from Team Owners to dedicated managers, providing the autonomy they need without exposing sensitive configuration settings. **Key capabilities:** * **Independent administration:** Directly invite, update, and revoke tenant members without escalating to Team Owners. * **Scoped permissions:** Access is limited strictly to assigned tenants; sensitive configurations—such as connections and security logs—remain restricted to Team Owners. * **Audit trails:** All management actions are captured in Team Activity logs for full compliance and visibility. **Use cases:** * **Regional autonomy:** Empower regional leads to manage their own tenant members without granting visibility into other regional or global tenants. * **Separation of duties:** Delegate administrative tasks to specific departments while centralizing control of critical security settings at the account level. [Learn more about Teams Roles and Responsibilities](https://auth0.com/docs/get-started/auth0-teams/team-member-management#team-membership-role-comparison).
We have introduced a Dashboard configuration interface for Suspicious IP Throttling, specifically for Custom Token Exchange. This update allows administrators to easily set thresholds to throttle high-velocity traffic from suspicious IP addresses during the token exchange process. Learn more about Custom Token Exchange attack protection [here](https://auth0.com/docs/authenticate/custom-token-exchange/cte-attack-protection)
Non-Unique Emails is now Generally Available (GA) for all Auth0 customers. This feature allows multiple user accounts to share the same email address within a database connection, supporting real-world use cases like families, small businesses, and multi-role users who need separate accounts tied to the same email.
Key Details:
- Available on new database connections only (cannot be enabled on existing connections).
- Requires a different primary identifier (username or phone number) to uniquely distinguish users.
- All email communications (verification, password reset, etc.) are still sent to the shared email address.
- Once enabled on a connection, the non-unique email setting is permanent.
Documentation: Non-Unique Emails
Non-Unique Emails is now Generally Available (GA) for all Auth0 customers. This feature allows multiple user accounts to share the same email address within a database connection, supporting real-world use cases like families, small businesses, and multi-role users who need separate accounts tied to the same email.
Key Details:
- Available on new database connections only (cannot be enabled on existing connections).
- Requires a different primary identifier (username or phone number) to uniquely distinguish users.
- All email communications (verification, password reset, etc.) are still sent to the shared email address.
- Once enabled on a connection, the non-unique email setting is permanent.
Documentation: Non-Unique Emails
Auth0's ACR EA release empowers you to secure Account API token issuance by enforcing step-up authentication for sensitive scopes. Whether your users are managing their authentication factors via Universal Login or Embedded flows, you can now gate access through Actions-driven policies or enable a secure-by-default toggle. This ensures stronger security for self-service account management while maintaining a seamless experience for low-risk actions. Learn more here: API Settings Auth0 Docs My Account API Docs
Auth0's ACR EA release empowers you to secure Account API token issuance by enforcing step-up authentication for sensitive scopes. Whether your users are managing their authentication factors via Universal Login or Embedded flows, you can now gate access through Actions-driven policies or enable a secure-by-default toggle. This ensures stronger security for self-service account management while maintaining a seamless experience for low-risk actions. Learn more here: API Settings Auth0 Docs My Account API Docs
We are excited to announce that our new feature "Online refresh tokens" is now available to all customers in Beta. This powerful new feature is designed to simplify token management and modernize your application architecture, especially for Single Page Applications (SPAs) allowing you to bind refresh tokens to the sessions they originated from, which provides seamless and consistent continuation of a session when cookies are affected by the browser vendor behaviour across different applications.
What's in the Beta
✨ New configuration options
- Configure specific audiences to provide Online refresh tokens - online refresh tokens configuration is now available under the API > settings page
🔒 Applications Integration
- New scope — Request the new online_access scope to receive your online refresh tokens, which will be bound to the session
- Refresh tokens normally — Online refresh tokens will continue your application access while the session exists
- Revoke a session, revoke its refresh tokens — Once the session is revoked, all its online refresh tokens become invalid, too
🚀 Availability
- Since online refresh tokens lifecycle is entirely based on their underlying session, online refresh tokens can be issued only in OIDC flows that generate a valid session and can return refresh tokens
- Following OIDC standards, implicit sessions that do generate a session but shall not return a refresh token, will not provide online refresh tokens either
Documentation Links
Online refresh tokens documentation
Join the beta!
If you're interested in joining the online refresh token beta program, please send a request through the Auth0 Support Center or contact your Technical Account Manager (TAM) or Auth0 Sales Executive to help you out with the process
We are excited to announce that our new feature "Online refresh tokens" is now available to all customers in Beta. This powerful new feature is designed to simplify token management and modernize your application architecture, especially for Single Page Applications (SPAs) allowing you to bind refresh tokens to the sessions they originated from, which provides seamless and consistent continuation of a session when cookies are affected by the browser vendor behaviour across different applications.
What's in the Beta
✨ New configuration options
- Configure specific audiences to provide Online refresh tokens - online refresh tokens configuration is now available under the API > settings page
🔒 Applications Integration
- New scope — Request the new online_access scope to receive your online refresh tokens, which will be bound to the session
- Refresh tokens normally — Online refresh tokens will continue your application access while the session exists
- Revoke a session, revoke its refresh tokens — Once the session is revoked, all its online refresh tokens become invalid, too
🚀 Availability
- Since online refresh tokens lifecycle is entirely based on their underlying session, online refresh tokens can be issued only in OIDC flows that generate a valid session and can return refresh tokens
- Following OIDC standards, implicit sessions that do generate a session but shall not return a refresh token, will not provide online refresh tokens either
Documentation Links
Online refresh tokens documentation
Join the beta!
If you're interested in joining the online refresh token beta program, please send a request through the Auth0 Support Center or contact your Technical Account Manager (TAM) or Auth0 Sales Executive to help you out with the process
What's Changing:
We are fixing an issue where Auth0 was including an empty login_hint query parameter when redirecting users to external identity providers. Going forward, login_hint will only be included in the authorization request when a value is actually present.
Why This Matters: Some external OAuth providers strictly validate request parameters and reject authorization requests that contain empty parameter values. This caused authentication failures for customers whose upstream identity providers do not tolerate empty login_hint values — particularly in scenarios where customers do not control the external IdP and cannot modify its validation behavior.
Rollout Timing: This fix will be rolled out progressively over the next 1–2 weeks.
Action Required: No action is required from customers. If you previously implemented a workaround by overriding connection parameters to suppress the empty login_hint, you may optionally remove that override after confirming the fix is active in your environment.
We are excited to announce Auth for MCP is now Generally Available.
Auth for MCP gives you a straightforward way to add authentication and authorization to any MCP server, so you control exactly who gets access, and what they get access to. Implement authentication, CIMD registration, and OBO token exchange for AI agents.
Auth for MCP is a product capability that uses the combination of the following features:
Client ID Metadata (CIMD) Registration (GA)
For MCP clients to connect to MCP servers, they need to identify themselves. But how does a server trust a new client it's never seen? The MCP spec solves this by recommending the use of CIMD: each client hosts a document containing its metadata at a URL that identifies the client. In Auth0, tenant admins provide that URL, and Auth0 fetches the metadata, validates it, and displays it for confirmation before creating the client. You get control over which clients can access your MCP server ensuring no surprise registrations.
On-Behalf-Of Token Exchange (GA)
After a user's agent authenticates with an MCP server and issues a request, it needs to call another API like a Salesforce instance or HR system to finish the job. The question is: how does that second API know the request is legitimate and who it's actually for? On-Behalf-Of Token Exchange lets MCP servers trade the user’s access token for one that works with the downstream API, scoped correctly and still tied to the original user. No shared secrets, no service accounts with too much power. And full auditing and visibility into every action.
Resource Parameter Compatibility Mode (GA)
The MCP spec uses "resource" identifiers to indicate which server an agent wants to talk to, rather than the "audience" parameter that OAuth has traditionally used. Auth0 now supports this natively, allowing MCP implementations to stay spec-compliant without workarounds or translation layers.
Enhanced Security Controls for Third-Party Applications (GA)
As you open your APIs to AI agents, partners, and developer ecosystems, third-party applications need to be secure by default. The recently shipped Enhanced Security Controls gives third-party apps a production-ready, secure-by-default posture, with the control you need over what external applications can access.
