Dashboard Search for Roles is now available in Public Beta, letting users search Roles in real time by ID and name without scrolling paginated lists.
Auth0 Changelog
Third-party applications now work with Auth0 Organizations. Tenant admins can allow or block third-party app access on a per-organization basis, with access blocked by default so existing organizations remain unaffected until explicitly opted in. User consent is scoped per organization, so granting access in one organization does not carry over to another.
Auth0 now supports Google One Tap within the Universal Login prompt, allowing users to sign in with a single tap via a secure identity overlay without manual forms or page redirects.
Auth0 now supports the session_expiry claim for Okta and OIDC-based Enterprise connections, enforcing the minimum of the IdP claim, tenant absolute session expiration, and any expiry set via Actions. When a federated user's access expires at their identity provider, their Auth0 session terminates accordingly.
Auth0 Docs now includes an interactive Tenant Log Catalog where developers can explore Tenant Log event codes and schemas directly, replacing the need to reference flat code lists or GitHub repositories.
New Outbound SCIM Action template for Event Streams pushes user.created, user.updated, and user.deleted events to any SCIM 2.0-compliant downstream application. Includes a ready-to-copy Action template with built-in fault tolerance and template-driven attribute mapping.
Refresh Token Metadata is now generally available for Enterprise customers, allowing up to 25 custom key-value pairs per refresh token via setMetadata in Post-Login Actions and Management API endpoints.
Google Workspace Directory Sync for Groups is now available in Early Access with no enrolment required, adding native assignment of synced groups to Auth0 tenant-level RBAC roles and organization-specific roles.
Dashboard Search for APIs is now in Public Beta, letting users search APIs in real time by ID, identifier, or name without scrolling through paginated lists.
New API endpoints allow granular search and bulk revocation of refresh tokens. The GET endpoint retrieves refresh tokens by user ID or user ID and client ID. The POST endpoint supports revocation by IDs (up to 100), user ID, user ID + client ID, or user ID + client ID + audience. Contact your TAM or open a support ticket to enable this feature.
The machine learning model driving Bot Detection during signup has been updated to lower false-negative rates and intercept more automated traffic while keeping false-positive rates low for valid users. The model now delivers uniform detection accuracy across tenants of all sizes and rolls out automatically to Enterprise tenants with Attack Protection enabled.
Inbound SCIM for Enterprise Connections now supports mapping synced groups to Auth0 roles at tenant level or scoped to organizations, and enterprise customers can self-configure SCIM provisioning for groups directly. Users in synced groups automatically inherit assigned roles globally or workspace-scoped permissions at login when combined with Auto-Membership.
The redesigned dashboard navigation and information architecture is now available in beta, featuring flattened navigation with label-only group headers, pages reorganized around common tasks, and external actions moved to the top bar. Related functionality is grouped together with clearer naming. Existing bookmarks and deep links continue to work with automatic redirects, and all underlying functionality and APIs remain unchanged.
Strict third-party applications now support machine-to-machine access using the client_credentials grant type, including organization-scoped M2M access with explicit grant requirements. M2M access is restricted to applications created manually via the Management API or Dashboard; applications registered via Dynamic Client Registration are excluded.
Dashboard Search for Applications is now available in public beta, allowing users to search and filter applications in real time by name, client ID, external client ID, metadata, application type, and first-party status. Filters can be combined (up to 5), persist in URLs for sharing, and follow Boolean search logic.
You can now customize the RP ID to allow a single Passkey to authenticate users across multiple applications under the same root domain, enabling shared enrollment across subdomains.
Token Vault and the Connected Accounts flow now respect org_id end-to-end, scoping tokens to (user, org_id) pairs so each organization maintains isolated token records. Token Vault exchanges without an org_id claim continue to work as before.
New Credentials Exchange Actions interfaces let you customize scopes considered when the access token is issued, with add/remove and set/clear operations on target scopes. Scope limits increased to 1000 for Credentials Exchange Actions and Post Login Actions.
Custom Token Exchange now supports Delegated Authorization, allowing a principal (support agent, backend service, or AI agent) to perform actions in a user's context while preserving both identities via the standards-based act claim per RFC 8693. Features include actor token parameters, setActor() Action command for explicit delegation control, automatic validation of Auth0 ID tokens as actor tokens, audit trail capture, and support for up to 5 levels of delegation chains.
Tenant Access Control Lists now support matching access rules directly against canonical hostnames, allowing you to lock down backend default domains while keeping custom domains accessible. New connecting IP verification lets you define allowed IPv4 and IPv6 CIDR blocks for infrastructure connecting to the Auth0 edge, and the Tenant ACL attribute limit has increased from 10 to 20 per signal.


