---
name: Auth0 Changelog
slug: auth0-changelog
type: feed
source_url: https://auth0.com/changelog
organization: Auth0
organization_slug: auth0
total_releases: 1034
latest_date: 2026-04-17
last_updated: 2026-04-18
tracking_since: 2024-09-25
canonical: https://releases.sh/auth0/auth0-changelog
organization_url: https://releases.sh/auth0
---
Auth0 shipped substantial changes across token management, B2B admin tools, and enterprise security in Q1 2026. Multi-Resource Refresh Tokens graduated from Early Access to GA, bringing dashboard configuration and Client Grants enforcement so teams can manage policies for multiple APIs from a single refresh token. The My Organization API and embeddable UI components launched in Early Access, providing B2B SaaS developers pre-built admin portals for organization and IdP management without custom frontend work. On the security side, DPoP for Enterprise Connections entered Early Access for Okta and OIDC upstream connections, while Akamai Supplemental Signals went GA across the full auth lifecycle, enabling bot detection at signup, registration, and password reset—moving threat assessment earlier in the pipeline. Multiple Custom Domains reached GA for Enterprise customers wanting multi-branded login flows from a single tenant, and the new Spring Boot API SDK shipped with built-in JWT validation and flexible DPoP enforcement modes for backend applications.
Auth0 advanced authentication flexibility and token security this month. The dashboard got a purpose-built editor for customizing signup and login screens with syntax highlighting and live preview, now supporting passkeys and custom database connections. On the security side, DPoP token binding graduated to GA on Enterprise plans, SAML and WS-Fed flows now rotate session IDs to align with OAuth2/OIDC practices (a breaking change for implementations storing session identifiers), and the new Spring Boot API SDK shipped with built-in JWT validation and DPoP support for Java 17+. Actions Transaction Metadata also reached GA, letting developers share custom data across post-login execution steps.
## Delegated Administration Extension
__v4.8.1 — Custom Domain Hook__
Added support for a new [Custom Domain Hook](https://auth0.com/docs/customize/extensions/delegated-administration-extension/delegated-administration-hooks/delegated-administration-custom-domain-hook) in the Delegated Administration Extension. This hook allows you to customize behavior when [Multiple Custom Domains](https://auth0.com/docs/customize/custom-domains/multiple-custom-domains) are in use.
__v4.8.3 — Compatibility fix for deprecation of enabled_clients on connections__
The extension has been updated to remove its dependency on the deprecated enabled_clients field on connections. If your tenant uses the Delegated Administration Extension, you may have been seeing deprecation warning errors in your tenant logs. This release resolves that.
__Action recommended before July 15:__ Auth0 is deprecating legacy management of a connection's enabled clients. See the [deprecation notice](https://auth0.com/docs/troubleshoot/product-lifecycle/deprecations-and-migrations#legacy-management-of-connection's-enabled-clients) for full details. Updating to v4.8.3 ensures the extension is compatible with this change.
__Upgrading__
Not on v4.8.x: Manually update the extension in your Auth0 tenant by navigating to Extensions → Installed Extensions, locating the Delegated Administration Extension, and clicking Update.
Already on v4.8.x: No action required — the patch has been automatically applied.
## Google Workspace Directory Sync for Groups - Expanded Early Access (EA)
We are excited to announce the next phase of our __Google Workspace Directory Sync for Groups__ Early Access!
Building on our initial Early Access [release](https://auth0.com/changelog#6WhEr0c0yB3K5oh7jiPADP), this update introduces __Partial Group Sync__, giving you exact control over which Enterprise Groups to import from your Google Workspace Directory into Auth0.
__What's new:__
- Targeted Group Sync: Instead of syncing your entire directory, you can now choose to synchronize only a specific subset of your Google Workspace groups. Easily manage your selected groups through either the Management Dashboard or Management API.
__How to join Early Access:__
To join the EA program, please complete the [EA Terms & Conditions form](https://forms.gle/9MK4hnQUW8AVfREZ9) and contact your Auth0 Account Team to request activation and supporting documentation.
## Multi-Resource Refresh Tokens (MRRT) is now Generally Available
Following the successful Early Access period that began on August 11, 2025, we are excited to announce that MRRT is now available to all customers with full production support. This is a powerful enhancement that simplifies token management and modernizes app architecture across both native and web platforms
---
### What's New in GA
#### ✨ Auth0 Dashboard Support
- **Configure MRRT policies directly in the Dashboard** — No more Management API-only configuration
- **Visual refresh token policy editor** — Easily add, remove, and modify audience/scope policies for your applications
- **Application settings integration** — MRRT configuration is now available under the Application > Settings page
#### 🔒 Enhanced Security with Client Grants Integration
- **Client Grants enforcement** — MRRT now respects Client Grants restrictions, ensuring applications can only request access tokens for APIs they are authorized to access
- **Improved validation** — Better error messages when attempting to configure unauthorized audience/scope combinations
#### 🐛 Bug Fixes and Improvements (based on EA feedback)
- Fixed: Token exchange now properly validates scopes against both MRRT policy and Resource Server definitions
- Fixed: Improved error handling when requesting access tokens for deleted or modified Resource Servers
- Fixed: `org_id` claim is now correctly preserved in access tokens when using MRRT with Organizations
- Fixed: Refresh token rotation works correctly when exchanging tokens for different audiences
- Improved: Better logging in tenant logs (`type: sertft`) for MRRT token exchanges
- Improved: More descriptive error messages for unauthorized audience requests
#### 📦 SDK Updates
- **iOS SDK (Auth0.swift)** — Full GA support
- **Android SDK (Auth0.Android)** — Full GA support
#### 🛠️ Developer Tooling
- **Auth0 CLI** — Full support for configuring MRRT policies
- **Terraform Provider** — Complete resource configuration for refresh token policies
- **Auth0 Deploy CLI** — Full support for managing MRRT configurations in deployment pipelines
## Documentation Links
- [Multi-Resource Refresh Token Overview](https://auth0.com/docs/secure/tokens/refresh-tokens/multi-resource-refresh-token)
- [Configure and Implement MRRT](https://auth0.com/docs/secure/tokens/refresh-tokens/multi-resource-refresh-token/configure-and-implement-multi-resource-refresh-token)
- [Management API - Update Client](https://auth0.com/docs/api/management/v2/clients/patch-clients-by-id)
## Early Access availability of DPoP sender constraining for Enterprise Connections
Demonstrating Proof of Possession (DPoP) sender constraining for Enterprise Connections is now available in Early Access. Customers can now establish Okta and OIDC Enterprise Connections with DPoP enabled on those connections. This is available on all plans with Enterprise Connections.
DPoP for Enterprise Connections enables Auth0 to generate DPoP proofs when performing token exchange and calling userinfo endpoints on upstream OIDC and/or Okta connections. DPoP is a core building block of FAPI2 and IPSIE (Identity Proofing and Secure Identity Exchange) ecosystems. It provides a lightweight, standards-based way to enforce proof-of-possession (of a private key) without the operational overhead of mTLS token binding.
Please see [product documentation](https://auth0.com/docs/authenticate/enterprise-connections/enable-dpop-enterprise-connections) for details.
## Universal Login — "Forgot Password" CTA updated to "Reset Password"
The call to action for the Universal Login forgot password flow has been updated from "Forgot Password" to "Reset Password." This aligns all Universal Login CTAs to be action-oriented. The updated text is available across all languages supported by Auth0. Customers who want to keep the original "Forgot Password" text can restore it via language customization at Branding > Universal Login > Edit text and translations.
Learn more: https://auth0.com/docs/customize/login-pages/universal-login/customize-text-elements
## My Organization API and Embeddable UI Components - Organization Details and IdP Management in Early Access!
We are excited to announce the __Early Access (EA)__ release of the __My Organization API__ and a library of __Embeddable UI Components for Organization Detail and Identity Provider Management__. Every B2B product needs an admin console for customers to manage their own members and security. This new feature set empowers B2B SaaS developers to deliver robust self-service experience for admins in a matter of days, not months.
The __My Organization API__ removes the need to build complex interfaces from scratch. With a secure governance layer that integrates seamlessly with your application, developers can easily deliver sophisticated, branded admin portals that meet the needs of even the largest customers without extra operational overhead.
__Key Highlights:__
__My Organization System API__: A purpose-built API designed for secure, scalable delegated administration, allowing customers to manage organization details and identity providers directly.
__Embeddable UI Components__: A library of white-label building blocks that can be dropped into any application to provide instant self-service management for SSO, domains, and members.
__Security-First Primitives__: Built-in support for cryptographically bound tokens via DPoP and automatic step-up authentication that triggers inline MFA for privileged actions.
__Intelligent Onboarding__: A new Dashboard-based onboarding wizard that simplifies configuration with safe defaults, automated entity setup, and a test environment.
__B2B Observability and Governance__: Enhanced tenant logs and per-organization rate limiting ensure full visibility into administrative actions while protecting tenant stability.
__Interactive Developer Tools__: A modernized API Explorer and extensive SDK support across multiple languages allow developers to integrate and test administrative activity at scale.
__Why This Matters:__
This release moves beyond simple API access to a unified governance layer for human and machine identity. Modern primitives like automatic least privilege ensures administrative sessions are always secure and context-aware. The result? Enterprise buyers can now get granular access levels and organization-specific rate limits they expect without the complexity of building custom backend middleware yourself.
This feature is available for all tenants. To begin, navigate to the __Applications > APIs __section of your Dashboard to activate the My Organization API.
To learn more, read the [My Organization API documentation](https://auth0.com/docs/manage-users/my-organization-api) and if you have any feedback, give us a shout in our community channel!
## Akamai Supplemental Signals is Now GA
__Auth0 Akamai Supplemental Signals is now GA__ and available across the full authentication lifecycle.
This update allows developers to ingest risk scores and edge intelligence from Akamai Bot Manager and Account Protector into several new Action triggers: __Pre-User Registration__, __Post-User Registration__, __Post-Challenge__, and __Post-Change Password__.
By integrating these signals directly into the Auth0 pipeline, organizations can stop automated bot signups before an account is created and enforce real-time security logic during critical events like password resets or MFA challenges.
To learn more about __Akamai Supplemental Signals__ and how to set it up review our online documentation [here](https://auth0.com/docs/secure/attack-protection/configure-akamai-supplemental-signals)
## My Organization API and Embeddable UI Components - Organization Details and IdP Management in Early Access!
We are excited to announce the __Early Access (EA)__ release of the __My Organization API__ and a library of __Embeddable UI Components for Organization Detail and Identity Provider Management__. Every B2B product needs an admin console for customers to manage their own members and security. This new feature set empowers B2B SaaS developers to deliver robust self-service experience for admins in a matter of days, not months.
The __My Organization API__ removes the need to build complex interfaces from scratch. With a secure governance layer that integrates seamlessly with your application, developers can easily deliver sophisticated, branded admin portals that meet the needs of even the largest customers without extra operational overhead.
__Key Highlights:__
__My Organization System API__: A purpose-built API designed for secure, scalable delegated administration, allowing customers to manage organization details and identity providers directly.
__Embeddable UI Components__: A library of white-label building blocks that can be dropped into any application to provide instant self-service management for SSO, domains, and members.
__Security-First Primitives__: Built-in support for cryptographically bound tokens via DPoP and automatic step-up authentication that triggers inline MFA for privileged actions.
__Intelligent Onboarding__: A new Dashboard-based onboarding wizard that simplifies configuration with safe defaults, automated entity setup, and a test environment.
__B2B Observability and Governance__: Enhanced tenant logs and per-organization rate limiting ensure full visibility into administrative actions while protecting tenant stability.
__Interactive Developer Tools__: A modernized API Explorer and extensive SDK support across multiple languages allow developers to integrate and test administrative activity at scale.
__Why This Matters:__
This release moves beyond simple API access to a unified governance layer for human and machine identity. Modern primitives like automatic least privilege ensures administrative sessions are always secure and context-aware. The result? Enterprise buyers can now get granular access levels and organization-specific rate limits they expect without the complexity of building custom backend middleware yourself.
This feature is available for all tenants. To begin, navigate to the __Applications > APIs __section of your Dashboard to activate the My Organization API.
To learn more, read the [My Organization API documentation](https://auth0.com/docs/manage-users/my-organization-api) and if you have any feedback, give us a shout in our community channel!
## Akamai Supplemental Signals is Now GA
__Auth0 Akamai Supplemental Signals is now GA__ and available across the full authentication lifecycle.
This update allows developers to ingest risk scores and edge intelligence from Akamai Bot Manager and Account Protector into several new Action triggers: __Pre-User Registration__, __Post-User Registration__, __Post-Challenge__, and __Post-Change Password__.
By integrating these signals directly into the Auth0 pipeline, organizations can stop automated bot signups before an account is created and enforce real-time security logic during critical events like password resets or MFA challenges.
To learn more about __Akamai Supplemental Signals__ and how to set it up review our online documentation [here](https://auth0.com/docs/secure/attack-protection/configure-akamai-supplemental-signals)
## Universal Login — "Forgot Password" CTA updated to "Reset Password"
The call to action for the Universal Login forgot password flow has been updated from "Forgot Password" to "Reset Password." This aligns all Universal Login CTAs to be action-oriented. The updated text is available across all languages supported by Auth0. Customers who want to keep the original "Forgot Password" text can restore it via language customization at Branding > Universal Login > Edit text and translations.
Learn more: https://auth0.com/docs/customize/login-pages/universal-login/customize-text-elements
## Akamai Supplemental Signals is Now GA
__Auth0 Akamai Supplemental Signals is now GA__ and available across the full authentication lifecycle.
This update allows developers to ingest risk scores and edge intelligence from Akamai Bot Manager and Account Protector into several new Action triggers: __Pre-User Registration__, __Post-User Registration__, __Post-Challenge__, and __Post-Change Password__.
By integrating these signals directly into the Auth0 pipeline, organizations can stop automated bot signups before an account is created and enforce real-time security logic during critical events like password resets or MFA challenges.
To learn more about __Akamai Supplemental Signals__ and how to set it up review our online documentation [here](https://auth0.com/docs/secure/attack-protection/configure-akamai-supplemental-signals)
## Universal Login — "Forgot Password" CTA updated to "Reset Password"
The call to action for the Universal Login forgot password flow has been updated from "Forgot Password" to "Reset Password." This aligns all Universal Login CTAs to be action-oriented. The updated text is available across all languages supported by Auth0. Customers who want to keep the original "Forgot Password" text can restore it via language customization at Branding > Universal Login > Edit text and translations.
Learn more: https://auth0.com/docs/customize/login-pages/universal-login/customize-text-elements
## My Organization API and Embeddable UI Components - Organization Details and IdP Management in Early Access!
We are excited to announce the __Early Access (EA)__ release of the __My Organization API__ and a library of __Embeddable UI Components for Organization Detail and Identity Provider Management__. Every B2B product needs an admin console for customers to manage their own members and security. This new feature set empowers B2B SaaS developers to deliver robust self-service experience for admins in a matter of days, not months.
The __My Organization API__ removes the need to build complex interfaces from scratch. With a secure governance layer that integrates seamlessly with your application, developers can easily deliver sophisticated, branded admin portals that meet the needs of even the largest customers without extra operational overhead.
__Key Highlights:__
__My Organization System API__: A purpose-built API designed for secure, scalable delegated administration, allowing customers to manage organization details and identity providers directly.
__Embeddable UI Components__: A library of white-label building blocks that can be dropped into any application to provide instant self-service management for SSO, domains, and members.
__Security-First Primitives__: Built-in support for cryptographically bound tokens via DPoP and automatic step-up authentication that triggers inline MFA for privileged actions.
__Intelligent Onboarding__: A new Dashboard-based onboarding wizard that simplifies configuration with safe defaults, automated entity setup, and a test environment.
__B2B Observability and Governance__: Enhanced tenant logs and per-organization rate limiting ensure full visibility into administrative actions while protecting tenant stability.
__Interactive Developer Tools__: A modernized API Explorer and extensive SDK support across multiple languages allow developers to integrate and test administrative activity at scale.
__Why This Matters:__
This release moves beyond simple API access to a unified governance layer for human and machine identity. Modern primitives like automatic least privilege ensures administrative sessions are always secure and context-aware. The result? Enterprise buyers can now get granular access levels and organization-specific rate limits they expect without the complexity of building custom backend middleware yourself.
This feature is available for all tenants. To begin, navigate to the __Applications > APIs __section of your Dashboard to activate the My Organization API.
To learn more, read the [My Organization API documentation](https://auth0.com/docs/manage-users/my-organization-api) and if you have any feedback, give us a shout in our community channel!
## Akamai Supplemental Signals is Now GA
__Auth0 Akamai Supplemental Signals is now GA__ and available across the full authentication lifecycle.
This update allows developers to ingest risk scores and edge intelligence from Akamai Bot Manager and Account Protector into several new Action triggers: __Pre-User Registration__, __Post-User Registration__, __Post-Challenge__, and __Post-Change Password__.
By integrating these signals directly into the Auth0 pipeline, organizations can stop automated bot signups before an account is created and enforce real-time security logic during critical events like password resets or MFA challenges.
To learn more about __Akamai Supplemental Signals__ and how to set it up review our online documentation [here](https://auth0.com/docs/secure/attack-protection/configure-akamai-supplemental-signals)
## Universal Login — "Forgot Password" CTA updated to "Reset Password"
The call to action for the Universal Login forgot password flow has been updated from "Forgot Password" to "Reset Password." This aligns all Universal Login CTAs to be action-oriented. The updated text is available across all languages supported by Auth0. Customers who want to keep the original "Forgot Password" text can restore it via language customization at Branding > Universal Login > Edit text and translations.
Learn more: https://auth0.com/docs/customize/login-pages/universal-login/customize-text-elements
## My Organization API and Embeddable UI Components - Organization Details and IdP Management in Early Access!
We are excited to announce the __Early Access (EA)__ release of the __My Organization API__ and a library of __Embeddable UI Components for Organization Detail and Identity Provider Management__. Every B2B product needs an admin console for customers to manage their own members and security. This new feature set empowers B2B SaaS developers to deliver robust self-service experience for admins in a matter of days, not months.
The __My Organization API__ removes the need to build complex interfaces from scratch. With a secure governance layer that integrates seamlessly with your application, developers can easily deliver sophisticated, branded admin portals that meet the needs of even the largest customers without extra operational overhead.
__Key Highlights:__
__My Organization System API__: A purpose-built API designed for secure, scalable delegated administration, allowing customers to manage organization details and identity providers directly.
__Embeddable UI Components__: A library of white-label building blocks that can be dropped into any application to provide instant self-service management for SSO, domains, and members.
__Security-First Primitives__: Built-in support for cryptographically bound tokens via DPoP and automatic step-up authentication that triggers inline MFA for privileged actions.
__Intelligent Onboarding__: A new Dashboard-based onboarding wizard that simplifies configuration with safe defaults, automated entity setup, and a test environment.
__B2B Observability and Governance__: Enhanced tenant logs and per-organization rate limiting ensure full visibility into administrative actions while protecting tenant stability.
__Interactive Developer Tools__: A modernized API Explorer and extensive SDK support across multiple languages allow developers to integrate and test administrative activity at scale.
__Why This Matters:__
This release moves beyond simple API access to a unified governance layer for human and machine identity. Modern primitives like automatic least privilege ensures administrative sessions are always secure and context-aware. The result? Enterprise buyers can now get granular access levels and organization-specific rate limits they expect without the complexity of building custom backend middleware yourself.
This feature is available for all tenants. To begin, navigate to the __Applications > APIs __section of your Dashboard to activate the My Organization API.
To learn more, read the [My Organization API documentation](https://auth0.com/docs/manage-users/my-organization-api) and if you have any feedback, give us a shout in our community channel!
## Akamai Supplemental Signals is Now GA
__Auth0 Akamai Supplemental Signals is now GA__ and available across the full authentication lifecycle.
This update allows developers to ingest risk scores and edge intelligence from Akamai Bot Manager and Account Protector into several new Action triggers: __Pre-User Registration__, __Post-User Registration__, __Post-Challenge__, and __Post-Change Password__.
By integrating these signals directly into the Auth0 pipeline, organizations can stop automated bot signups before an account is created and enforce real-time security logic during critical events like password resets or MFA challenges.
To learn more about __Akamai Supplemental Signals__ and how to set it up review our online documentation [here](https://auth0.com/docs/secure/attack-protection/configure-akamai-supplemental-signals)
## Universal Login — "Forgot Password" CTA updated to "Reset Password"
The call to action for the Universal Login forgot password flow has been updated from "Forgot Password" to "Reset Password." This aligns all Universal Login CTAs to be action-oriented. The updated text is available across all languages supported by Auth0. Customers who want to keep the original "Forgot Password" text can restore it via language customization at Branding > Universal Login > Edit text and translations.
Learn more: https://auth0.com/docs/customize/login-pages/universal-login/customize-text-elements
## My Organization API and Embeddable UI Components - Organization Details and IdP Management in Early Access!
We are excited to announce the __Early Access (EA)__ release of the __My Organization API__ and a library of __Embeddable UI Components for Organization Detail and Identity Provider Management__. Every B2B product needs an admin console for customers to manage their own members and security. This new feature set empowers B2B SaaS developers to deliver robust self-service experience for admins in a matter of days, not months.
The __My Organization API__ removes the need to build complex interfaces from scratch. With a secure governance layer that integrates seamlessly with your application, developers can easily deliver sophisticated, branded admin portals that meet the needs of even the largest customers without extra operational overhead.
__Key Highlights:__
__My Organization System API__: A purpose-built API designed for secure, scalable delegated administration, allowing customers to manage organization details and identity providers directly.
__Embeddable UI Components__: A library of white-label building blocks that can be dropped into any application to provide instant self-service management for SSO, domains, and members.
__Security-First Primitives__: Built-in support for cryptographically bound tokens via DPoP and automatic step-up authentication that triggers inline MFA for privileged actions.
__Intelligent Onboarding__: A new Dashboard-based onboarding wizard that simplifies configuration with safe defaults, automated entity setup, and a test environment.
__B2B Observability and Governance__: Enhanced tenant logs and per-organization rate limiting ensure full visibility into administrative actions while protecting tenant stability.
__Interactive Developer Tools__: A modernized API Explorer and extensive SDK support across multiple languages allow developers to integrate and test administrative activity at scale.
__Why This Matters:__
This release moves beyond simple API access to a unified governance layer for human and machine identity. Modern primitives like automatic least privilege ensures administrative sessions are always secure and context-aware. The result? Enterprise buyers can now get granular access levels and organization-specific rate limits they expect without the complexity of building custom backend middleware yourself.
This feature is available for all tenants. To begin, navigate to the __Applications > APIs __section of your Dashboard to activate the My Organization API.
To learn more, read the [My Organization API documentation](https://auth0.com/docs/manage-users/my-organization-api) and if you have any feedback, give us a shout in our community channel!
## Akamai Supplemental Signals is Now GA
__Auth0 Akamai Supplemental Signals is now GA__ and available across the full authentication lifecycle.
This update allows developers to ingest risk scores and edge intelligence from Akamai Bot Manager and Account Protector into several new Action triggers: __Pre-User Registration__, __Post-User Registration__, __Post-Challenge__, and __Post-Change Password__.
By integrating these signals directly into the Auth0 pipeline, organizations can stop automated bot signups before an account is created and enforce real-time security logic during critical events like password resets or MFA challenges.
To learn more about __Akamai Supplemental Signals__ and how to set it up review our online documentation [here](https://auth0.com/docs/secure/attack-protection/configure-akamai-supplemental-signals)