Auth0 shipped a busy quarter mixing major GA releases with strategic expansions into B2B workflows and security hardening. Multi-Resource Refresh Tokens (MRRT) graduated to GA with dashboard controls and Client Grants integration, while DPoP support for Enterprise Connections entered early access alongside similar improvements for SAML/WS-Fed session handling. On the B2B front, Multiple Custom Domains reached GA to support multi-tenant login experiences, and the My Organization API with embeddable components entered early access to let SaaS developers ship delegated admin portals faster. Google Workspace directory sync capabilities expanded from initial EA (user sync) through partial group sync controls, while Actions Modules and Refresh Token Metadata landed in early access to deepen customization options. Security got sharper: JA4 signals integrated into Bot Detection, Credential Guard now covers breached phone credentials, and brute-force protection blocks passwordless notifications for flagged users. The team also introduced a new Developer Preview release stage for paid features and expanded Akamai Supplemental Signals to post-login, post-challenge, and password-reset triggers for real-time risk decisions.
Auth0 advanced authentication flexibility and token security this month. The dashboard got a purpose-built editor for customizing signup and login screens with syntax highlighting and live preview, now supporting passkeys and custom database connections. On the security side, DPoP token binding graduated to GA on Enterprise plans, SAML and WS-Fed flows now rotate session IDs to align with OAuth2/OIDC practices (a breaking change for implementations storing session identifiers), and the new Spring Boot API SDK shipped with built-in JWT validation and DPoP support for Java 17+. Actions Transaction Metadata also reached GA, letting developers share custom data across post-login execution steps.