We’ve improved our machine learning (ML) model for signup to deliver stronger protection against automated account creation while keeping friction low for legitimate users.
Note: This update applies only to the signup flow. There are no changes to the ML models used for bot detection in login or password reset flows.
Expanded detection signals:
The model now leverages user-agent–based signals, such as operating system and browser version data, to more accurately distinguish between human and automated signup attempts.
Smarter traffic classification:
An updated labeling strategy improves how the model differentiates between malicious and legitimate signup activity, helping it adapt more effectively to evolving attack patterns.
Optimized sensitivity settings:
Adjusted detection thresholds capture a broader range of bot activity while maintaining a low false positive rate, ensuring a smooth experience for valid users.
These enhancements strengthen the signup protection capabilities of Attack Protection, enabling more effective detection of automated signup attempts without adding unnecessary friction for real users.
The rollout is in progress for all Enterprise customers with the Attack Protection add-on and will complete over the coming weeks in line with individual release schedules.
For configuration guidance or to learn more about protecting your signup flows, please refer to our documentation or contact your account team.
To enhance security and mitigate the risks of application impersonation and phishing attacks, we recommend transitioning to HTTPS-based callbacks using Android App Links and Apple Universal Links whenever possible. In addition, we are introducing a change in how the service handles custom URI schemes and loopback URIs as callbacks.
More specifically, for authentication requests that specify a custom URI scheme or a loopback URI as the callback, we are introducing a login confirmation prompt for scenarios that would previously have returned a response without requiring user interaction. For example, in a single sign-on (SSO) scenario, if the authentication request's requirements can be satisfied from an existing authenticated session, the service will display the new login confirmation prompt instead of seamlessly returning a response to the specified custom URI scheme / loopback URI callback.
Additionally, authentication requests including prompt=none will be rejected when Applications use non-verifiable callback URIs and are configured to use the new login confirmation prompt.
Review the User Confirmation Prompt section of Measures Against Application Impersonation to learn more about the new prompt.
Tenants created before October 15, 2025, maintain the previous behavior as the default until April 28, 2026. After the October cutoff date, newly created tenants may default to displaying the new login confirmation prompt with some exceptions due to each environment's deployment schedule. For any tenant maintaining the previous behavior, we recommend you opt in beforehand to use the new behavior. Alternatively, you can opt out of using the additional confirmation prompt if strictly required. Additional information on this situation is available at Migrate to Custom URI Scheme Redirect End-User Confirmation.
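The following is an added example, not Auth0 code: a small audit that sorts an application's callback URLs into the categories named above and maps a single authentication request to the outcome this entry describes. The loopback rule (`localhost` or any loopback IP literal), evaluating the request's own `redirect_uri`, the `tenant.example` host, and all function names are assumptions.

```python
import ipaddress
from urllib.parse import parse_qs, urlencode, urlsplit

NON_VERIFIABLE = {"custom_scheme", "loopback"}

def _is_loopback_ip(host: str) -> bool:
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # not an IP literal
        return False

def classify_callback(uri: str) -> str:
    """Classify a callback as 'https', 'loopback', 'custom_scheme' or 'other'."""
    parts = urlsplit(uri.strip())
    scheme, host = parts.scheme, (parts.hostname or "").lower()
    if scheme in ("http", "https"):
        # Assumption: "localhost" and any loopback IP literal count as loopback.
        if host == "localhost" or _is_loopback_ip(host):
            return "loopback"
        return "https" if scheme == "https" else "other"
    return "custom_scheme" if scheme else "other"

def predict_outcome(authorize_url: str, confirmation_enabled: bool) -> str:
    """Map one authentication request to the behaviour the changelog describes."""
    query = parse_qs(urlsplit(authorize_url).query)
    kind = classify_callback(query.get("redirect_uri", [""])[0])
    if not confirmation_enabled or kind not in NON_VERIFIABLE:
        return "unchanged"
    if "none" in query.get("prompt", [""])[0].split():
        return "rejected"  # prompt=none cannot show the confirmation prompt
    return "confirm_if_silent"  # prompt replaces a previously silent response

def audit(callbacks):
    """Return the callbacks that fall under the new prompt, with their kind."""
    kinds = {cb: classify_callback(cb) for cb in callbacks}
    return {cb: k for cb, k in kinds.items() if k in NON_VERIFIABLE}

def authorize(redirect_uri: str, **extra) -> str:
    """Build a constructed authorization request for the sample run."""
    params = {"response_type": "code", "client_id": "SAMPLE", "redirect_uri": redirect_uri}
    return "https://tenant.example/authorize?" + urlencode({**params, **extra})

# Constructed sample callbacks, not taken from any real tenant.
SAMPLE_CALLBACKS = [
    "https://app.example.com/callback",
    "com.example.app://login/callback",
    "http://127.0.0.1:53124/callback",
    "http://[::1]:8080/cb",
]

if __name__ == "__main__":
    for cb, kind in audit(SAMPLE_CALLBACKS).items():
        print(f"{kind:14} {cb}")
```

Running the audit over each application's allowed callbacks before the default changes shows which clients will see the prompt and which silent-authentication (`prompt=none`) calls need a fallback.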
As part of the Early Access launch of Event Streams, there is now an Events Catalog explorer available in Auth0 Docs to better guide you on the details of each Event -- including examples. The Event Streams feature allows you to discover completed changes to Auth0 Users and Organizations as they happen. You can do this by:
View the new Event Catalog Explorer here: https://auth0.com/docs/events/
Learn more about Event Streams here: https://auth0.com/docs/customize/events
FGA Logging API Now Generally Available
The Auth0 FGA Logging API is now Generally Available (GA). This dedicated endpoint provides a comprehensive audit trail for every interaction with the FGA system. You can now programmatically retrieve detailed logs for auditing, debugging, and monitoring.
The FGA Logging API is available for all paid-tier customers. For more information, please read the Auth0 FGA Logging API documentation.
The first public beta of the Auth0 Nuxt SDK is now available for developers building web apps on the Nuxt framework!
Here are the helpful resources to explore the new Nuxt SDK and get started:
This SDK is still in Beta and we need your feedback! Please share any feedback, questions or comments on GitHub.