Updated session handling in SAML-P and WS-Fed authentication flows to align with industry best practices and existing OAuth2/OIDC behavior. Following successful login via SAML-P or WS-Fed, the session ID will now be rotated and a new session cookie issued. Implementations that read or store session IDs across these flows should review and update their code to handle the new session ID.
We’re excited to announce that Google Workspace Directory Sync for Groups is now available in Early Access (EA)!
This enhancement enables the automatic and reliable sync of group structures and memberships from Google Workspace directly into Auth0 Enterprise Groups.
Key Highlights:
To join the EA program, please complete the EA Terms & Conditions form and contact your Auth0 Account Team to request activation and supporting documentation.
Released auth0-springboot-api, an official SDK for Spring Boot backend applications. Key benefits include support for Spring Boot 3.2+ (Java 17+), abstraction of JWT validation complexity with JWKS fetching and scope-to-authority mapping, and support for DPoP with flexible enforcement modes. Developers can secure an API by injecting Auth0AuthenticationFilter into their SecurityFilterChain.
Support for sender constraining tokens using Demonstrating Proof of Possession (DPoP) is now generally available on Enterprise plans.
Demonstrating Proof of Possession (DPoP), as defined in RFC9449, is an application-level mechanism for binding tokens issued by Auth0 to the client application that requested them. It is implemented using asymmetric key cryptography with keys that are generated and managed by the client application; no public key infrastructure (PKI) is required.
Sender constraining tokens in this way using DPoP helps to:
Additional features since the EA release include replay protection against client applications sending repeated DPoP proofs, and the ability to require DPoP for public clients only or for all clients.
A number of Auth0 SDKs have shipped with support for DPoP:
For more details, see the product documentation.
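The key binding and replay protection described above, as an added Node.js example (not Auth0's code or the code of any Auth0 SDK): the client signs an RFC 9449 proof with a key pair it generated, and the server checks signature, request match, freshness, key thumbprint and `jti` reuse. The function names, the example URL, the ES256-only policy and the in-memory `Set` used as the replay cache are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');
const b64u = (v) => Buffer.from(v).toString('base64url');
// RFC 7638 thumbprint of an EC public JWK (required members in lexicographic order).
function jwkThumbprint({ crv, kty, x, y }) {
  return crypto.createHash('sha256').update(JSON.stringify({ crv, kty, x, y })).digest('base64url');
}

// Client: sign a proof for one HTTP request with a key pair the client generated itself.
function createProof(keyPair, htm, htu, iat = Math.floor(Date.now() / 1000)) {
  const { kty, crv, x, y } = keyPair.publicKey.export({ format: 'jwk' });
  const header = { typ: 'dpop+jwt', alg: 'ES256', jwk: { kty, crv, x, y } };
  const payload = { jti: crypto.randomUUID(), htm, htu, iat };
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(payload))}`;
  const sig = crypto.sign('sha256', Buffer.from(input), { key: keyPair.privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${b64u(sig)}`;
}

// Server: returns 'ok' or the rejection reason. boundJkt is the thumbprint recorded when the token was issued.
function verifyProof(proof, { htm, htu, boundJkt, seenJti, now = Math.floor(Date.now() / 1000), maxAge = 60 }) {
  const [h, p, s, extra] = String(proof).split('.');
  let header, payload, sigOk;
  try {
    if (extra !== undefined) throw new Error('too many segments');
    header = JSON.parse(Buffer.from(h, 'base64url').toString());
    payload = JSON.parse(Buffer.from(p, 'base64url').toString()) ?? {};
    if (header.typ !== 'dpop+jwt' || header.alg !== 'ES256' || header.jwk.kty !== 'EC' || header.jwk.crv !== 'P-256' || header.jwk.d) return 'bad header';
    const key = crypto.createPublicKey({ key: header.jwk, format: 'jwk' });
    sigOk = crypto.verify('sha256', Buffer.from(`${h}.${p}`), { key, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
  } catch {
    return 'malformed';
  }
  if (!sigOk) return 'bad signature';
  if (payload.htm !== htm || payload.htu !== htu) return 'wrong request';
  if (typeof payload.iat !== 'number' || typeof payload.jti !== 'string') return 'missing claims';
  if (Math.abs(now - payload.iat) > maxAge) return 'stale';
  if (jwkThumbprint(header.jwk) !== boundJkt) return 'key mismatch';
  if (seenJti.has(payload.jti)) return 'replay';
  seenJti.add(payload.jti);
  return 'ok';
}

// Constructed demo: the same proof is accepted once, then rejected as a replay.
function demo(url = 'https://api.example.test/orders') {
  const kp = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const ctx = { htm: 'GET', htu: url, boundJkt: jwkThumbprint(kp.publicKey.export({ format: 'jwk' })), seenJti: new Set() };
  const proof = createProof(kp, 'GET', url);
  return [verifyProof(proof, ctx), verifyProof(proof, ctx)];
}
console.log(demo());
```

In a multi-node deployment the replay cache has to be shared between nodes and can expire entries after `maxAge`, since older proofs are already rejected as stale.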
Google Workspace Directory Sync for Groups is now available in Early Access. Enables automatic and reliable sync of group structures and memberships from Google Workspace directly into Auth0 Enterprise Groups. Features include automated group synchronization, streamlined sync functionality, viewing groups in Auth0 Dashboard or Management API, sync groups outbound using Event streams, and use of group information in Post-Login Actions.
Boost Passkey adoption by enabling shared enrollment across subdomains. You can now customize the RP ID to allow a single Passkey to authenticate users across multiple applications under the same root domain. Currently in EA.
Learn more about customizing RP ID for Passkeys:
Configure Passkey Policy - https://auth0.com/docs/authenticate/database-connections/passkeys/configure-passkey-policy
Native Passkeys for Mobile Applications - Auth0 Docs - https://auth0.com/docs/authenticate/database-connections/passkeys/native-passkeys-for-mobile-applications
Passkeys - Auth0 Docs - https://auth0.com/docs/authenticate/database-connections/passkeys
Support for sender constraining tokens using Demonstrating Proof of Possession (DPoP) as defined in RFC9449 is now generally available on Enterprise plans. DPoP binds tokens to the client application using asymmetric key cryptography. Additional features include replay protection and the ability to require DPoP for public clients or all clients. Multiple Auth0 SDKs have shipped with DPoP support for authentication, APIs/Resource Servers, and Management configurations.
You can now stream real-time metrics for Auth0 Management API usage and rate limit events directly to your observability platform.
These new metric streams give you detailed telemetry on every API request, including success/failure status, specific failure reasons like rate limits, and diagnostic data such as Client ID and request path. This allows you to proactively monitor for rate limit issues, troubleshoot API errors faster, and correlate Auth0 performance with your own application's health, all from within your existing monitoring tools.
We've included out-of-the-box support for Datadog, and you can connect to New Relic, Prometheus, and Splunk using OpenTelemetry.
This feature is now available in Beta. To get started, check out our Metric Streams documentation.