Jul 22, 2025

We’ve added support for Cascade Revocation in Native to Web SSO.

With this new capability, revoking the original refresh token used in a Native to Web flow will now automatically revoke all dependent web sessions and their issued refresh tokens.

This helps prevent stale or orphaned sessions and ensures that once the root token is no longer valid, all downstream access is properly revoked.

What’s new:

enable_cascade_revocation
When enabled, revoking a native app’s refresh token also revokes all web sessions and refresh tokens created via session_transfer_token.
enable_online_refresh_tokens
When enabled, refresh tokens issued during a Native to Web SSO flow are tied to the lifetime of their associated session (i.e., online tokens).

Default behavior:

Both of these settings are enabled by default, even when not explicitly configured.

This means:

All clients using Native to Web SSO today already benefit from cascade revocation.
Web-issued refresh tokens will automatically expire when their sessions expire.

You can manage or override these settings using the Auth0 Management API.

Why it matters:

This update provides stronger guarantees around token lifecycle and session integrity across platforms:

Prevents misuse of refresh tokens after logout or revocation
Reduces risk from long-lived sessions in embedded web views
Helps developers maintain a tighter, more secure cross-platform SSO experience

Learn more in our Native to Web SSO documentation

Auth0 is delighted to introduce Mexico as the latest AWS region for Private Cloud deployments.

This new region establishes our first Private Cloud presence in Mexico, directly addressing the needs of one of Latin America's largest and most dynamic digital economies. The addition of the Mexico region provides lower latency for customers throughout the country and helps meet local data residency and compliance requirements.

We remain committed to expanding our global footprint to serve our customers wherever they are in the world.

We’ve added support for Cascade Revocation in Native to Web SSO.

With this new capability, revoking the original refresh token used in a Native to Web flow will now automatically revoke all dependent web sessions and their issued refresh tokens.

This helps prevent stale or orphaned sessions and ensures that once the root token is no longer valid, all downstream access is properly revoked.

What’s new:

enable_cascade_revocation
When enabled, revoking a native app’s refresh token also revokes all web sessions and refresh tokens created via session_transfer_token.
enable_online_refresh_tokens
When enabled, refresh tokens issued during a Native to Web SSO flow are tied to the lifetime of their associated session (i.e., online tokens).

Default behavior:

Both of these settings are enabled by default, even when not explicitly configured.

This means:

All clients using Native to Web SSO today already benefit from cascade revocation.
Web-issued refresh tokens will automatically expire when their sessions expire.

You can manage or override these settings using the Auth0 Management API.

Why it matters:

This update provides stronger guarantees around token lifecycle and session integrity across platforms:

Prevents misuse of refresh tokens after logout or revocation
Reduces risk from long-lived sessions in embedded web views
Helps developers maintain a tighter, more secure cross-platform SSO experience

Learn more in our Native to Web SSO documentation

Auth0 is delighted to introduce Mexico as the latest AWS region for Private Cloud deployments.

This new region establishes our first Private Cloud presence in Mexico, directly addressing the needs of one of Latin America's largest and most dynamic digital economies. The addition of the Mexico region provides lower latency for customers throughout the country and helps meet local data residency and compliance requirements.

We remain committed to expanding our global footprint to serve our customers wherever they are in the world.

We’ve added support for Cascade Revocation in Native to Web SSO.

With this new capability, revoking the original refresh token used in a Native to Web flow will now automatically revoke all dependent web sessions and their issued refresh tokens.

This helps prevent stale or orphaned sessions and ensures that once the root token is no longer valid, all downstream access is properly revoked.

What’s new:

enable_cascade_revocation
When enabled, revoking a native app’s refresh token also revokes all web sessions and refresh tokens created via session_transfer_token.
enable_online_refresh_tokens
When enabled, refresh tokens issued during a Native to Web SSO flow are tied to the lifetime of their associated session (i.e., online tokens).

Default behavior:

Both of these settings are enabled by default, even when not explicitly configured.

This means:

All clients using Native to Web SSO today already benefit from cascade revocation.
Web-issued refresh tokens will automatically expire when their sessions expire.

You can manage or override these settings using the Auth0 Management API.

Why it matters:

This update provides stronger guarantees around token lifecycle and session integrity across platforms:

Prevents misuse of refresh tokens after logout or revocation
Reduces risk from long-lived sessions in embedded web views
Helps developers maintain a tighter, more secure cross-platform SSO experience

Learn more in our Native to Web SSO documentation

We’ve added support for Cascade Revocation in Native to Web SSO.

With this new capability, revoking the original refresh token used in a Native to Web flow will now automatically revoke all dependent web sessions and their issued refresh tokens.

This helps prevent stale or orphaned sessions and ensures that once the root token is no longer valid, all downstream access is properly revoked.

What’s new:

enable_cascade_revocation
When enabled, revoking a native app’s refresh token also revokes all web sessions and refresh tokens created via session_transfer_token.
enable_online_refresh_tokens
When enabled, refresh tokens issued during a Native to Web SSO flow are tied to the lifetime of their associated session (i.e., online tokens).

Default behavior:

Both of these settings are enabled by default, even when not explicitly configured.

This means:

All clients using Native to Web SSO today already benefit from cascade revocation.
Web-issued refresh tokens will automatically expire when their sessions expire.

You can manage or override these settings using the Auth0 Management API.

Why it matters:

This update provides stronger guarantees around token lifecycle and session integrity across platforms:

Prevents misuse of refresh tokens after logout or revocation
Reduces risk from long-lived sessions in embedded web views
Helps developers maintain a tighter, more secure cross-platform SSO experience

Learn more in our Native to Web SSO documentation

Auth0 is delighted to introduce Mexico as the latest AWS region for Private Cloud deployments.

This new region establishes our first Private Cloud presence in Mexico, directly addressing the needs of one of Latin America's largest and most dynamic digital economies. The addition of the Mexico region provides lower latency for customers throughout the country and helps meet local data residency and compliance requirements.

We remain committed to expanding our global footprint to serve our customers wherever they are in the world.

Jul 21, 2025

We are excited to introduce expanded passkey support for custom database connections! Now available without enabling import mode.

What’s New:

You can now enable passkey-based authentication for custom database connections without importing or trickle-migrating users into Auth0 (i.e., with import mode turned off).
End users can easily enroll in passkeys after their first successful login, requiring no prior passkey credentials in your external identity store.
Passkey credentials are securely stored in Auth0, while your external identity store continues to handle all other authentication logic.