
Auth0 Changelog

Releases: 219 | Avg: 67/mo | Versions: v202547 → v202614

Feb 17, 2026

We’re excited to announce that we added Flows Auth0 Send SMS and Auth0 Make Call Actions!

This new feature allows you to send phone messages from Flows using the customized Phone Provider in your Auth0 tenant.

What's new:

Feb 10, 2026

What's New

Session Metadata allows you to attach custom key–value data to a user's session using Actions or the Auth0 Management API. This enables you to persist contextual data throughout the session lifecycle, powering richer integrations, stronger audit trails, and personalized session behavior.

Key capabilities:

  • Set and retrieve metadata in Actions using api.session.setMetadata(key, value) and event.session.metadata
  • Manage metadata via Management API with GET and PATCH on /api/v2/sessions/{id}
  • Delete individual keys using api.session.deleteMetadata(key) or evict all metadata with api.session.evictMetadata()
  • Include session metadata in OIDC Back-Channel Logout tokens for downstream systems to receive context during logout events

Example usage in Actions:

exports.onExecutePostLogin = async (event, api) => {
  api.session.setMetadata("deviceName", event.request.user_agent);
  api.session.setMetadata("loginRegion", event.request.geoip?.countryCode);
  api.session.setMetadata("orgContext", event.organization?.id);
};

Limits:

  • Maximum of 25 key-value pairs per session
  • Each key and value must be a string with max 255 characters
  • Metadata is stored as a flat JSON object (no nesting)

Use Cases

  • Self-service device management: Store device names or login locations for user-facing session management UIs
  • Keep Me Signed In: Persist user preferences to customize session behavior
  • Organization context: Store organization information for multi-tenant applications
  • Audit and compliance: Include session context in logout tokens for downstream audit systems

Availability

Session Metadata is now Generally Available for all Enterprise tenants.

No API or behavior changes from Early Access.


Learn more

Forms - Flows Auth0 Send SMS and Auth0 Make Call Actions

Added Flows Auth0 Send SMS and Auth0 Make Call Actions, allowing you to send phone messages from Flows using customized Phone Providers in your Auth0 tenant.

What's new:

  • Support for configured phone providers in your Auth0 tenant
  • Custom Phone Provider Action for unsupported providers
  • Customizable Send SMS and Make Call Actions with properties like from, to, message, and variables
  • Liquid syntax support for phone messages

Feb 6, 2026

We're introducing Auth0 Agent Skills Beta: structured guidance that teaches AI coding assistants how to implement Auth0 authentication correctly across any framework.

Agent Skills are AI-native instructions that work with popular coding assistants such as Claude Code, Codex, and Gemini CLI. They provide production-ready code patterns, security best practices, and step-by-step implementation flows directly within your development workflow.

Key Features

  • Framework Coverage: Support for React, Next.js, Vue, Angular, Express, Nuxt, React Native, and more
  • Security First: Built-in best practices for MFA, protected routes, and secure token handling
  • Migration Support: Guided migration from Firebase Auth, AWS Cognito, Supabase, and other providers
  • Easy Installation: Install via CLI (npx skills add auth0/agent-skills) or directly in Claude Code plugins
  • Production Ready: Generate complete authentication implementations in minutes

Getting Started

  • Install Auth0 Agent Skills: npx skills add auth0/agent-skills
  • Then ask your AI assistant: "Add auth0 to my app" and you're ready to go.

Learn More

We're excited to announce that Refresh Token Metadata is now available in Early Access for Enterprise customers.

Refresh Token Metadata allows you to attach custom key-value pairs to refresh tokens, enabling richer context storage and more personalized authentication experiences.

What's New

Store Custom Data on Refresh Tokens

You can now attach up to 25 custom key-value pairs to each refresh token. This metadata persists throughout the token's lifecycle and can be accessed or modified via the Management API.

// In Post-Login Action
exports.onExecutePostLogin = async (event, api) => {
  api.refreshToken.setMetadata('deviceName', event.request.user_agent);
  api.refreshToken.setMetadata('loginRegion', event.request.geoip?.countryCode);
  api.refreshToken.setMetadata('orgContext', event.organization?.id);
};

Management API Support

Access and manage refresh token metadata programmatically:

  • GET /api/v2/refresh-tokens/{id} - Retrieve token with metadata
  • PATCH /api/v2/refresh-tokens/{id} - Update token metadata
  • DELETE /api/v2/refresh-tokens/{id} - Revoke token

Learn more about Refresh Token Metadata in our documentation
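
A defensive wrapper around the setMetadata calls shown for session metadata and refresh token metadata, as an added example that is not Auth0's code. It skips missing values, strips control characters from the client-supplied user agent, and enforces the 25-pair and 255-character limits stated for session metadata (assumed here for refresh tokens as well, where the page states only the 25-pair limit). The helper names, the stand-in api object and the event values are constructed.

```javascript
// Added example: limits are the ones this changelog states for session metadata.
const MAX_PAIRS = 25;  // key-value pairs per session
const MAX_LEN = 255;   // characters per key and per value (UTF-16 units here)

// Return a storable string, or null when there is nothing valid to store.
function cleanValue(value) {
  if (typeof value !== 'string') return null;  // undefined, numbers, objects
  const text = value.replace(/[\u0000-\u001f\u007f]/g, '').trim();
  return text.length === 0 ? null : text.slice(0, MAX_LEN);
}

// target   : api.session or api.refreshToken (anything exposing setMetadata)
// existing : metadata already stored, e.g. event.session?.metadata
function setMetadataSafely(target, existing, candidates) {
  const keys = new Set(Object.keys(existing || {}));
  const report = { written: [], skipped: [] };
  for (const [key, raw] of Object.entries(candidates)) {
    const value = cleanValue(raw);
    let reason = null;
    if (key.length === 0 || key.length > MAX_LEN) reason = 'bad-key';
    else if (value === null) reason = 'no-value';
    else if (!keys.has(key) && keys.size >= MAX_PAIRS) reason = 'pair-limit';
    if (reason) { report.skipped.push({ key, reason }); continue; }
    target.setMetadata(key, value);
    keys.add(key);
    report.written.push(key);
  }
  return report;
}

// Call this from inside exports.onExecutePostLogin = async (event, api) => {...}.
function recordLoginContext(event, api) {
  return setMetadataSafely(api.session, event.session?.metadata, {
    deviceName: event.request.user_agent,           // client-supplied header
    loginRegion: event.request.geoip?.countryCode,  // may be undefined
    orgContext: event.organization?.id,             // undefined outside an org
  });
}

// Constructed event and a stand-in api object so the example runs offline.
function runDemo() {
  const stored = {};
  const api = { session: { setMetadata: (k, v) => { stored[k] = v; } } };
  const existing = {};
  for (let i = 0; i < 24; i++) existing['k' + i] = 'v';  // 24 of 25 slots used
  const event = {
    session: { metadata: existing },
    request: { user_agent: 'Mozilla/5.0 ' + 'A'.repeat(400), geoip: undefined },
    organization: { id: 'org_constructed123' },
  };
  return { report: recordLoginContext(event, api), stored };
}

console.log(JSON.stringify(runDemo().report));
```

The returned report lists which keys were written and why the others were skipped, so the Action can log dropped context instead of losing it silently.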

To strengthen defenses across the identity surface, we have added millions of breached phone credentials to our detection capabilities within Credential Guard.

This enhancement allows organizations using Phone as an Identifier to proactively identify compromised credentials and trigger automated security responses, such as login blocks or password resets.

This expansion ensures that phone-based authentication is as secure as traditional email-based methods without impacting system performance.

For more information on Credential Guard, check out our online documentation.

Latest: Apr 17, 2026
Tracking since: Sep 25, 2024
Last fetched: Apr 18, 2026