
Auth0 Changelog

Feb 6, 2026

To strengthen defenses across the identity surface, we have added millions of breached phone credentials to our detection capabilities within Credential Guard.

This enhancement allows organizations using Phone as an Identifier to proactively identify compromised credentials and trigger automated security responses, such as login blocks or password resets.

This expansion ensures that phone-based authentication is as secure as traditional email-based methods without impacting system performance.

For more information on Credential Guard, check out our online documentation.

We're excited to announce that Refresh Token Metadata is now available in Early Access for Enterprise customers.

Refresh Token Metadata allows you to attach custom key-value pairs to refresh tokens, enabling richer context storage and more personalized authentication experiences.

What's New

Store Custom Data on Refresh Tokens

You can now attach up to 25 custom key-value pairs to each refresh token. This metadata persists throughout the token's lifecycle and can be accessed or modified via the Management API.

// In Post-Login Action
exports.onExecutePostLogin = async (event, api) => {
  api.refreshToken.setMetadata('deviceName', event.request.user_agent);
  api.refreshToken.setMetadata('loginRegion', event.request.geoip?.countryCode);
  api.refreshToken.setMetadata('orgContext', event.organization?.id);
};

Management API Support

Access and manage refresh token metadata programmatically:

  • GET /api/v2/refresh-tokens/{id} - Retrieve token with metadata
  • PATCH /api/v2/refresh-tokens/{id} - Update token metadata
  • DELETE /api/v2/refresh-tokens/{id} - Revoke token

Learn more about Refresh Token Metadata in our documentation.

We're introducing Auth0 Agent Skills Beta: structured guidance that teaches AI coding assistants how to implement Auth0 authentication correctly across any framework.

Agent Skills are AI-native instructions that work with popular coding assistants such as Claude Code, Codex, and Gemini CLI. They provide production-ready code patterns, security best practices, and step-by-step implementation flows directly within your development workflow.

Key Features

  • Framework Coverage: Support for React, Next.js, Vue, Angular, Express, Nuxt, React Native, and more
  • Security First: Built-in best practices for MFA, protected routes, and secure token handling
  • Migration Support: Guided migration from Firebase Auth, AWS Cognito, Supabase, and other providers
  • Easy Installation: Install via CLI (npx skills add auth0/agent-skills) or directly in Claude Code plugins
  • Production Ready: Generate complete authentication implementations in minutes

Getting Started

  • Install Auth0 Agent Skills: npx skills add auth0/agent-skills
  • Then ask your AI assistant: "Add auth0 to my app" and you're ready to go.

Session Metadata is now Generally Available for all Enterprise customers

Session Metadata allows you to attach custom key-value data to a user's session using Actions or the Auth0 Management API, persisting contextual data throughout the session lifecycle.

Key capabilities:

  • Set and retrieve metadata in Actions via api.session.setMetadata() and event.session.metadata
  • Manage metadata via Management API with GET and PATCH on /api/v2/sessions/{id}
  • Delete individual keys or evict all metadata
  • Include session metadata in OIDC Back-Channel Logout tokens

Limits:

  • Maximum 25 key-value pairs per session
  • Each key and value must be a string with max 255 characters
  • Metadata stored as flat JSON object (no nesting)

Use Cases:

  • Self-service device management
  • Keep Me Signed In preferences
  • Organization context persistence
  • Audit and compliance tracking

No API or behavior changes from Early Access.
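
The limits listed above can be checked before anything is written to the session. The following is an added example, not code from the Auth0 changelog or documentation: `checkSessionMetadata` and its return shape are hypothetical, rejecting an empty key is an assumption, and `api.session.setMetadata()` and `event.session.metadata` are the names given on this page.

```javascript
// Added example. Limits come from the Session Metadata list above.
const MAX_PAIRS = 25;
const MAX_LEN = 255;
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Hypothetical helper: splits candidate pairs into those that fit the limits
// and those that do not. `existing` is the metadata already on the session.
function checkSessionMetadata(candidate, existing = {}) {
  const accepted = {};
  const rejected = [];
  let count = Object.keys(existing).length;
  for (const [key, value] of Object.entries(candidate)) {
    let reason = null;
    if (key.length === 0 || key.length > MAX_LEN) {
      reason = 'key empty (assumed invalid) or longer than 255 characters';
    } else if (typeof value !== 'string') {
      reason = 'value must be a string (flat object, no nesting)';
    } else if (value.length > MAX_LEN) {
      reason = 'value longer than 255 characters';
    } else if (!has(existing, key) && count >= MAX_PAIRS) {
      reason = 'would exceed 25 pairs';
    }
    if (reason) {
      rejected.push({ key, reason });
      continue;
    }
    if (!has(existing, key)) count += 1;
    accepted[key] = value;
  }
  return { accepted, rejected };
}

// Post-Login Action body. user_agent is client-supplied and can be long;
// geoip and organization may be absent, which yields undefined values.
async function onExecutePostLogin(event, api) {
  const candidate = {
    deviceName: event.request.user_agent,
    loginRegion: event.request.geoip?.countryCode,
    orgContext: event.organization?.id,
  };
  const current = event.session?.metadata ?? {};
  const { accepted, rejected } = checkSessionMetadata(candidate, current);
  for (const [key, value] of Object.entries(accepted)) {
    api.session.setMetadata(key, value);
  }
  return rejected; // log or alert on these in a real Action
}

// Actions load the handler from `exports`; guarded so the file runs elsewhere too.
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;
```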

Added millions of breached phone credentials to Credential Guard detection capabilities, allowing organizations using Phone as an Identifier to identify compromised credentials and trigger automated security responses such as login blocks or password resets. This ensures phone-based authentication is as secure as email-based methods without impacting performance.

Refresh Token Metadata is now available in Early Access for Enterprise customers, allowing you to attach custom key-value pairs to refresh tokens for richer context storage and personalized authentication experiences.

What's New:

  • Attach up to 25 custom key-value pairs to each refresh token
  • Metadata persists throughout token's lifecycle
  • Access and modify via Management API using GET, PATCH, and DELETE operations on /api/v2/refresh-tokens/{id}
  • Set metadata in Post-Login Actions via api.refreshToken.setMetadata()

Feb 2, 2026

We’re excited to roll out a highly requested update to the mobile login experience! We know that every tap matters when it comes to user conversion, so we’ve eliminated a common friction point in the authentication journey.

Previously, users might have been met with a standard alphabetical keyboard when prompted for a code. Now, for all SMS and Email OTP challenges, mobile devices will automatically surface the numeric keyboard. This change spans 16+ touchpoints—including MFA enrollment, Passwordless login, and password resets—ensuring your authentication flow feels native, intuitive, and fast.

What do you need to do?

Nothing at all. This optimization is automatically enabled for all customers using the Universal Login experience. Your users are already enjoying a smoother, "fat-finger" proof login today!

Experience it yourself

Trigger an MFA challenge or Passwordless login from your mobile device to see the new flow in action.

To provide a more robust defense against sophisticated automated threats, Auth0 has integrated JA4 signals into the core of our Bot Detection machine learning engine.

The addition of JA4 signals allows our models to surface and mitigate sophisticated automated threats that traditional signals often miss.

This enhanced security feature is available now to all Enterprise customers with the Attack Protection add-on. The rollout is currently underway and will be completed in the coming weeks, aligned with individual customer release schedules.

To learn more about Auth0's Bot Detection Product, click here

Enhanced Bot Detection Accuracy with JA4 Signals

Integrated JA4 signals into the core Bot Detection machine learning engine to provide more robust defense against sophisticated automated threats. JA4 signals enable detection of sophisticated automated threats that traditional signals often miss. Available now to all Enterprise customers with the Attack Protection add-on, with rollout completion in the coming weeks aligned with individual customer release schedules.

Introducing Auth0 Agent Skills Beta - structured guidance that teaches AI coding assistants how to implement Auth0 authentication correctly across any framework.

Key Features:

  • Framework Coverage: React, Next.js, Vue, Angular, Express, Nuxt, React Native, and more
  • Security First: Built-in best practices for MFA, protected routes, and secure token handling
  • Migration Support: Guided migration from Firebase Auth, AWS Cognito, Supabase, and other providers
  • Easy Installation: Install via CLI (npx skills add auth0/agent-skills) or directly in Claude Code plugins
  • Production Ready: Generate complete authentication implementations in minutes

Jan 30, 2026

We are pleased to announce that API Access Policies for Applications is now Generally Available (GA) for all Auth0 customers. This feature allows you to specifically control which applications can request access tokens for your APIs, covering both user and machine-to-machine access.

Previously available only via the Management API, these policies can now be fully configured directly within the Auth0 Dashboard. The new UI allows you to easily visualize and manage permissions per API, ensuring that only authorized applications can access sensitive resources.

Key Benefits:

  • Granular Control: Define distinct access policies for user access vs. machine-to-machine access.
  • Enhanced Security: Use the require_client_grant policy to ensure only explicitly authorized applications can obtain tokens for the subset of allowed permissions.
  • Simplified Management: Configure these settings visually through the new Dashboard UI.

To learn more, navigate to Applications > APIs > Application Access in the dashboard or read our reference docs.

We’re pleased to announce that support for Groups within Auth0’s Inbound SCIM for Enterprise Connections feature is now in limited early access!

This release is useful for developers that support users and groups natively in their applications, and need to support integrations with Enterprise identity providers that use SCIM 2.0 to remotely manage these users and groups.

New group capabilities added:

  • SCIM groups endpoint per connection - Each Enterprise connection gets dedicated SCIM /users and /groups endpoints and dedicated credentials that enable provisioning, de-provisioning, and management of the users and groups specific to that connection.

  • Sync groups from Auth0 to external systems - Users and groups provisioned inbound to Auth0 can be synchronized outbound to external systems using Auth0’s Event streams feature.

  • Use groups in the Post-Login Action - Use group information pushed from Enterprise identity providers in your Auth0 post-login actions to make access control and authorization decisions in Auth0.

  • View groups in the Auth0 Dashboard - All groups provisioned using SCIM can be viewed in the Auth0 Dashboard under a new Enterprise Groups tab, as well as per user under the Users section.

How to get access

To join the Limited EA program and access SCIM Groups for Enterprise connections, complete the EA Terms & Conditions form and contact your Auth0 Account Team to request activation and supporting documentation.

Latest
Apr 17, 2026
Tracking Since
Sep 25, 2024
Last fetched Apr 18, 2026