Refresh Token Metadata is now generally available for Enterprise customers, allowing up to 25 custom key-value pairs per refresh token via setMetadata in Post-Login Actions and Management API endpoints.
Google Workspace Directory Sync for Groups is now available in Early Access with no enrolment required, adding native assignment of synced groups to Auth0 tenant-level RBAC roles and organization-specific roles.
Dashboard Search for APIs is now in Public Beta, letting users search APIs in real time by ID, identifier, or name without scrolling through paginated lists.
New API endpoints allow granular search and bulk revocation of refresh tokens. The GET endpoint retrieves refresh tokens by user ID or user ID and client ID. The POST endpoint supports revocation by IDs (up to 100), user ID, user ID + client ID, or user ID + client ID + audience. Contact your TAM or open a support ticket to enable this feature.
The machine learning model driving Bot Detection during signup has been updated to lower false-negative rates and intercept more automated traffic while keeping false-positive rates low for valid users. The model now delivers uniform detection accuracy across tenants of all sizes and rolls out automatically to Enterprise tenants with Attack Protection enabled.
Inbound SCIM for Enterprise Connections now supports mapping synced groups to Auth0 roles at tenant level or scoped to organizations, and enterprise customers can self-configure SCIM provisioning for groups directly. Users in synced groups automatically inherit assigned roles globally or workspace-scoped permissions at login when combined with Auto-Membership.
The redesigned dashboard navigation and information architecture is now available in beta, featuring flattened navigation with label-only group headers, pages reorganized around common tasks, and external actions moved to the top bar. Related functionality is grouped together with clearer naming. Existing bookmarks and deep links continue to work with automatic redirects, and all underlying functionality and APIs remain unchanged.
Dashboard Search for Applications is now available in public beta, allowing users to search and filter applications in real time by name, client ID, external client ID, metadata, application type, and first-party status. Filters can be combined (up to 5), persist in URLs for sharing, and follow Boolean search logic.
Strict third-party applications now support machine-to-machine access using the client_credentials grant type, including organization-scoped M2M access with explicit grant requirements. M2M access is restricted to applications created manually via the Management API or Dashboard; applications registered via Dynamic Client Registration are excluded.
You can now customize the RP ID to allow a single Passkey to authenticate users across multiple applications under the same root domain, enabling shared enrollment across subdomains.
Token Vault and the Connected Accounts flow now respect org_id end-to-end, scoping tokens to (user, org_id) pairs so each organization maintains isolated token records. Token Vault exchanges without an org_id claim continue to work as before.
New Credentials Exchange Actions interfaces let you customize scopes considered when the access token is issued, with add/remove and set/clear operations on target scopes. Scope limits increased to 1000 for Credentials Exchange Actions and Post Login Actions.
Custom Token Exchange now supports Delegated Authorization, allowing a principal (support agent, backend service, or AI agent) to perform actions in a user's context while preserving both identities via the standards-based act claim per RFC 8693. Features include actor token parameters, setActor() Action command for explicit delegation control, automatic validation of Auth0 ID tokens as actor tokens, audit trail capture, and support for up to 5 levels of delegation chains.
Tenant Access Control Lists now support matching access rules directly against canonical hostnames, allowing you to lock down backend default domains while keeping custom domains accessible. New connecting IP verification lets you define allowed IPv4 and IPv6 CIDR blocks for infrastructure connecting to the Auth0 edge, and the Tenant ACL attribute limit has increased from 10 to 20 per signal.
Federated Logout is now generally available for OIDC and Okta enterprise connections. When a user logs out with ?federated appended to the logout URL, Auth0 calls the upstream identity provider's end_session_endpoint to terminate the IdP session, closing the gap where a lingering IdP session could silently re-authenticate the user on their next login attempt.
DPoP sender constraining for Enterprise Connections is now generally available on all plans. Customers can establish Okta and OIDC Enterprise Connections with DPoP enabled, allowing Auth0 to generate DPoP proofs when performing token exchange and calling userinfo endpoints on upstream connections.
A new Tenant Manager role allows delegation of tenant-level user management tasks—inviting, updating, and revoking members—without exposing sensitive configuration settings like connections and security logs, which remain restricted to Team Owners. All management actions are captured in Team Activity logs for audit compliance.
A new Dashboard configuration interface allows administrators to set thresholds for throttling high-velocity traffic from suspicious IP addresses during the Custom Token Exchange process.
Non-Unique Emails is now Generally Available (GA) for all Auth0 customers. This feature allows multiple user accounts to share the same email address ...
Non-Unique Emails is now generally available, allowing multiple user accounts to share the same email address within a database connection on new connections only. Users must be distinguished by a different primary identifier such as username or phone number, while all email communications remain sent to the shared address.