releases.shpreview
Home/Collections/Auth & Identity/Week of June 1, 2026

The week M2M went multi-tenant and SCIM closed the loop

June 1–7, 2026

Auth0 shipped machine-to-machine access for third-party applications and made Inbound SCIM Groups generally available, while Clerk rolled out prebuilt organization management UI across its native mobile SDKs and a major backend API update.

M2M access for third-party apps and SCIM group mapping at scale

Auth0 took two significant steps forward in API-first, multi-tenant identity this week. Strict third-party applications now support the client_credentials grant type for machine-to-machine access, including the ability to scope M2M tokens to specific organizations. For teams exposing APIs to AI agents or partner backends that operate without a user in the session, this closes a gap that required workarounds. M2M access is restricted to apps created via the Management API or Dashboard — DCR-registered apps are excluded, maintaining the secure-by-default posture Auth0 introduced with third-party apps.

Alongside that, the GA release of Inbound SCIM Groups for Enterprise Connections lets you map synced groups directly to Auth0 roles at the tenant level or scoped per organization. When combined with Auto-Membership, users in synced groups inherit permissions at login without custom provisioning logic. WorkOS also shipped a complementary piece: SCIM bearer token rotation for directory integrations, now available from the Admin Portal and Directory Sync dashboard.

Auth0's Dashboard Search for Applications entered public beta, supporting real-time filtering by name, client ID, metadata, application type, and more (up to five combinable filters that persist via URL). The broader Dashboard navigation refresh is also in beta, reorganizing pages around common tasks with flattened navigation. Existing bookmarks redirect automatically, and all underlying APIs are unchanged.

Clerk fills in the organization-graph gaps

After weeks of shipping steady improvements across its SDK matrix, Clerk's most consequential release for team-product developers this week came on the native side: the Clerk iOS (1.2.0) and Android SDKs (via the June 5 changelog) now include prebuilt Organization management UI. The components cover the full spectrum — OrganizationSwitcher for account switching, OrganizationListView for standalone selection, and OrganizationProfileView with permission-gated management of members, domains, and org lifecycle actions. The iOS SDK also adds session reverification convenience APIs and bumps to Swift 6.2 and Xcode 26.

On the backend, @clerk/backend v3.5.0 introduces long-requested user email and phone replacement APIs: users.replaceUserEmailAddress and users.replaceUserPhoneNumber let you overwrite all addresses with a single verified, primary value in one call. The same release fixes an issue where authenticateRequest was consuming the request body, preventing downstream handlers from reading it, and preserves custom claims during JWT-format M2M token verification. Framework SDKs for Next.js, Nuxt, Astro, TanStack React Start, and React Router coordinated to prevent keyless mode from activating in CI and other automated environments.

Better Auth and Supabase round out the week

Better Auth v1.6.14 landed several high-severity fixes: Google One Tap no longer authenticates against the wrong user when the presented account is already linked to a different local user, getSessionCookie now prefers the __Secure- cookie over a non-secure leftover, and SAML Single Logout no longer leaves users signed in on the server. Supabase Auth continued its release-candidate cycle for v2.190.0 with three new RCs (rc.19, rc.22, rc.23), though the stable changelog remained quiet. Clerk also pushed a large batch of dependency updates across its JavaScript SDK, including captcha-by-OAuth-provider fix that resolves a long-tail bug where new OAuth users would hang on the SSO callback.

Releases covered