Following the successful Early Access period that began on August 11, 2025, we are excited to announce that MRRT is now available to all customers with full production support. This is a powerful enhancement that simplifies token management and modernizes app architecture across both native and web platforms
What's New in GA
✨ Auth0 Dashboard Support
- Configure MRRT policies directly in the Dashboard — No more Management API-only configuration
- Visual refresh token policy editor — Easily add, remove, and modify audience/scope policies for your applications
- Application settings integration — MRRT configuration is now available under the Application > Settings page
🔒 Enhanced Security with Client Grants Integration
- Client Grants enforcement — MRRT now respects Client Grants restrictions, ensuring applications can only request access tokens for APIs they are authorized to access
- Improved validation — Better error messages when attempting to configure unauthorized audience/scope combinations
🐛 Bug Fixes and Improvements (based on EA feedback)
- Fixed: Token exchange now properly validates scopes against both MRRT policy and Resource Server definitions
- Fixed: Improved error handling when requesting access tokens for deleted or modified Resource Servers
- Fixed:
org_id claim is now correctly preserved in access tokens when using MRRT with Organizations
- Fixed: Refresh token rotation works correctly when exchanging tokens for different audiences
- Improved: Better logging in tenant logs (
type: sertft) for MRRT token exchanges
- Improved: More descriptive error messages for unauthorized audience requests
📦 SDK Updates
- iOS SDK (Auth0.swift) — Full GA support
- Android SDK (Auth0.Android) — Full GA support
🛠️ Developer Tooling
- Auth0 CLI — Full support for configuring MRRT policies
- Terraform Provider — Complete resource configuration for refresh token policies
- Auth0 Deploy CLI — Full support for managing MRRT configurations in deployment pipelines
Documentation Links