Auth0 Release Notes

77 release notes curated from 1 source by the Releasebot Team. Last updated: May 28, 2026

  • May 27, 2026
    • Date parsed from source:
      May 27, 2026
    • First seen by Releasebot:
      May 28, 2026
    Auth0

    Custom Token Exchange - Delegated Authorization now available in Open Early Access

    Auth0 now supports Delegated Authorization in Custom Token Exchange, adding a standards-based act claim, actor token parameters, setActor() Actions control, tenant log audit trails, and multi-hop delegation chains for support, service-to-service, and AI agent flows.

    We're excited to announce that Custom Token Exchange now supports Delegated Authorization. This release is available to all Enterprise, B2B Professional, and B2C Professional customers.

    Delegated Authorization covers scenarios where a principal (e.g. a human support agent, a backend service, an AI agent) performs actions in the context of a user. Unlike traditional impersonation where the actor's identity is lost, delegated authorization preserves both identities: the sub claim identifies the user being acted for, while a standards-based act claim (per RFC 8693) identifies who is actually performing the action. Every token carries a verifiable record of the delegation.

    With the flexibility to define custom actor semantics and authorization logic via Actions, customers now have the tools to address emerging access patterns, including agentic AI flows, alongside traditional delegation scenarios like support tooling and service-to-service chains.

    Key highlights of this release:

    • Actor token parameters: Pass actor_token and actor_token_type to convey the acting party's credential
    • setActor() Action command: Developers explicitly control when and how the delegation act claim is included in tokens via the new setActor() method
    • Auth0 ID tokens as actor tokens: Automatic validation when the actor is an Auth0-managed user
    • Audit trail: Actor identity captured in tenant logs for compliance and traceability
    • Nesting support: Up to 5 levels of delegation chains for multi-hop service scenarios

    To learn more, visit the Custom Token Exchange documentation.

  • May 27, 2026
    • Date parsed from source:
      May 27, 2026
    • First seen by Releasebot:
      May 28, 2026
    Auth0

    Actions - Access Token Scope Customization - EA

    Auth0 adds new Credentials Exchange Actions access token scope interfaces in Early Access, giving teams more control over target scopes when issuing access tokens. The update includes add, remove, set, clear, and read options, plus higher scope limits for Credentials Exchange and Post Login Actions.

    We are excited to announce that we are adding new Credentials Exchange Actions Access Token Scope Interfaces and they are now available in Early Access.

    These new interfaces allow you to customize the scopes to be considered when the access token is issued by writing Credentials Exchange Actions, considering the restrictions based on API and Client Grants definitions.

    Early Access functionality includes:

    • Add/Remove: New interfaces to add or remove target scopes from Credentials Exchange Actions.
    • Set/Clear: Additional interfaces to clear or set target scopes from Credentials Exchange Actions without having to loop through the list of scopes.
    • Read: The list of target scopes becomes available immediately after being transformed.
    • Limits: Increased limits to handle up to 1000 scopes for both Credentials Exchange Actions.
    • Bonus: The limits were also increased for Post Login Actions.
    • Docs:
      • Event Object: https://auth0.com/docs/customize/actions/explore-triggers/machine-to-machine-trigger/credentials-exchange-event-object#param-target-scopes
      • API Object: https://auth0.com/docs/customize/actions/explore-triggers/machine-to-machine-trigger/credentials-exchange-api-object#api-transaction
  • May 26, 2026
    • Date parsed from source:
      May 26, 2026
    • First seen by Releasebot:
      May 27, 2026
    Auth0

    Federated Logout for OIDC and Okta enterprise connections is now generally available

    Auth0 adds generally available Federated Logout for OIDC and Okta enterprise connections, helping terminate upstream IdP sessions on logout to prevent silent reauthentication and improve sign-out security.

    Federated Logout is now generally available for OIDC and Okta enterprise connections.

    When a user logs out with ?federated appended to the logout URL, Auth0 calls the upstream identity provider's end_session_endpoint to terminate the IdP session, closing the gap where a lingering IdP session could silently re-authenticate the user on their next login attempt.

    Note: if federated logout is attempted without providing an end_session_endpoint, federated logout cannot be completed, and a federated_logout_failed tenant log will be generated. The user will be successfully logged out of Auth0 and redirected back to the application, just as with a standard (non-federated) logout.

    With federated logout:

    • Auth0 takes the burden off customers by handling IdP session termination
    • Customers simply indicate if the IdP session should be ended when the Auth0 logout endpoint is reached — no extra setup needed for compliant IdPs
    • Employers and employees have peace of mind that their data is not accessible when they log out of their applications

    This feature is available on all plans that include enterprise connections. Read the documentation to learn more.

  • May 26, 2026
    • Date parsed from source:
      May 26, 2026
    • First seen by Releasebot:
      May 26, 2026
    Auth0

    Secure Canonical Domains with New Tenant ACL Signals

    Auth0 enhances Tenant Access Control Lists with finer-grained upstream proxy and domain routing control, including canonical hostname routing, connecting IP verification, and expanded attribute quotas for more flexible multi-domain setups.

    We have enhanced Tenant Access Control Lists (ACLs) to provide granular control over upstream proxy infrastructure and canonical domain routing.

    With this update, you can now isolate traffic by enforcing distinct rules on your canonical hostnames while keeping your user-facing custom domains open.

    What's New?

    • Canonical Hostname Routing
      • Match access rules directly against your canonical hostnames. This allows you to lock down backend default domains while keeping customer-facing custom domains open and accessible to your users.

    • Connecting IP Verification
      • Define precise allowed IPv4 and IPv6 CIDR blocks for the infrastructure (such as reverse proxies or content delivery networks) connecting directly to the Auth0 edge.

    • Expanded Attribute Quotas
      • The limit for Tenant ACL attributes has been increased from 10 to 20 per signal, giving you the additional flexibility needed to scale complex, multi-domain configurations seamlessly.

    Resources

    To learn more about Tenant ACLs, click here

  • May 19, 2026
    • Date parsed from source:
      May 19, 2026
    • First seen by Releasebot:
      May 19, 2026
    Auth0

    Suspicious IP Throttling for Custom Token Exchange

    Auth0 adds a Dashboard interface for Suspicious IP Throttling in Custom Token Exchange to help throttle high-velocity traffic.

    We have introduced a Dashboard configuration interface for Suspicious IP Throttling, specifically for Custom Token Exchange. This update allows administrators to easily set thresholds to throttle high-velocity traffic from suspicious IP addresses during the token exchange process.

    Learn more about Custom Token Exchange attack protection here

  • May 13, 2026
    • Date parsed from source:
      May 13, 2026
    • First seen by Releasebot:
      May 14, 2026
    Auth0

    Non-Unique Emails is Now Generally Available

    Auth0 releases Non-Unique Emails as generally available for all customers, letting multiple accounts share one email address in database connections for families, small businesses, and multi-role users.

    Non-Unique Emails is now Generally Available (GA) for all Auth0 customers. This feature allows multiple user accounts to share the same email address within a database connection, supporting real-world use cases like families, small businesses, and multi-role users who need separate accounts tied to the same email.

    Key Details:

    • Available on new database connections only (cannot be enabled on existing connections).
    • Requires a different primary identifier (username or phone number) to uniquely distinguish users.
    • All email communications (verification, password reset, etc.) are still sent to the shared email address.
    • Once enabled on a connection, the non-unique email setting is permanent.

    Documentation:

    Non-Unique Emails

  • May 12, 2026
    • Date parsed from source:
      May 12, 2026
    • First seen by Releasebot:
      May 12, 2026
    Auth0

    Secure your Account API with ACR EA

    Auth0 adds ACR EA support to secure Account API token issuance with step-up authentication for sensitive scopes. It lets teams gate self-service account management through Actions-driven policies or a secure-by-default toggle across Universal Login and Embedded flows.

    Auth0's ACR EA release empowers you to secure Account API token issuance by enforcing step-up authentication for sensitive scopes. Whether your users are managing their authentication factors via Universal Login or Embedded flows, you can now gate access through Actions-driven policies or enable a secure-by-default toggle. This ensures stronger security for self-service account management while maintaining a seamless experience for low-risk actions.

    Learn more here:

    API Settings Auth0 Docs

    My Account API Docs

  • May 11, 2026
    • Date parsed from source:
      May 11, 2026
    • First seen by Releasebot:
      May 12, 2026
    Auth0

    Online Refresh Tokens is now in Beta

    Auth0 adds Online refresh tokens in beta, bringing session-bound refresh token management for SPAs and other OIDC flows. The new option helps keep sessions seamless, ties token lifetime to the session, and adds configuration for specific audiences in the API settings page.

    We are excited to announce that our new feature, "Online refresh tokens", is now available to all customers in Beta. This powerful new feature is designed to simplify token management and modernize your application architecture, especially for Single Page Applications (SPAs). It allows you to bind refresh tokens to the sessions they originated from, which provides seamless and consistent continuation of a session across different applications when cookies are affected by browser vendor behaviour.

    What's in the Beta

    ✨ New configuration options

    • Configure specific audiences to provide Online refresh tokens - online refresh tokens configuration is now available under the API > settings page

    🔒 Applications Integration

    • New scope — Request the new online_access scope to receive your online refresh tokens, which will be bound to the session
    • Refresh tokens normally — Online refresh tokens will continue your application access while the session exists
    • Revoke a session, revoke its refresh tokens — Once the session is revoked, all its online refresh tokens become invalid, too

    🚀 Availability

    • Since the lifecycle of online refresh tokens is entirely based on their underlying session, online refresh tokens can be issued only in OIDC flows that generate a valid session and can return refresh tokens
    • Following OIDC standards, implicit sessions, which do generate a session but shall not return a refresh token, will not provide online refresh tokens either

    Documentation Links

    Online refresh tokens documentation

    Join the beta!

    If you're interested in joining the online refresh token beta program, please send a request through the Auth0 Support Center or contact your Technical Account Manager (TAM) or Auth0 Sales Executive to help you out with the process.

  • May 6, 2026
    • Date parsed from source:
      May 6, 2026
    • First seen by Releasebot:
      May 7, 2026
    Auth0

    Auth for MCP is now Generally Available

    Auth0 releases Auth for MCP as Generally Available, bringing authentication and authorization to MCP servers with CIMD registration, on-behalf-of token exchange, resource parameter compatibility, and enhanced security controls for third-party applications.

    We are excited to announce Auth for MCP is now Generally Available.

    Auth for MCP gives you a straightforward way to add authentication and authorization to any MCP server, so you control exactly who gets access, and what they get access to. Implement authentication, CIMD registration, and OBO token exchange for AI agents.

    Auth for MCP is a product capability that uses the combination of the following features:

    Client ID Metadata (CIMD) Registration (GA)

    For MCP clients to connect to MCP servers, they need to identify themselves. But how does a server trust a new client it's never seen? The MCP spec solves this by recommending the use of CIMD: each client hosts a document containing its metadata at a URL that identifies the client. In Auth0, tenant admins provide that URL, and Auth0 fetches the metadata, validates it, and displays it for confirmation before creating the client. You get control over which clients can access your MCP server, ensuring no surprise registrations.

    On-Behalf-Of Token Exchange (GA)

    After a user's agent authenticates with an MCP server and issues a request, it needs to call another API like a Salesforce instance or HR system to finish the job. The question is: how does that second API know the request is legitimate and who it's actually for? On-Behalf-Of Token Exchange lets MCP servers trade the user’s access token for one that works with the downstream API, scoped correctly and still tied to the original user. No shared secrets, no service accounts with too much power. And full auditing and visibility into every action.

    Resource Parameter Compatibility Mode (GA)

    The MCP spec uses "resource" identifiers to indicate which server an agent wants to talk to, rather than the "audience" parameter that OAuth has traditionally used. Auth0 now supports this natively, allowing MCP implementations to stay spec-compliant without workarounds or translation layers.

    Enhanced Security Controls for Third-Party Applications (GA)

    As you open your APIs to AI agents, partners, and developer ecosystems, third-party applications need to be secure by default. The recently shipped Enhanced Security Controls gives third-party apps a production-ready, secure-by-default posture, with the control you need over what external applications can access.

    Documentation Links

    • Register Applications with CIMD
    • On-Behalf-Of Token Exchange
    • Auth for MCP Quickstart
  • May 6, 2026
    • Date parsed from source:
      May 6, 2026
    • First seen by Releasebot:
      May 7, 2026
    Auth0

    Fix for Empty login_hint Parameter on External Identity Providers Requests

    Auth0 fixes an external identity provider login issue by stopping empty `login_hint` values from being sent in authorization requests, improving compatibility with strict OAuth providers and reducing authentication failures.

    What's Changing:

    We are fixing an issue where Auth0 was including an empty login_hint query parameter when redirecting users to external identity providers. Going forward, login_hint will only be included in the authorization request when a value is actually present.

    Why This Matters:

    Some external OAuth providers strictly validate request parameters and reject authorization requests that contain empty parameter values. This caused authentication failures for customers whose upstream identity providers do not tolerate empty login_hint values — particularly in scenarios where customers do not control the external IdP and cannot modify its validation behavior.

    Rollout Timing:

    This fix will be rolled out progressively over the next 1–2 weeks.

    Action Required:

    No action is required from customers. If you previously implemented a workaround by overriding connection parameters to suppress the empty login_hint, you may optionally remove that override after confirming the fix is active in your environment.

  • May 6, 2026
    • Date parsed from source:
      May 6, 2026
    • First seen by Releasebot:
      May 7, 2026
    • Modified by Releasebot:
      May 12, 2026
    Auth0

    Resend Email Provider is now Generally Available

    Auth0 introduces Resend as a generally available out-of-the-box email delivery provider, giving users built-in configuration for transactional email directly within Auth0.

    We're excited to announce that Resend is now Generally Available as an out-of-the-box email delivery provider in Auth0!

    With this release, you can now configure Resend as your email delivery provider with built-in configuration directly within Auth0. Resend offers a modern, developer-friendly approach to transactional email with excellent deliverability and a clean API.

    Check out our documentation for detailed setup instructions.

    Have questions or suggestions? Reach out to us in our community channel and we'd love to hear how Resend is working for you!

    This feature is available on all Auth0 plans.

  • May 5, 2026
    • Date parsed from source:
      May 5, 2026
    • First seen by Releasebot:
      May 5, 2026
    Auth0

    Support for Private Key JWT assertions and additional signing algorithms on Okta and OIDC enterprise connections.

    Auth0 adds generally available Private Key JWT assertions and expanded signing algorithm support for Enterprise Okta and OIDC Connections, giving teams more control over client assertion JWTs and broader ID token verification compatibility across enterprise authentication flows.

    Private Key JWT assertions and expanded signing algorithm support are now generally available across Enterprise Okta and OIDC Connections.

    Private Key JWT assertions deliver enterprise-grade security by leveraging asymmetric cryptography to authenticate against your upstream Okta and OIDC identity providers. You now have full control over which signing algorithms Auth0 uses when generating client assertion JWTs - giving you the flexibility to align with your security standards and existing infrastructure.

    We've also expanded ID token verification on enterprise connections to support additional signing algorithms: RS384, RS512, PS256, PS384, ES256, and ES384. This means fewer integration headaches when connecting to upstream identity providers and greater compatibility across your authentication flows.

    These capabilities put you in the driver's seat: choose the cryptographic methods that work best for your environment, eliminate integration blockers, and stay ahead of evolving security standards.

    Please refer to the product documentation.

  • May 5, 2026
    • Date parsed from source:
      May 5, 2026
    • First seen by Releasebot:
      May 5, 2026
    Auth0

    "CMD+K" available now on Auth0 Dashboard

    Auth0 adds a new CMD+K Command Palette in the Auth0 dashboard, giving all users instant keyboard access to navigation, quick actions, recently visited pages, and contextual tasks from anywhere in the app.

    We're excited to announce the new CMD+K Command Palette functionality is now available to all users in the Auth0 dashboard. Get instant access to navigation, quick actions and recently visited pages all from a single keyboard shortcut.

    What’s new:

    • Globally available: Always accessible from any page by entering CMD+K.
    • Quick navigation: Jump to any page, feature, or setting without leaving the keyboard.
    • Recently visited: Have your last 3 visited pages available at the top.
    • Action shortcuts: Execute common tasks directly from the palette.
    • Contextual actions: Get tasks specific to pages right in CMD+K.

    To keep improving this experience, we’ll be continuously adding more contextual actions and capabilities to the CMD+K Command Palette.

  • Apr 30, 2026
    • Date parsed from source:
      Apr 30, 2026
    • First seen by Releasebot:
      May 1, 2026
    Auth0

    Auth0 Event Streams for Outbound User Lifecycle Management – Now in General Availability

    Auth0 launches Event Streams in General Availability for all customers, letting teams subscribe to Auth0 User, Organization, and Group events and deliver them to AWS EventBridge, Auth0 Actions, webhooks, and the Events API.

    Event Streams is now available for all customers in General Availability.

    Customers can:

    • Subscribe to Auth0 User, Organizations, and Groups (Early Access Limited Release) Events
    • Deliver Events to AWS EventBridge, Auth0 Actions, and Webhooks (including to Okta Workflows via Customer Header Auth)
    • Consume events via the Events API

    See the Auth0 Docs and Event Catalog for further instructions.

  • Apr 30, 2026
    • Date parsed from source:
      Apr 30, 2026
    • First seen by Releasebot:
      May 1, 2026
    Auth0

    Auth0 FGA Permissions Index Is Now in Developer Preview

    Auth0 adds a Developer Preview of FGA Permissions Index, precomputing permission paths for faster, simpler lookups over complex relationship graphs and helping power enterprise search and AI retrieval at scale.

    What is a Permissions Index?

    In relationship-based access control like FGA, checking for permissions requires traversing a complex graph of relationships to find a valid path between a user and an object. The FGA Permissions Index anticipates this time-consuming traversal by pre-calculating every possible permission path and storing them as direct, user-to-object relationships. Whenever an indexed relationship is added or revoked in FGA, an incremental compute engine cleverly remembers which parts of the graph are affected, quickly ‘flattens’ those relationships, and enables a simple, efficient lookup at query time, no real-time graph traversal necessary.

    This makes it easier to power traditionally difficult authorization use cases such as enterprise search and AI retrieval (like RAG) over large datasets without repeatedly traversing the authorization graph every time.

    The Developer Preview of FGA Permissions Index is available to any existing FGA enterprise customer. Get started today!

    Learn more

    • What is a Permissions Index?
    • Permissions Index Best Practices
