Auth0 Release Notes
71 release notes curated from 1 source by the Releasebot Team. Last updated: May 12, 2026
- May 12, 2026
- Date parsed from source: May 12, 2026
- First seen by Releasebot: May 12, 2026
Secure your Account API with ACR EA
Auth0 adds ACR EA support to secure Account API token issuance with step-up authentication for sensitive scopes. It lets teams gate self-service account management through Actions-driven policies or a secure-by-default toggle across Universal Login and Embedded flows.
Auth0's ACR EA release empowers you to secure Account API token issuance by enforcing step-up authentication for sensitive scopes. Whether your users are managing their authentication factors via Universal Login or Embedded flows, you can now gate access through Actions-driven policies or enable a secure-by-default toggle. This ensures stronger security for self-service account management while maintaining a seamless experience for low-risk actions.
Learn more here:
API Settings Auth0 Docs
My Account API Docs
- May 11, 2026
- Date parsed from source: May 11, 2026
- First seen by Releasebot: May 12, 2026
Online Refresh Tokens is now in Beta
Auth0 adds Online refresh tokens in beta, bringing session-bound refresh token management for SPAs and other OIDC flows. The new option helps keep sessions seamless, ties token lifetime to the session, and adds configuration for specific audiences in the API settings page.
We are excited to announce that our new feature "Online refresh tokens" is now available to all customers in Beta. This powerful new feature is designed to simplify token management and modernize your application architecture, especially for Single Page Applications (SPAs). It allows you to bind refresh tokens to the sessions they originated from, which provides seamless and consistent continuation of a session when cookies are affected by browser vendor behaviour across different applications.
What's in the Beta
✨ New configuration options
- Configure specific audiences to provide Online refresh tokens - online refresh tokens configuration is now available under the API > settings page
🔒 Applications Integration
- New scope — Request the new online_access scope to receive your online refresh tokens, which will be bound to the session
- Refresh tokens normally — Online refresh tokens will continue your application access while the session exists
- Revoke a session, revoke its refresh tokens — Once the session is revoked, all its online refresh tokens become invalid, too
🚀 Availability
- Since the lifecycle of online refresh tokens is entirely based on their underlying session, online refresh tokens can be issued only in OIDC flows that generate a valid session and can return refresh tokens
- Following OIDC standards, implicit sessions that do generate a session but shall not return a refresh token, will not provide online refresh tokens either
Documentation Links
Online refresh tokens documentation
Join the beta!
If you're interested in joining the online refresh token beta program, please send a request through the Auth0 Support Center or contact your Technical Account Manager (TAM) or Auth0 Sales Executive to help you out with the process.
- May 6, 2026
- Date parsed from source: May 6, 2026
- First seen by Releasebot: May 7, 2026
Auth for MCP is now Generally Available
Auth0 releases Auth for MCP as Generally Available, bringing authentication and authorization to MCP servers with CIMD registration, on-behalf-of token exchange, resource parameter compatibility, and enhanced security controls for third-party applications.
We are excited to announce Auth for MCP is now Generally Available.
Auth for MCP gives you a straightforward way to add authentication and authorization to any MCP server, so you control exactly who gets access, and what they get access to. Implement authentication, CIMD registration, and OBO token exchange for AI agents.
Auth for MCP is a product capability that uses the combination of the following features:
Client ID Metadata (CIMD) Registration (GA)
For MCP clients to connect to MCP servers, they need to identify themselves. But how does a server trust a new client it's never seen? The MCP spec solves this by recommending the use of CIMD: each client hosts a document containing its metadata at a URL that identifies the client. In Auth0, tenant admins provide that URL, and Auth0 fetches the metadata, validates it, and displays it for confirmation before creating the client. You get control over which clients can access your MCP server, ensuring no surprise registrations.
On-Behalf-Of Token Exchange (GA)
After a user's agent authenticates with an MCP server and issues a request, it needs to call another API like a Salesforce instance or HR system to finish the job. The question is: how does that second API know the request is legitimate and who it's actually for? On-Behalf-Of Token Exchange lets MCP servers trade the user’s access token for one that works with the downstream API, scoped correctly and still tied to the original user. No shared secrets, no service accounts with too much power. And full auditing and visibility into every action.
Resource Parameter Compatibility Mode (GA)
The MCP spec uses "resource" identifiers to indicate which server an agent wants to talk to, rather than the "audience" parameter that OAuth has traditionally used. Auth0 now supports this natively, allowing MCP implementations to stay spec-compliant without workarounds or translation layers.
Enhanced Security Controls for Third-Party Applications (GA)
As you open your APIs to AI agents, partners, and developer ecosystems, third-party applications need to be secure by default. The recently shipped Enhanced Security Controls gives third-party apps a production-ready, secure-by-default posture, with the control you need over what external applications can access.
Documentation Links
- Register Applications with CIMD
- On-Behalf-Of Token Exchange
- Auth for MCP Quickstart
- May 6, 2026
- Date parsed from source: May 6, 2026
- First seen by Releasebot: May 7, 2026
Fix for Empty login_hint Parameter on External Identity Providers Requests
Auth0 fixes an external identity provider login issue by stopping empty `login_hint` values from being sent in authorization requests, improving compatibility with strict OAuth providers and reducing authentication failures.
What's Changing:
We are fixing an issue where Auth0 was including an empty `login_hint` query parameter when redirecting users to external identity providers. Going forward, `login_hint` will only be included in the authorization request when a value is actually present.
Why This Matters:
Some external OAuth providers strictly validate request parameters and reject authorization requests that contain empty parameter values. This caused authentication failures for customers whose upstream identity providers do not tolerate empty `login_hint` values — particularly in scenarios where customers do not control the external IdP and cannot modify its validation behavior.
Rollout Timing:
This fix will be rolled out progressively over the next 1–2 weeks.
Action Required:
No action is required from customers. If you previously implemented a workaround by overriding connection parameters to suppress the empty `login_hint`, you may optionally remove that override after confirming the fix is active in your environment.
- May 6, 2026
- Date parsed from source: May 6, 2026
- First seen by Releasebot: May 7, 2026
- Modified by Releasebot: May 12, 2026
Resend Email Provider is now Generally Available
Auth0 introduces Resend as a generally available out-of-the-box email delivery provider, giving users built-in configuration for transactional email directly within Auth0.
We're excited to announce that Resend is now Generally Available as an out-of-the-box email delivery provider in Auth0!
With this release, you can now configure Resend as your email delivery provider with built-in configuration directly within Auth0. Resend offers a modern, developer-friendly approach to transactional email with excellent deliverability and a clean API.
Check out our documentation for detailed setup instructions.
Have questions or suggestions? Reach out to us in our community channel and we'd love to hear how Resend is working for you!
This feature is available on all Auth0 plans.
- May 5, 2026
- Date parsed from source: May 5, 2026
- First seen by Releasebot: May 5, 2026
Support for Private Key JWT assertions and additional signing algorithms on Okta and OIDC enterprise connections.
Auth0 adds generally available Private Key JWT assertions and expanded signing algorithm support for Enterprise Okta and OIDC Connections, giving teams more control over client assertion JWTs and broader ID token verification compatibility across enterprise authentication flows.
Private Key JWT assertions and expanded signing algorithm support are now generally available across Enterprise Okta and OIDC Connections.
Private Key JWT assertions deliver enterprise-grade security by leveraging asymmetric cryptography to authenticate against your upstream Okta and OIDC identity providers. You now have full control over which signing algorithms Auth0 uses when generating client assertion JWTs - giving you the flexibility to align with your security standards and existing infrastructure.
We've also expanded ID token verification on enterprise connections to support additional signing algorithms: RS384, RS512, PS256, PS384, ES256, and ES384. This means fewer integration headaches when connecting to upstream identity providers and greater compatibility across your authentication flows.
These capabilities put you in the driver's seat: choose the cryptographic methods that work best for your environment, eliminate integration blockers, and stay ahead of evolving security standards.
Please refer to the product documentation.
- May 5, 2026
- Date parsed from source: May 5, 2026
- First seen by Releasebot: May 5, 2026
"CMD+K" available now on Auth0 Dashboard
Auth0 adds a new CMD+K Command Palette in the Auth0 dashboard, giving all users instant keyboard access to navigation, quick actions, recently visited pages, and contextual tasks from anywhere in the app.
We're excited to announce the new CMD+K Command Palette functionality is now available to all users in the Auth0 dashboard. Get instant access to navigation, quick actions and recently visited pages all from a single keyboard shortcut.
What’s new:
- Globally available: Always accessible from any page by entering CMD+K.
- Quick navigation: Jump to any page, feature, or setting without leaving the keyboard.
- Recently visited: Have your last 3 visited pages available at the top.
- Action shortcuts: Execute common tasks directly from the palette.
- Contextual actions: Get tasks specific to pages right in CMD+K.
To keep improving this experience, we’ll be continuously adding more contextual actions and capabilities to the CMD+K Command Palette.
- Apr 30, 2026
- Date parsed from source: Apr 30, 2026
- First seen by Releasebot: May 1, 2026
Auth0 Event Streams for Outbound User Lifecycle Management – Now in General Availability
Auth0 launches Event Streams in General Availability for all customers, letting teams subscribe to Auth0 User, Organization, and Group events and deliver them to AWS EventBridge, Auth0 Actions, webhooks, and the Events API.
Event Streams is now available for all customers in General Availability.
Customers can:
- Subscribe to Auth0 User, Organizations, and Groups (Early Access Limited Release) Events
- Deliver Events to AWS EventBridge, Auth0 Actions, and Webhooks (including to Okta Workflows via Customer Header Auth)
- Consume events via the Events API
See the Auth0 Docs and Event Catalog for further instructions.
- Apr 30, 2026
- Date parsed from source: Apr 30, 2026
- First seen by Releasebot: May 1, 2026
Auth0 FGA Permissions Index Is Now in Developer Preview
Auth0 adds a Developer Preview of FGA Permissions Index, precomputing permission paths for faster, simpler lookups over complex relationship graphs and helping power enterprise search and AI retrieval at scale.
What is a Permissions Index?
In relationship-based access control like FGA, checking for permissions requires traversing a complex graph of relationships to find a valid path between a user and an object. The FGA Permissions Index anticipates this time-consuming traversal by pre-calculating every possible permission path and storing them as direct, user-to-object relationships. Whenever an indexed relationship is added or revoked in FGA, an incremental compute engine cleverly remembers which parts of the graph are affected, quickly ‘flattens’ those relationships, and enables a simple, efficient lookup at query time, no real-time graph traversal necessary.
This makes it easier to power traditionally difficult authorization use cases such as enterprise search and AI retrieval (like RAG) over large datasets without repeatedly traversing the authorization graph every time.
The Developer Preview of FGA Permissions Index is available to any existing FGA enterprise customer. Get started today!
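The flattening idea described above, as an added Python sketch that is not Auth0 FGA code and does not use its API: the `PermissionsIndex` class, the `user:`/`doc:` node prefixes and the sample relationships are all assumptions made for illustration. It re-flattens only the users upstream of a changed edge, and on revocation it recomputes rather than deletes, so a user who still has a second path keeps access while a user who does not loses it immediately.

```python
from collections import defaultdict


class PermissionsIndex:
    """Toy flattened index: user -> set of documents the user can reach."""

    def __init__(self):
        self.out = defaultdict(set)  # subject -> objects it grants access to
        self.inc = defaultdict(set)  # reverse edges, used to find affected users
        self.flat = {}               # the index: user -> {doc, ...}

    def _walk(self, start, edges):
        seen, stack = {start}, [start]
        while stack:
            for nxt in edges.get(stack.pop(), ()):
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        return seen

    def _affected_users(self, node):
        # Only users upstream of the changed edge can gain or lose access.
        return {n for n in self._walk(node, self.inc) if n.startswith("user:")}

    def _reflatten(self, users):
        for user in users:
            reach = self._walk(user, self.out)
            self.flat[user] = {n for n in reach if n.startswith("doc:")}

    def add(self, subject, obj):
        self.out[subject].add(obj)
        self.inc[obj].add(subject)
        self._reflatten(self._affected_users(subject))

    def revoke(self, subject, obj):
        affected = self._affected_users(subject)  # computed before the edge goes
        self.out[subject].discard(obj)
        self.inc[obj].discard(subject)
        # Recompute rather than delete: another path may still grant access.
        self._reflatten(affected)

    def check(self, user, doc):
        return doc in self.flat.get(user, ())  # direct lookup, no traversal

    def check_by_traversal(self, user, doc):
        return doc in self._walk(user, self.out)


def demo():
    idx = PermissionsIndex()
    # Constructed sample relationships.
    for edge in [("user:alice", "group:eng"), ("group:eng", "folder:specs"),
                 ("folder:specs", "doc:roadmap"), ("user:alice", "group:leads"),
                 ("group:leads", "doc:roadmap"), ("user:bob", "group:eng")]:
        idx.add(*edge)
    before = (idx.check("user:alice", "doc:roadmap"), idx.check("user:bob", "doc:roadmap"))
    idx.revoke("group:eng", "folder:specs")
    after = (idx.check("user:alice", "doc:roadmap"), idx.check("user:bob", "doc:roadmap"))
    return idx, before, after
```

Comparing `check` against `check_by_traversal` after every write is a useful invariant test for any flattened index, since a stale entry after a revocation means over-granted access.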
Learn more
- What is a Permissions Index?
- Permissions Index Best Practices
- Apr 30, 2026
- Date parsed from source: Apr 30, 2026
- First seen by Releasebot: Apr 30, 2026
Enhanced Security Controls for Third-Party Applications is now Generally Available
Auth0 introduces Enhanced Security Controls for Third-Party Applications, now generally available for all customers. The update adds secure-by-default controls like strict mode, OAuth 2.1 alignment, explicit API authorization, default permissions, redirect protection, and a reduced attack surface.
We're excited to announce that Enhanced Security Controls for Third-Party Applications is now Generally Available for all Auth0 customers.
As you open your APIs to AI agents, customers, partners, and external developers, you need strong security defaults for third-party applications. Enhanced security controls give third-party applications a secure-by-default posture, so Auth0 does the heavy lifting, and you stay in control of what external applications can access.
What's included:
- Strict security mode for third-party applications (`third_party_security_mode: 'strict'`)
- OAuth 2.1 alignment: mandatory PKCE, restricted grant types
- Explicit API authorization: third-party applications always require a client grant to access an API
- Default permissions for third-party applications: configure default API permissions that apply automatically to all third-party applications, including those created via Dynamic Client Registration
- Open redirect protection: configurable `redirection_policy` to prevent redirect-based attacks
- Reduced attack surface: curated property allowlist and feature restrictions
For existing customers using third-party applications: Your existing applications continue to work exactly as they do today — no changes required. A 6-month migration window gives you time to adopt enhanced security controls for new application creation. Review the migration guide for detailed steps.
To learn more, visit the Third-Party Applications documentation.
- Apr 28, 2026
- Date parsed from source: Apr 28, 2026
- First seen by Releasebot: Apr 29, 2026
Self-Service Domain Verification now in General Availability!
Auth0 adds Self-Service Domain Verification in General Availability, letting customer IT admins verify email domains for HRD in the SSO setup assistant. It brings flexible domain controls, self-service management, and support for Organization Discovery when enabled.
We're excited to announce that Self-Service Domain Verification is now in General Availability! Allow your customers' IT admins to verify their own email domains for HRD directly within the SSO setup assistant — no back-and-forth with your team required.
Key Advantages at a Glance:
- Proven ownership: IT admins verify domains via DNS TXT record.
- Flexible requirements: Configure domain verification as off, optional, or required — per customer engagement.
- Domain management: IT admins can now add, re-verify, and delete domains entirely through self-service.
- Enterprise-ready controls: Pre-configure domains for your customers to verify, or pre-verify domains on their behalf — with verified domains automatically powering Organization Discovery when enabled.
To dive deeper, please review our updated documentation on Self-Service Enterprise Configuration.
- Apr 28, 2026
- Date parsed from source: Apr 28, 2026
- First seen by Releasebot: Apr 29, 2026
Organization Discovery by Domain now in General Availability!
Auth0 adds Organization Discovery by Domain in General Availability, automatically routing users to the right identity provider from their email domain before login. It supports multi-org routing, smoother B2B sign-in, and flexible email, org-name, or combined discovery.
We're thrilled to announce that Organization Discovery by Domain is now in General Availability! Automatically identify your customers' users and route them to the right identity provider based on their email domain — before they even reach the login screen.
Key Advantages at a Glance:
- Automatic routing: Direct users to their organization's IdP the moment they enter their email — no manual org selection required.
- Multi-org support: When a single domain maps to multiple organizations, an org picker ensures users land in the right place.
- Seamless B2B login: Eliminate the friction of Home Realm Discovery by adding full organization context to the pre-login flow.
- Flexible configuration: Support email-based, org-name-based, or combined discovery to match your customers' login requirements.
To dive deeper, please review our documentation here.
- Apr 28, 2026
- Date parsed from source: Apr 28, 2026
- First seen by Releasebot: Apr 29, 2026
New Identity, Same Great Features: Self-Service SSO is now Self-Service Enterprise Configuration
Auth0 renames Self-Service Enterprise Configuration to better reflect its full suite for SSO, domain verification, Google Directory Sync, and user provisioning, while keeping the same behavior and functionality.
The new name better reflects the full scope of the suite, which includes:
- Single Sign-On (SSO): Allow enterprise customers to configure and maintain SSO for their applications.
- Domain Verification: Self-managed domain verification and mapping for IT admins.
- Google Directory Sync: Keep user attributes synchronized across systems.
- User Provisioning: Automate the user lifecycle through SCIM 2.0.
No functional changes — everything works the same. For full details, see the Self-Service Enterprise Configuration documentation.
- Apr 28, 2026
- Date parsed from source: Apr 28, 2026
- First seen by Releasebot: Apr 29, 2026
Self-Service Provisioning now in General Availability!
Auth0 releases Self-Service Provisioning in General Availability, giving customer IT teams more control over onboarding and offboarding while reducing manual work and support tickets. It adds self-managed SCIM setup, broader IdP interoperability, a unified schema, and flexible attribute mapping overrides.
We’re thrilled to announce that the Self-Service Provisioning experience is now in General Availability! Empower your customers' IT teams to handle user onboarding and offboarding themselves, which means less manual work and fewer support tickets for your team.
Key Advantages at a Glance
- Automation: Allow your customer's admins to manage their own SCIM setup.
- Interoperability: Ensure seamless integration with a wide variety of customer IdPs.
- Consistency: Use a single, unified schema for easier support and debugging.
- Flexibility: Retain the ability to override attribute mappings for specific protocols if needed.
To dive deeper, please review our updated documentation on Self-Service Enterprise Configuration.
- Apr 23, 2026
- Date parsed from source: Apr 23, 2026
- First seen by Releasebot: Apr 24, 2026
Auth0 Private Cloud Now Available on Azure in Japan
Auth0 adds Azure Japan East support for Private Cloud, expanding in-country deployment options for Japanese organizations.
Auth0 Private Cloud is now supported in the Azure Japan East (Tokyo) region!
Japan already has Auth0 coverage through AWS Private Cloud and our Public Cloud environment, and this addition brings Azure into the mix for the first time. Organizations can now deploy Auth0 Private Cloud in-country on Azure, giving them a dedicated identity infrastructure with the latency and data residency benefits of a local deployment.
This expansion reflects our ongoing commitment to meeting customers where they are — on the cloud platform and in the geography that works best for them.