We are actively migrating customers to new behaviors for all deprecations listed below. Please review these carefully to ensure you’ve taken any necessary steps to avoid service disruption. You can also search tenant logs for any errors caused by using deprecated features. To learn more, read Search Logs for Deprecation Errors. If you have any questions, visit the Community or create a ticket in our Support Center. To learn more, you can also read Migration Process.

Extended Attributes in Azure Active Directory (v1) Identity API Connections

Deprecated: June 18, 2025 End of life: September 1, 2025 Due to the Azure AD Graph deprecation and scheduled retirement, Auth0 will no longer support enabling extended attributes-related options in Microsoft Azure AD (strategy=waad) connections configured to use the Azure Active Directory (v1) Identity API. If you received a notification via email, one or more of your tenants one or more tenants associated with your Auth0 tenant admin user account haa a Microsoft Azure AD connection targeting the Azure Active Directory (v1) identity API and configured to obtain extended attributes and could potentially be impacted. You must review applicable tenants. For connections dependent on the deprecated functionality, you must either:
  • Update connections to target Microsoft Identity Platform (v2) so that Microsoft Graph endpoints are used instead of the deprecated Azure AD Graph when retrieving extended attributes information.
  • Turn off all the extended attributes options.
Although the second option above would allow you to maintain connections targeting the Azure Active Directory (v1) identity API if the extended information is unnecessary, the general recommendation is to target Microsoft Identity Platform (v2). To learn more, read Connect Your App to Microsoft Azure Active Director. For more information on the deprecation, contact Auth0 Support.

Real-Time Webtask Logs Extension

Deprecated: June 18, 2025 End of life: September 16, 2025 The Real-time Webtask Logs extension is deprecated and has a planned end-of-life (EOL) after September 16, 2025.  As a replacement, the Actions Real-time Logs feature is directly available within the Auth0 Dashboard. The extension will cease to be available for new installations, but tenants with the extension already installed will maintain access until the planned EOL.

Remove Access to Specific Event Request Properties in Actions

Deprecated: June 18, 2025 End of life: September 16, 2025 Auth0 will restrict access to additional property names within the event.request.query and event.request.body objects when executing Actions for the post-login and credentials-exchange triggers. Only tenants identified as using Actions to reference request properties planned for restriction will maintain access until September 16, 2025. The service will restrict the following property names in the request-related objects:
  • auth_session
  • authn_response
  • client_secret
  • client_assertion
  • refresh_token
Deprecated: May 13, 2025 End of life: November 13, 2025 When updating a SMTP email provider’s host, port, or username using a PATCH request to the /api/v2/emails/provider endpoint, you may need to specify a password for the credentials.smtp_pass field. A SMTP email provider’s credentials object supports the following fields:
  • credentials.smtp_pass: SMTP email provider’s password
  • credentials.smtp_host: SMTP email provider’s host
  • credentials.smtp_port: SMTP email provider’s port
  • credentials.smtp_user: SMTP email provider’s username
Auth0 requires an explicit value for the credentials.smtp_pass field in the following cases:
  • When you’re updating a SMTP email provider’s credentials.smtp_host, credentials.smtp_port, or credentials.smtp_user fields with a value that is different from the existing value or updating just a subset of those three fields.
Auth0 does not require an explicit value for the credentials.smtp_pass field in the following cases:
  • When you’re updating a SMTP email provider and the request body includes the same values as the existing values for the credentials.smtp_host, credentials.smtp_port, and credentials.smtp_user fields.

Unwarranted Session Removal After Management API User Updates

Deprecated: February 11, 2025 End of life: August 19, 2025 The Update a user endpoint (PATCH /api/v2/users/{id}) will no longer invalidate user sessions for database connection users when:
  • The email or email_verified attributes are set to an unchanged value.
  • The email_verified attribute is set to a true value.

Node.js 12 and 16 Extensibility Runtimes

Deprecated: February 10, 2025 End of life: August 15, 2025 Node.js 12 and 16 extensibility runtimes will gradually become unavailable across Auth0 tenants. Once removed, all extensibility integrations, such as Actions, Rules, Hooks, Custom Database Connections, and Custom Social Connections, will be forced to run on Node 22. For technical resources relevant to migrating to Node 22, read Migrate from Node 12 and 16 to Node 18 and Migrate from Node 18 to Node 22.

Mandatory Use of SNI for HTTPS requests

Deprecated: October 29, 2024 End of life: April 29, 2025 The Auth0 service will mandate using Server Name Indication (SNI) for all HTTPS requests. SNI is an extension to the TLS protocol that allows the client to indicate the hostname to which it intends to connect at the start of the handshake process. Since their creation, the vast majority of our private cloud environments and some of our public cloud environments have enforced the SNI requirement. For example, the CA-1, JP-1, and UK-1 public cloud environments always required SNI. With this change, the SNI requirement will apply to the remaining environments. For more detailed information on environment-specific timelines, read the End-of-Life Rollout for Mandatory Use of SNI for HTTPS Requests article.

New Management API Scopes Required for Connection Options

Deprecated: October 24, 2024 End of life: April 24, 2025 Requests to the following Management API endpoints will require the read:connections_options scope to view the options field: Requests to the following Management API endpoints will require the update:connections_options to modify the options field:

Protected Properties in Non-Custom Social Connections

Deprecated: July 30, 2024 End of life: January 31, 2025 Management API endpoints for connections (GET, POST, and PATCH) will no longer allow retrieving or setting values for the following protected properties in the context of the options object for non-custom social connections:
  • authorizationURL
  • tokenURL
  • userInfoUrl
  • baseUrl
  • userAuthorizationURL
  • grant_type
Non-custom social connections refer to any social connection whose implementation logic is controlled entirely within the Auth0 service itself. This category excludes any connections explicitly created as custom social connectors or those available as Marketplace integrations that rely on custom social connection functionality.

Always Use HTTPS for Communication with Auth0

Deprecated: September 4, 2024 End of life: October 4, 2024 Starting October 4, 2024, Auth0 will no longer automatically redirect API requests using unencrypted HTTP to secure HTTPS and will respond with an error. To avoid any disruption in service, update any HTTP URLs you use or publish to use HTTPS instead.

Management API Transition: Updating Roles Assignment to Require Create Scope

Deprecated: March 7, 2024 End of life: September 10, 2024 Auth0 is updating the Management API scopes for the User-Roles endpoint (POST /api/v2/users/{id}/roles) to represent their intended permissions. Currently, roles can be assigned to users with read:roles scope via the Management API. This capability is being deprecated, and role updates will require the create:role_members scope.

Update Applications that use Cross-Origin Authentication

Deprecated: April 25, 2024 End of life: October 10, 2024 New applications created in Auth0 will have cross-origin authentication disabled by default. Calls to some Management API endpoints (Get Clients, Get Client by ID) will need to be modified to use cross_origin_authentication.

Rules and Hooks Deprecations

Deprecated: May 16, 2023 Read-only transition: November 18, 2024 End-of-life: TBA On November 18, 2024, active Rules and Hooks will continue to execute, but will degrade to read-onlymode. Auth0 has delayed the removal of Rules and Hooks functionality to a future date. Read-only Rules and Hooks can be turned on and off and their respective configuration values or secrets can be modified, but their source code cannot be edited via the Dashboard or Management API, including CI/CD tooling like Terraform and Auth0 Deploy CLI. If you will be unable to migrate to Actions ahead of the read-only transition, ensure that any automated CI/CD flow you have configured to deploy tenant configuration changes does not attempt to perform unsupported management operations on Rules and Hooks. For more information, read Migrate from Rules to Actions and Migrate from Hooks to Actions.

Deprecate opt-in to WCAG 2.2 AA Compliant UI for Universal Login

Deprecated: August 23, 2024 End of Life: July 31st, 2025 On February 23rd, 2025, Auth0 will remove the ability to use the legacy, non-compliant UI for . The new WCAG compliant version ensures that end users, including those who rely on assistive technology, can access and engage with a customer’s product or service. Read our Universal Login Accessibility documentation for more information.

Learn more