> ## Documentation Index > Fetch the complete documentation index at: https://auth0.com/llms.txt > Use this file to discover all available pages before exploring further. > Lists all deprecations with active migrations that may impact your tenant. # Deprecations and Migrations We are actively migrating customers to new behaviors for all deprecations listed below. Please review these carefully to ensure you've taken any necessary steps to avoid service disruption. You can also search tenant logs for any errors caused by using deprecated features. If you have any questions, visit the [Community](https://community.auth0.com/) or [create a ticket in our Support Center](https://support.auth0.com). To learn more, you can also read [Migration Process](/docs/troubleshoot/product-lifecycle/migration-process). ## Enhanced Security for Third-Party Applications **Deprecated**: April 23, 2026 **End of life**: October 23, 2026 Auth0 is introducing enhanced security controls for third-party applications that align with OAuth 2.1 best practices. Starting on the end-of-life date, when you create a new third-party application via `POST /api/v2/clients` without specifying a `third_party_security_mode`, Auth0 will apply enhanced security controls (`strict`) automatically. This change only affects tenants that were using third-party applications before April 23, 2026, and only impacts newly created applications. Your existing third-party applications will continue to work as they do today with no changes required. Enhanced controls provide explicit API authorization, mandatory use of PKCE, and a focused feature set aligned with OAuth 2.1 and security best practices. To prepare for this change, review [Migrate to Enhanced Security for Third-Party Applications](/docs/troubleshoot/product-lifecycle/deprecations-and-migrations/migrate-to-enhanced-security-third-party-applications) to verify your affected status, configure default API permissions, and choose your migration path. ## Legacy management of connection's enabled clients **Deprecated**: January 13, 2026 **End of life**: July 13, 2026 The `enabled_clients` field, within the Management API connection object, is deprecated in the following scenarios: * [Retrieving multiple connections](https://auth0.com/docs/api/management/v2/connections/get-connections) using (GET - `/api/v2/connections`). * [Retrieving a connection](https://auth0.com/docs/api/management/v2/connections/get-connections-by-id) using (GET - `/api/v2/connections/{id}`). * [Updating a connection](https://auth0.com/docs/api/management/v2/connections/patch-connections-by-id) using (PATCH - `/api/v2/connections/{id}`). As an alternative to the deprecated functionality, two new Management API endpoints are available: * [Get enabled clients for a connection](https://auth0.com/docs/api/management/v2/connections/get-connection-clients). * [Update enabled clients for a connection](https://auth0.com/docs/api/management/v2/connections/patch-clients). To prepare for this change and ensure your integrations continue to function smoothly, review [Migrate Enabled Client Management to Dedicated Connection Endpoints](/docs/troubleshoot/product-lifecycle/deprecations-and-migrations/migrate-dedicated-connection-endpoints) to verify your affected status and migrate to the new endpoints. ## Weak TLS 1.2 Cipher Suites **Deprecated**: December 10, 2025 **End of life**: June 10, 2026 After the end-of-life date, we will require the use of modern ciphers when connecting to Auth0 service endpoints and web applications. We will remove support for TLS 1.2 cipher suites that no longer provide sufficient security to protect network communications. More specifically, the change to supported cipher suites applies to: * Public and private cloud tenants' default domains; for example, `[tenant_name].eu.auth0.com.` * Public and private cloud tenants' custom domains. * Service-related web applications, such as the Dashboard (`manage.auth0.com`) or the Marketplace (`marketplace.auth0.com`). * The Auth0 Content Delivery Network (CDN). To learn more, read [Auth0 Public Cloud Service Endpoints](/docs/troubleshoot/customer-support/operational-policies/public-cloud-service-endpoints). The list of discontinued cipher suites is available below. The list contains the unique hex code that identifies each cipher alongside its [IANA](https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4) name; for the corresponding OpenSSL names, follow the links to `ciphersuite.info`. TLS 1.2 ciphers scheduled for removal: * 0xC0, 0x09 - [TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_CBC\_SHA](https://ciphersuite.info/cs/TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA/) * 0xC0, 0x0A - [TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA](https://ciphersuite.info/cs/TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA/) * 0xC0, 0x23 - [TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_CBC\_SHA256](https://ciphersuite.info/cs/TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256/) * 0xC0, 0x24 - [TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA384](https://ciphersuite.info/cs/TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384/) * 0xC0, 0x13 - [TLS\_ECDHE\_RSA\_WITH\_AES\_128\_CBC\_SHA](https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA/) * 0xC0, 0x14 - [TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA](https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA/) * 0xC0, 0x27 - [TLS\_ECDHE\_RSA\_WITH\_AES\_128\_CBC\_SHA256](https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256/) * 0xC0, 0x28 - [TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA384](https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384/) * 0x00, 0x9C - [TLS\_RSA\_WITH\_AES\_128\_GCM\_SHA256](https://ciphersuite.info/cs/TLS_RSA_WITH_AES_128_GCM_SHA256/) * 0x00, 0x2F - [TLS\_RSA\_WITH\_AES\_128\_CBC\_SHA](https://ciphersuite.info/cs/TLS_RSA_WITH_AES_128_CBC_SHA/) * 0x00, 0x9D - [TLS\_RSA\_WITH\_AES\_256\_GCM\_SHA384](https://ciphersuite.info/cs/TLS_RSA_WITH_AES_256_GCM_SHA384/) * 0x00, 0x35 - [TLS\_RSA\_WITH\_AES\_256\_CBC\_SHA](https://ciphersuite.info/cs/TLS_RSA_WITH_AES_256_CBC_SHA/) * 0x00, 0x3C - [TLS\_RSA\_WITH\_AES\_128\_CBC\_SHA256](https://ciphersuite.info/cs/TLS_RSA_WITH_AES_128_CBC_SHA256/) * 0x00, 0x3D - [TLS\_RSA\_WITH\_AES\_256\_CBC\_SHA256](https://ciphersuite.info/cs/TLS_RSA_WITH_AES_256_CBC_SHA256/) ## Prompt for Organization Name Without SSO **Deprecated**: October 31, 2025 **End of life**: May 1, 2026 Login flows initiated in the context of client applications associated with business users (`organization_usage=require`) and configured to prompt for the organization at the start of the login flow (`organization_require_behavior=pre_login_prompt`) will consider an existing authenticated session. Previously, the service prompted the user for the organization name and the user would subsequently be required to complete a login. For example, a user with a password-based account needed to re-enter their credentials even if an authenticated session was valid for the selected organization. ## Unconfirmed Login with Non-Verifiable Callback URI Redirects **Deprecated**: October 28th, 2025 **End of life**: April 28th, 2026 Auth0 recommends the transition to HTTPS-based callbacks using [Android App Links](https://developer.android.com/training/app-links#android-app-link) and [Apple Universal Links](https://developer.apple.com/documentation/xcode/allowing-apps-and-websites-to-link-to-your-content) whenever possible for all native applications using the [Authorization Code Flow](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce) to enhance security and mitigate risks of application impersonation and phishing attacks. Additionally, Auth0 is implementing a new login confirmation prompt for authentication requests that utilize custom URI schemes or loopback URIs as the callback. This prompt will appear in situations where a response was previously returned without requiring user interaction.. Review [Migrate to Non-Verifiable Callback URI End-User Confirmation](/docs/troubleshoot/product-lifecycle/deprecations-and-migrations/migrate-to-non-verifiable-callback-uri-end-user-confirmation) to learn more details. ## Audience Validation for Private Key JWT Authentication **Deprecated**: October 6, 2025 **End of life**: April 8, 2025 When validating [JWT assertions used for client application authentication](/docs/get-started/authentication-and-authorization-flow/authenticate-with-private-key-jwt), **Auth0 will impose stricter requirements and accept only a tenant's issuer identifier as a single JSON string value in the `aud` (audience) claim**. The possibility of providing an `aud` claim with either one of the approaches listed below is deprecated, and the service will stop supporting them after the end-of-life date: * A JSON array of strings, provided that one of the entries contains a valid issuer identifier or endpoint URL for the respective tenant and endpoint the client authenticates against. * A single JSON string representing a valid endpoint URL for the respective tenant and endpoint the client authenticates against. Ahead of the end-of-life date, OIDC enterprise connections configured to use Private Key JWT in authenticated requests to the upstream identity provider will receive the capability to allow the use of the applicable issuer identifier represented as a JSON string in the "aud" claim included in JWT assertions. ## Extended Attributes in Azure Active Directory (v1) Identity API Connections **Deprecated**: June 18, 2025 **End of life**: September 1, 2025 Due to the [Azure AD Graph deprecation](https://learn.microsoft.com/en-us/graph/migrate-azure-ad-graph-overview) and scheduled [retirement](https://techcommunity.microsoft.com/blog/microsoft-entra-blog/what%E2%80%99s-new-in-microsoft-entra-%E2%80%93-june-2025/4352579#community-4352579-toc-hId--1605859169), Auth0 will no longer support enabling extended attributes-related options in Microsoft Azure AD (`strategy=waad`) connections configured to use the Azure Active Directory (v1) Identity API. If you received a notification via email, one or more of your tenants may have a Microsoft Azure AD connection targeting the **Azure Active Directory (v1)** identity API and configured to obtain extended attributes and could potentially be impacted. You must review applicable tenants. For connections dependent on the deprecated functionality, you must either: * Update connections to target **Microsoft Identity Platform (v2)** so that Microsoft Graph endpoints are used instead of the deprecated Azure AD Graph when retrieving extended attributes information. * Turn off all the extended attributes options. Although the second option above would allow you to maintain connections targeting the **Azure Active Directory (v1)** identity API if the extended information is unnecessary, the general recommendation is to target **Microsoft Identity Platform (v2)**. To learn more, read [Connect Your App to Microsoft Azure Active Director](/docs/authenticate/identity-providers/enterprise-identity-providers/azure-active-directory/v2). For more information on the deprecation, contact [Auth0 Support](https://support.auth0.com/). ## Real-Time Webtask Logs Extension **Deprecated**: June 18, 2025 **End of life**: September 16, 2025 The Real-time Webtask Logs extension is deprecated and has a planned end-of-life (EOL) after September 16, 2025.  As a replacement, the [Actions Real-time Logs](/docs/customize/actions/actions-real-time-logs) feature is directly available within the Auth0 Dashboard. The extension will cease to be available for new installations, but tenants with the extension already installed will maintain access until the planned EOL. ## Remove Access to Specific Event Request Properties in Actions **Deprecated**: June 18, 2025 **End of life**: September 16, 2025 Auth0 will restrict access to additional property names within the `event.request.query` and `event.request.body` objects when executing Actions for the [`post-login`](/docs/customize/actions/explore-triggers/signup-and-login-triggers/login-trigger) and [`credentials-exchange`](/docs/customize/actions/explore-triggers/machine-to-machine-trigger) triggers. Only tenants identified as using Actions to reference request properties planned for restriction will maintain access until **September 16, 2025**. The service will restrict the following property names in the request-related objects: * `auth_session` * `authn_response` * `client_secret` * `client_assertion` * `refresh_token` ## Multiple Actions for Custom Phone and Email Provider Triggers **Deprecated:** June 16, 2025 **End of life:** December 16, 2025 Auth0 is introducing a maximum limit of one Action for Actions associated with the following triggers: * `custom-phone-provider` * `custom-email-provider` This limitation applies to the Management API [Create an Action](https://auth0.com/docs/api/management/v2/actions/post-action) endpoint (`POST` - `/api/v2/actions/actions`). Once the newly introduced limit becomes effective for a given tenant, attempts to create multiple actions for these triggers will fail. ## Uncustomizable Brute-force Protection Unblock Email Flow **Deprecated:** June 9, 2025 **End of life:** December 9, 2025 An updated version of the email-based unblock flow for [Brute-force Protection](/docs/secure/attack-protection/brute-force-protection) supports customization and localization through Universal Login and improves the experience for situations where email security scanners process the unblock email is available. ## Field `fromSandbox` in Authentication API Error Responses **Deprecated:** June 11, 2025 **End of life:** December 11, 2025 Authentication API error responses will no longer return the `fromSandbox` field for flows requiring custom database script invocation. For example, an API error response in the context of an end-user signup flow for a custom database connection will no longer return this field. ## Allow Omitting Password on SMTP Email Provider Host-Related Changes **Deprecated:** May 13, 2025 **End of life:** November 13, 2025 When updating a SMTP email provider’s host, port, or username using a `PATCH` request to the [`/api/v2/emails/provider endpoint`](https://auth0.com/docs/api/management/v2/emails/patch-provider), you may need to specify a password for the `credentials.smtp_pass` field. A SMTP email provider’s credentials object supports the following fields: * `credentials.smtp_pass`: SMTP email provider’s password * `credentials.smtp_host`: SMTP email provider’s host * `credentials.smtp_port`: SMTP email provider’s port * `credentials.smtp_user`: SMTP email provider’s username Auth0 requires an explicit value for the `credentials.smtp_pass` field in the following cases: * When you’re updating a SMTP email provider’s `credentials.smtp_host`, `credentials.smtp_port`, or `credentials.smtp_user` fields with a value that is different from the existing value or updating just a subset of those three fields. Auth0 does not require an explicit value for the `credentials.smtp_pass` field in the following cases: * When you’re updating a SMTP email provider and the request body includes the same values as the existing values for the `credentials.smtp_host`, `credentials.smtp_port`, and `credentials.smtp_user` fields. ## Unrestricted Offset Pagination in Connections Management API **Deprecated**: April 29, 2025 **End of life**: October 27, 2025 The offset-based pagination available for the Management API [get all connections](/docs/api/management/v2/connections/get-connections) endpoint will no longer support retrieving a paginated result beyond the first 1000 connections. For example, the service will return an error response if `page=30&per_page=50` or `page=15&per_page=100` is used. In both situations, multiplying the number of records requested per page by the requested page index plus one (to account for the page index being zero-based) results in the request surpassing the initial 1000 connections. Per the above, with a page size of 50, the last page index that you can request without errors is 19 (`page=19&per_page=50`), and with the maximum page size of 100, you can request up to page index number 9 (`page=9&per_page=100`). Conditions that surpass the limit trigger the error even if the tenant associated with the request has fewer than 1000 connections. ## Node.js 12 and 16 Extensibility Runtimes **Deprecated**: February 10, 2025 **End of life**: August 15, 2025 Node.js 12 and 16 extensibility runtimes will gradually become unavailable across Auth0 tenants. Once removed, all extensibility integrations, such as Actions, Rules, Hooks, Custom Database Connections, and Custom Social Connections, will be forced to run on Node 22. For technical resources relevant to migrating to Node 22, read [Migrate from Node 12 and 16 to Node 18](/docs/troubleshoot/product-lifecycle/past-migrations/migrate-nodejs-16-to-nodejs-18) and [Migrate from Node 18 to Node 22](/docs/troubleshoot/product-lifecycle/deprecations-and-migrations/migrate-nodejs-22). ## New Management API Scopes Required for Connection Options **Deprecated**: October 24, 2024 **End of life**: July 8, 2025 Requests to the following Management API endpoints will require the `read:connections_options` scope to view the `options` field: * [Connections > Get all connections](https://auth0.com/docs/api/management/v2/connections/get-connections) * [Connections > Get a connection](https://auth0.com/docs/api/management/v2/connections/get-connections-by-id) Requests to the following Management API endpoints will require the `update:connections_options` to modify the `options` field: * [Connections > Update a connection](https://auth0.com/docs/api/management/v2/connections/patch-connections-by-id) ## Rules and Hooks Deprecations **Deprecated**: May 16, 2023 **Read-only transition**: November 18, 2024 **End-of-life:** November 18th, 2026 After November 18th, 2026, Rules and Hooks will stop being executed and removed. On November 18, 2024, active Rules and Hooks will continue to execute, but will degrade to read-only mode. Auth0 has delayed the removal of Rules and Hooks functionality to a future date. Read-only Rules and Hooks can be turned on and off and their respective configuration values or secrets can be modified, but their source code cannot be edited via the Dashboard or Management API, including CI/CD tooling like Terraform and Auth0 Deploy CLI. If you will be unable to migrate to Actions ahead of the read-only transition, ensure that any automated CI/CD flow you have configured to deploy tenant configuration changes does not attempt to perform unsupported management operations on Rules and Hooks. For more information, read [Migrate from Rules to Actions](/docs/customize/actions/migrate/migrate-from-rules-to-actions) and [Migrate from Hooks to Actions](/docs/customize/actions/migrate/migrate-from-hooks-to-actions). ## Opt-in to WCAG 2.2 AA Compliant UI for Universal Login **Deprecated:** August 23, 2024 **End of Life:** July 31st, 2025 Auth0 will remove the ability to use the legacy, non-compliant UI for Universal Login. The new WCAG compliant version ensures that end users, including those who rely on assistive technology, can access and engage with a customer’s product or service. Read our [Universal Login Accessibility documentation](/docs/authenticate/login/auth0-universal-login) for more information. ## Learn more * [Migration Process](/docs/troubleshoot/product-lifecycle/migration-process) * [Past Migrations](/docs/troubleshoot/product-lifecycle/past-migrations)