Auth0 Home Blog Docs

April 1st Migrations / Deprecations FAQ


We have created a new Deprecation Guide to help you select the best migration path for your application(s) if you are impacted by the deprecation notice.

We have also created a Deprecation Error Reference guide to provide assistance with searching your logs for deprecation related messages as well as explanations of potential causes and resolutions for particular items.

In our previous notification, we informed you that certain endpoints (/usernamepassword/login and /ssodata) would be removed from service on April 1, 2018. This update is to notify you that the Removal of Service date for those endpoints has been extended to July 16, 2018.

We still encourage you to migrate your applications to the latest version of Lock 11 and Auth0.js 9 as soon as possible in order to ensure that your applications continue to function properly. Please refer to our migration guides for instructions on upgrading your Auth0 implementation if necessary.

What is happening?

Auth0 will be removing the set of endpoints (usernamepassword/login, /ssodata ) used by Lock.js 7, 8, 9 and 10 and auth0.js, 6, 7, 8. on April 1st 2018.

This will only affect customers that are using embedded login, If you’re currently using our Hosted Login Page, no action is needed but migrating to the latest version of Lock (11.3+) is recommended. Using our Hosted Login Page is referred to as using a Universal Login experience. Please read the differences between using Embedded Login vs Universal Login here: Universal vs Embedded Login

What does deprecated mean in this context?

Lock 7,8,9 and 10, and Auth0.js 6, 7, 8 will stop working in embedded mode on April 1st.

I’m not sure what those endpoints mean, how do I know if I’m prepared for April 1st?

Check your logs for “Deprecation Notice” warnings in the Auth0 Dashboard, if any deprecated features are being used, a “Deprecation Notice” message will show up in the “Logs” section of the dashboard.

If you see a Legacy Lock API deprecation notice, then you’re using one of the endpoints being removed on April 1st.

Then look for the Legacy Lock API toggle under your tenant’s advanced settings and turn it off. Doing so mimics the behavior you will see on April 1st, so that you can test client applications and make sure everything works as expected.

I don’t see the Legacy Lock API toggle, what can I do?

If you don’t see the toggle, the features that we are deprecating on April 1st are already off for your account and these deprecations don’t affect you.

Are Auth0’s native mobile libraries / SDKs affected? Eg iOS and Android.

Mobile SDKs usually either open a browser window and use Auth0’s hosted login page, or use a different endpoint other than the legacy endpoints we are removing, so no action is needed in this case.

How does this affect the Passwordless Lock?

Passwordless is not affected.

How does this affect the reset password functionality?

The reset password functionality is not directly affected.

Can I get an extension for the removal date?

It’s not possible to get an extension for the removal date. Lock 7,8,9 and 10, and Auth0.js 6, 7, 8 will stop working in embedded mode on April 1st.

Why are you making this change?

This change will provide better security for your customers and is in better compliance with OIDC standards.

What should I do if I’m using embedded login?

Our recommendation to customers is to use Universal Login, (the guide above explains the pros and cons in more detail). See Migrating from Embedded to Universal here: Migrating to Universal Login

Is it possible to serve the Hosted Login Page in my own Domain?

Custom domains is now available for tenants marked as development or production that have a developer, developer pro or enterprise subscription. You can find our Custom Domain documentation here:

Is there any other option to migrate to?

If you don’t want to use the Hosted Login Page, you can use Lock 11.3+ in embedded mode. Please take into consideration that it uses Cross Origin authentication which uses Third Party cookies. There might be cases when these cookies are disabled in some browsers which may prevent Lock 11 to work properly in embedded mode. You can find the browser testing matrix here.

To avoid the need to use Third Party cookies, you would need to configure a custom domain in your tenant. It should have the same top level domain as the application (i.e. for the app and for the custom domain).

Custom Domains are only available on developer, developer pro and enterprise subscriptions. If you have a Free account, it’s recommended that you use the Hosted Login Page instead.

Lock v10 to v11 Migration Guide

Auth0.js v8 to v9 Migration Guide

Does this mean that username and password login will no longer be available at all after April 1st?

Username and password login will continue to work through a new endpoint of our Authentication API.

What happens if I am using SSO?

Lock 11 in embedded form works with SSO if you have a Custom Domain and all the sites that participate in the transaction are in the same top level domain. For the rest of the scenarios you need to use Universal Login (the hosted login page) with our without custom domains.

What will happen to the rest of the endpoints that were mentioned on the December 26th notification?

We have delayed those deprecations until further notice. For now, we are only going to deprecate the usernamepassword/login and the ssodata endpoints of the Authentication API when used by Auth0.js and Lock in embedded mode.

Roadmap Changes: What about passwordless ?
Public Disclosure FAQ




I don’t seem to have received a notification of this deprecation although I do regularly get auth0 email updates and am an admin for our auth0 account. There is nothing in my email spam folder.

Is there a way for me to confirm that I am set up to be receiving critical notifications like this?




I don’t believe there’s a way for you to opt-out of operational emails so if the email address is an administrator it will receive notifications that are sent by email (have in mind that not all notifications are by email, but the Auth0 Roadmap and Deprecations sent a few months back was by email). You should also be able to access notification on demand by going to


Ok Thanks. I will keep an eye on



Is this affecting the WordPress plugin already?

I’m getting 404 on

Just trying to setup a new WordPress site with Auth0

Have raised ticket: 37828


So will auth0.popup.loginWithCredentials continue to work or is that going to be deprecated as well?


More information can be found in the Updated Deprecation topic


We have provided updated information around the deprecation