August 27 Auth0 Community Ask Me Anything: Actions

We’re excited to invite you to our next online Auth0 Community Ask Me Anything (AMA) on August 27, 2025, with Gaston Danilo Asis Sanchez, Senior Technical Product Manager, where we will dive into Auth0 Actions.

This is your opportunity to get the inside scoop on how Actions can supercharge your authentication flow. Learn how the latest features, like Actions Transaction Metadata and Actions Types can help you create more flexible and powerful identity experiences. Whether you’re a developer looking to streamline your workflows or a product owner aiming for a more robust and adaptable system, this session will show you how to leverage Actions to deliver a seamless user journey.

How it Works

From August 11 to August 26, 2025, Auth0 developers, customers, and community members are invited to submit their questions about Actions right here in the Auth0 Community. Just click “Reply” on this dedicated thread. Then, on August 27, from 9:00 AM to 11:00 AM PST, our product expert will be online and actively responding with detailed written answers to all questions submitted during the two-week period.

As a bonus, everyone who participates will earn points and a special community badge!

What You’ll Learn

What Actions capability is, how it works, and why it matters
How to use new features like Actions Transaction Metadata to enhance your authentication flows and Actions Types to improve your developer experience.
A look into the future roadmap of what’s coming, including Actions Modules
Insights into the key benefits of the latest updates and how they can help you solve common identity challenges
Answers to your specific technical or strategic implementation questions

Submit your questions by clicking the “Reply” button below anytime between today, August 11, and August 26, 2025.

Featured Expert

Gaston Danilo Asis Sanchez, Senior Technical Product Manager

Profile (1)1920×1920 189 KB

Gaston is a Product Manager at Auth0, focusing on Auth0 Actions, Webtasks, and Auth0 Forms. His journey at Auth0 began four years ago in Professional Services, where he guided numerous customers through their integration processes. He also spent two years working for an Auth0 customer, assisting with the integration of their various product units.

What are the documented RTO and RPO values for public cloud tenants, and are there any options — like dual-region active-active setups — to reduce or eliminate downtime during regional failures?

Are there any plans to enable Action Log streaming to i.e Grafana/ELK?

We appreciate your participation in the AMA thread by posting a question!
Your AMA Participant badge will be awarded once the event concludes-stay tuned!

Thanks for the session!

Are there plans to add a Post Delete User trigger/Action so we can automatically run cleanups when a user is deleted?

Are there plans to support social/other non-database connections for Pre User Registration and other triggers?

Today, Actions Transaction Metadata is limited to a post-login trigger only. Are there plans to support other triggers?

How can I use Auth0 Actions to conditionally control passkey progressive enrollment based on user metadata fields in my Username-Password-Authentication database connection? In my Database Connections, I enable passkeys and enable Progressive Enrollment. We use universal login. Here is my logic for actions. However, I do not know how to interrupt and resume the passkey enrollment based on user metadata fields.

Code:
exports.onExecutePostLogin = async (event, api) => {
const DEBUG = true;
console.log(‘Here’);
console.log(event.user);
if (event.user.user_metadata.passkeyOptIn) {
DEBUG ? console.logUser ${event.user.user_id} has passkey opt in enabled ) : null;
try {
// Set up the connection to the management API (act as the management API client).
const ManagementClient = require(‘auth0’).ManagementClient;
const management = new ManagementClient({
domain: event.secrets.domain,
clientId: event.secrets.clientId,
clientSecret: event.secrets.clientSecret,
});
// Get all authentication methods for the user
// Endpoint: GET /api/v2/users/{id}/authentication-methods
const authMethodsResponse = await management.users.getAuthenticationMethods({ id: event.user.user_id });
//console.log(‘authMethods:’, authMethodsResponse);
// Filter only passkey authentication methods
const passkeys = Array.isArray(authMethodsResponse.data)
? authMethodsResponse.data.filter(method => method.type === ‘passkey’)
: ;
console.log(‘passkeys:’, passkeys);
if (!passkeys.length) {
// You can trigger something here, e.g., set a flag or send a prompt.
if (DEBUG) {
console.logUser ${event.user.user_id} does NOT have a passkey enrolled. );
}
// Create authentication methods
I do not know how to resume passkey enrollment.

}catch (e) {
DEBUG ? console.log(e) : null;
// Rethrow the exception so Auth0 handles it and the error shows up at that level.
throw e
}
}
};

When should we prefer Actions Cache vs. Transaction Metadata? Thank you!

We appreciate your participation in the AMA thread by posting a question!
Your AMA Participant badge will be awarded once the event concludes-stay tuned!

We appreciate your participation in the AMA thread by posting a question!
Your AMA Participant badge will be awarded once the event concludes-stay tuned!

What are the best practices for ensuring performance and reliability when implementing a large number of Actions?

Is there a way within Auth0 Actions to force a re-login?

For example, in a post-login Action, if we detect that a user has logged in without an organization context but actually belongs to one (or multiple), can we redirect them to initiate a new login with the correct organization affiliation?

In cases where the user belongs to multiple organizations, we might want to prompt them to choose which one to log in with, would this be possible using Auth0 forms?

If not possible through built in functionality, would redirecting from the action to a custom URL in our app where we handle the logic and perform a silent login or show a selection UI be a possibility?

Also, is it acceptable to interrupt the Action flow in this way—i.e., not return from the Action but instead trigger a new login flow?

Do note that I know about the “Prompt for Credentials” Login Experience for allowing both personal and organizational logins. But want to avoid giving the user an option if they are actually part of an organization, hence the question of doing this through an action.

We appreciate your participation in the AMA thread by posting a question!
Your AMA Participant badge will be awarded once the event concludes-stay tuned!

Hey Gastón (and Auth0 team) — thanks for doing this AMA! I’ve been using Auth0 for 5+ years and Actions since GA. I’m excited about Transaction Metadata and Action Types. A few real-world questions:

1) Passing data between Actions & redirects

• How does Transaction Metadata behave across the whole login transaction? Any size limits or gotchas (especially with Redirect Actions)?

• Could you share what made this capability tricky to ship (I imagine many of us have had to implement creative solutions to work around this missing feature over the years) and how you envision it being used for multi-step flows?

2) Developer experience: Action Types, shared code & contracts

• What exactly are Action Types and how do they improve DX?

• Are Actions Modules on the roadmap for sharing reusable utility code across multiple actions?

• Will you publish official TypeScript types/schemas for the event/API objects (and versioning guarantees) so we can code against a stable contract? It can be difficult to code against action events with so many fields marked as optional without clear explanations of when they are present.

3) Observability & testing

• Any plans to surface the Action Test Runner metrics in tenant logs (e.g., total_request_duration_ms, action_duration_ms, external_call_duration_ms, boot_duration_ms)? Super helpful for prod troubleshooting. I know a smaller subset is available in the web console logs but they do not get exported in log streams.

• Could you provide richer testing templates (login, signup, redirect flows, MFA) and a local runner that mirrors production as closely as possible? Without a well-defined event type/schema it relies on us either making assumptions of what the event will be or console logging the event in various scenarios and creating our own from that. Or implementing extensive e2e test coverage.

• Are there any plans to add risk signals like risk assessment to refresh tokens?

4) Timeouts & custom errors

• What’s your recommended pattern to fail gracefully before timeouts (e.g., early api.access.deny)?

• Is there any chance of an “on-timeout” hook or similar so it can be handled more gracefully than action timeout errors returned to the user?

• Can we return custom error responses using api.access.deny from Actions instead of defaulting to opaque 500s with custom messages? Previously this was not possible, and we had to implement workarounds. Denying access is not really a 500 internal server error response?

5) Fresh sign-in vs. silent reauth

• Inside post-login, what’s the reliable way to detect interactive login (entered OTP/password etc) vs session reuse / prompt=none?

• Which event fields should we key off (e.g., event.transaction, event.authentication.methods, session age)? One we’ve experimented with is presence of verification code in query params for passwordless logins, but it would be good to have a more reliable method.

6) MFA & step-up (especially on mobile)

• What’s the best way for an Action to know the user just completed/enrolled in MFA? and the details of that when triggered through actions. This is useful information to know from a security context.

• Are there any plans to implement more MFA specific actions?

• For native apps that rely on refresh tokens, what’s your recommended approach to step-up MFA for sensitive actions (since redirects are not possible with refresh tokens)? Any planned improvements here?

• Is there a way to know whether the original session/RT was MFA-authenticated, or plans to expose a durable signal/claim so we can enforce re-MFA based on risk or time? This seems to get lost for refresh tokens?

7) Enterprise / federated SSO

• Are there plans to let Actions (or similar hooks) run during enterprise SAML/OIDC federation to map/transform attributes before user creation/update—and to give us more visibility into those flows. I know Actions run after the SSO happens but I’m curious about specifically when it’s happening.

8) Device identification

• Do you plan to offer a built-in device identifier or first-party fingerprinting guidance that we can safely use in Actions (versus rolling our own or relying on third parties)

9) How granular should Actions be?

• Any performance/maintainability guidance on many small Actions vs. a few larger ones? Where’s the sweet spot?

Anything exciting you’re able to share about the future direction of Actions or new features in the works?

Thanks again for doing this AMA, excited to see new features and improvements to Actions and look forward to leveraging these new features.

RTO is 15 minutes, RPO is < 1 minute, there isn’t a support region active-active yet, only active-failover.

Some useful blog post:

• Multi-Subscriber Deployment on Converged Architecture

There has been feedback from a few customers that have use cases where logs should be sent to external services from the Actions code.

Customers normally implement their own streams from those Actions using HTTP requests, which is understandably a pain due to additional complexity, code repetition, potential performance, errors, and maintenance issues.

There may be some improvement to that combining the newest Actions Transaction Metadata with the upcoming Actions Modules. Which would help reduce the complexity, code repetition, maintenance issues, by defining Modules with functions that can be reused across Actions, and using Transaction Metadata and Cache to store and reuse some values.

Performance issues and errors would still be a problem due to the nature of the communication.

All that being said, there is some potential for exploring the idea of connecting the Actions to be able to communicate through some stream to an external service.

Would you mind posting your specific use case? Which could serve as evidence for future ideating

Although there were internal discussions in the past about having a separate Post Delete User Trigger, that use case can now be covered with Event Streams configured for User Deleted event type.

There are plans to connect Actions as a destination for Event Streams, which would allow developers to create an Event Stream configured for certain event types and bind an Action which would run to process the events in a similar way to the current Webhooks and AWS Eventbridge destinations.

Useful docs:

• https://auth0.com/docs/customize/events