Auth0 client can authenticate to another tenant??

In my company, we have 3 tenants, one for each environment (dev, stage, prod).

The auth URLs for the tenants are like, etc.

We just discovered that we can send password grant requests to, with a client ID from the dev tenant. How is this possible??? Shouldn’t Auth0 check that there’s no such client ID in the prod tenant, and reject the request?

Decoding the JWT token, we see that iss is correctly set to, so it is issued by the correct tenant. So it is just weird that I can use one tenant’s URL to log in with another tenant’s client.

Is this a feature of Auth0? Is this behaviour documented anywhere?


Sounds like the same issue we’ve encountered here:

