Change of behavior to non-deprecated API with Legacy Lock API deprecation

Hi pals!

We had a bit of a fire drill this morning when the Legacy Lock API was disabled on our tenant. We use auth0-js v9, custom domains, and an embedded authentication scheme, so we thought we were all set to go after the Legacy Lock API was deprecated. It turned out that wasn’t the case.

Here’s what we are seeing:

Ok. We’ve dug into this a bit more. This looks like what is going on:

  1. auth0-js sends an HTTP OPTIONS request to We receive a 200 OK response to this request
  2. However, the response does not include the Access-Control-Allow-Origin header
  3. Our client won’t POST to without this header

In the logs we see:

Just for kicks, I flipped the “Legacy Lock API” switch to “on” and then our application started working. The same CORS requests are now successful:

We didn’t see anything in the docs that said that any changes were going to hit the /co/authenticate endpoint. We thought we were safe if we were using auth0-js v9. Were these changes expected on your side? Is there some other API method we should be using to authenticate using custom domains and embedded login?
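The failure described in this post is a CORS preflight that the browser rejects: the OPTIONS request gets a 200 OK, but without an Access-Control-Allow-Origin header the browser will not send the follow-up POST, and the only visible symptom is a blocked request in the console. The script below is an added example, not code from the original post and not part of auth0-js or Auth0's API: it evaluates a preflight response using the same rules a browser applies (origin must match exactly or be `*`, `*` is not accepted when credentials are sent, the method and requested headers must be allowed), so a server-side check can reproduce the browser's decision before users hit it. The app origin, the endpoint, the `Auth0-Client` request header, and the assumption that the embedded-login POST is sent with credentials are all constructed for the illustration and are not taken from the post.

```javascript
// Added example (not from the original post, not auth0-js code): decide whether a
// CORS preflight response would let a browser proceed with the real request.
// Origins, endpoint, header names and the credentials mode are constructed
// assumptions for illustration.

const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);

// Split a comma-separated header value into trimmed tokens.
function splitList(value, lowercase) {
  if (!value) return [];
  return value
    .split(',')
    .map((s) => (lowercase ? s.trim().toLowerCase() : s.trim()))
    .filter(Boolean);
}

// response: { status, headers } where headers is a map keyed by lowercase name.
// request: { origin, method, requestHeaders, credentials }.
// Returns { allowed, reason } mirroring the browser's CORS preflight checks.
function evaluatePreflight(response, request) {
  const { status, headers } = response;
  const { origin, method, requestHeaders = [], credentials = false } = request;
  const h = (name) => headers[name.toLowerCase()];

  // A preflight must succeed with a 2xx status.
  if (status < 200 || status > 299) {
    return { allowed: false, reason: `preflight status ${status}` };
  }

  // Exactly the case in the post: 200 OK with no Access-Control-Allow-Origin.
  const acao = h('access-control-allow-origin');
  if (acao === undefined) {
    return { allowed: false, reason: 'missing Access-Control-Allow-Origin' };
  }
  if (acao === '*') {
    if (credentials) {
      return { allowed: false, reason: 'wildcard origin not allowed with credentials' };
    }
  } else if (acao !== origin) {
    return { allowed: false, reason: `origin ${origin} not allowed (got ${acao})` };
  }

  if (credentials && h('access-control-allow-credentials') !== 'true') {
    return { allowed: false, reason: 'credentials requested but not allowed' };
  }

  // Method check: safelisted methods always pass; '*' only without credentials.
  const methods = splitList(h('access-control-allow-methods'), false);
  const m = method.toUpperCase();
  const methodOk =
    methods.includes(m) || SAFELISTED_METHODS.has(m) || (!credentials && methods.includes('*'));
  if (!methodOk) {
    return { allowed: false, reason: `method ${m} not allowed` };
  }

  // Header check: every requested header must be listed; '*' (without
  // credentials) covers everything except Authorization.
  const allowedHeaders = splitList(h('access-control-allow-headers'), true);
  const wildcardHeaders = !credentials && allowedHeaders.includes('*');
  for (const name of requestHeaders) {
    const n = name.toLowerCase();
    if (!allowedHeaders.includes(n) && !(wildcardHeaders && n !== 'authorization')) {
      return { allowed: false, reason: `request header ${n} not allowed` };
    }
  }

  return { allowed: true, reason: 'ok' };
}

// Live variant: send the same preflight a browser would and evaluate the raw
// response. Node's fetch is not subject to CORS, so the headers come back as-is.
async function livePreflight(endpoint, origin, method = 'POST', requestHeaders = ['content-type']) {
  const res = await fetch(endpoint, {
    method: 'OPTIONS',
    headers: {
      Origin: origin,
      'Access-Control-Request-Method': method,
      'Access-Control-Request-Headers': requestHeaders.join(', '),
    },
  });
  const headers = {};
  res.headers.forEach((v, k) => { headers[k.toLowerCase()] = v; });
  return evaluatePreflight({ status: res.status, headers }, { origin, method, requestHeaders, credentials: true });
}

// Constructed sample data (assumptions, not taken from the post).
const APP_ORIGIN = 'https://app.example.com';
const EMBEDDED_LOGIN_REQUEST = {
  origin: APP_ORIGIN,
  method: 'POST',
  requestHeaders: ['content-type', 'auth0-client'],
  credentials: true,
};
// Mirrors the failing state in the post: 200 OK, no Access-Control-Allow-Origin.
const BROKEN_PREFLIGHT = { status: 200, headers: { 'content-type': 'application/json', 'content-length': '0' } };
// Mirrors the working state after the switch was flipped back on.
const WORKING_PREFLIGHT = {
  status: 200,
  headers: {
    'access-control-allow-origin': APP_ORIGIN,
    'access-control-allow-credentials': 'true',
    'access-control-allow-methods': 'POST, OPTIONS',
    'access-control-allow-headers': 'content-type, auth0-client',
  },
};
```

Usage: `evaluatePreflight(BROKEN_PREFLIGHT, EMBEDDED_LOGIN_REQUEST)` reports `missing Access-Control-Allow-Origin`, while `evaluatePreflight(WORKING_PREFLIGHT, EMBEDDED_LOGIN_REQUEST)` is allowed; `livePreflight('https://login.example.com/co/authenticate', APP_ORIGIN, 'POST', ['content-type', 'auth0-client'])` runs the same check against a real tenant (hostname is a placeholder). Running it from a deployment pipeline against your custom domain catches a silent preflight change like this one before the browser does.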



I have exactly the same problem… where did you find this switch?