End-of-Life Rollout for Unprocessed Organization Parameter in Client Credentials

Overview

The Auth0 service allowed passing an organization parameter in client credentials exchanges without triggering additional validation when processing the request. More specifically, the organization parameter would be treated as an unrecognized parameter, thus allowing any value to be present.

After June 12, 2025, the service will roll out a change across all tenants so that client credentials exchange requests that include a parameter named organization are handled following the rules of Machine-to-Machine (M2M) Access for Organizations.

The above implies that the request may fail if it does not meet the requirements for the corresponding feature. For example, it will fail if the tenant subscription is not entitled to use the feature or if the value contained within the organization parameter does not correspond to a valid organization identifier associated with the tenant.

Applies To

  • End of Life (EOL)
  • Organizations
  • Machine-to-Machine (M2M) Access

Cause

To provide the new functionality associated with Machine-to-Machine access for Organizations in a way that is consistent with other organization-related functionality across the product, the organization parameter in client credentials had to be considered a built-in service parameter.

Tenants with client credentials requests dependent on the original behavior received notifications ahead of the change to migrate away from the deprecated behavior.

Solution

Implementations that send client credentials requests with an organization parameter and expect the service not to validate that parameter will need to be updated. For example, do one of the following:

  • Use the organization parameter in alignment with the requirements for the Machine-to-Machine (M2M) Access for Organizations feature.
  • Rename the parameter to ensure the service continues treating it as unrecognized while allowing its value to surface to custom extensibility.
  • Stop including the parameter in the request.
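
One way to find affected requests before the rollout and apply the rename or drop option is sketched below. This is an added example, not Auth0 code: the sample request bodies are constructed, and the replacement parameter name acme_org_hint is hypothetical. The first option (using organization as the M2M feature requires) depends on tenant configuration and a valid organization identifier, so it cannot be checked locally.

```python
import json
from urllib.parse import parse_qsl

# Constructed sample token request bodies (content type, body); not real traffic.
SAMPLES = [
    ("application/x-www-form-urlencoded",
     "grant_type=client_credentials&client_id=app1&client_secret=REDACTED"
     "&audience=https%3A%2F%2Fapi.example.com&organization=team-blue"),
    ("application/json",
     '{"grant_type": "client_credentials", "client_id": "app2", '
     '"client_secret": "REDACTED", "audience": "https://api.example.com"}'),
    # A different grant type: outside the scope of this notice.
    ("application/json",
     '{"grant_type": "refresh_token", "client_id": "app3", '
     '"refresh_token": "REDACTED", "organization": "team-red"}'),
]

def parse_body(content_type, body):
    """Parse a token request body sent as JSON or form-encoded."""
    if "json" in content_type.lower():
        return json.loads(body)
    return dict(parse_qsl(body, keep_blank_values=True))

def is_affected(params):
    """True for a client credentials exchange carrying `organization`."""
    return (params.get("grant_type") == "client_credentials"
            and "organization" in params)

def remediate(params, strategy, renamed_key="acme_org_hint"):
    """Apply the 'rename' or 'drop' option; renamed_key is a hypothetical name."""
    if not is_affected(params):
        return dict(params)  # unaffected requests pass through unchanged
    fixed = {k: v for k, v in params.items() if k != "organization"}
    if strategy == "rename":
        fixed[renamed_key] = params["organization"]
    elif strategy != "drop":
        raise ValueError(f"unknown strategy: {strategy}")
    return fixed

def audit(samples):
    """Return the client_id of every affected request."""
    parsed = (parse_body(ct, body) for ct, body in samples)
    return [p.get("client_id") for p in parsed if is_affected(p)]

if __name__ == "__main__":
    print("affected clients:", audit(SAMPLES))
```
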