Overview
The end-of-life date for the unwarranted authentication session invalidation after Management API user updates is August 19, 2025. After this date, the deprecated behavior will progressively cease to be available. The process to remove access to the deprecated behavior has the following phases:
- August 20, 2025 - Remove access for tenants tagged as development or staging tenants. The transition occurs according to the tenant’s environment tag when changes roll out for each environment. Therefore, changing a development tenant to production after the rollout phase is complete will not reinstate the deprecated behavior.
- (pending date) - Remove access for outstanding tenants, including production tenants.
The dates above mark the day the rollout for a particular phase starts; each phase may take several days to complete, so different tenants in the same phase may not observe the change simultaneously. This article will receive updates as information related to the complete timeline for enforcing the new behavior becomes available.
Once the deprecated behavior is unavailable in a given tenant, user update requests (PATCH - /api/v2/users/{id}) that set the email or email_verified attribute to an unchanged value, or that set the email_verified attribute to true, will NOT trigger the invalidation of authenticated sessions for database connection users.
Note that, for database connection users, update requests that change an existing email attribute to a different value or transition the email_verified attribute from true to false will continue to trigger session invalidation.
Applies To
- Management API
- Users
- End of Life (EOL)
Cause
The changes to the behavior of the user update endpoint mentioned above are expected and allow for consistent behavior between setting an email as verified through the Management API and the built-in email verification flows provided by the service. In addition, they improve the overall end-user experience by avoiding session invalidation in situations that do not require it, such as setting either the email or email_verified attributes to unchanged values.
On February 11, 2025, Auth0 announced the deprecation of the previous service behavior. The information provided in the original announcement is available in the respective Dashboard and Support Center notification.
Solution
The behavior change improves on the previous behavior, and the semantics of the user update requests will not change. Therefore, the change should be seamless and generally not require any implementation change.
However, integrations that specifically perform user update requests with unchanged values solely to trigger user session invalidation must use other methods to achieve the requirement—for example, using the user-specific session management endpoints or forcing a password change.
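To find integrations affected by the change, the rules above can be applied to a record of the user update requests an integration sends. The following is an added example, not Auth0 code: the function names and the sample records are constructed here, and it assumes database connection users and that the deprecated behavior invalidated sessions whenever a request set email or email_verified.

```python
from typing import Any, Iterable, List, Mapping

WATCHED = ("email", "email_verified")


def invalidates_deprecated(patch: Mapping[str, Any]) -> bool:
    # Assumption: the deprecated behavior invalidated sessions for any
    # update body that set email or email_verified, changed or not.
    return any(key in patch for key in WATCHED)


def invalidates_new(current: Mapping[str, Any], patch: Mapping[str, Any]) -> bool:
    # Rule 1: email changed to a different value (exact string comparison
    # is a simplification made by this example).
    if "email" in patch and patch["email"] != current.get("email"):
        return True
    # Rule 2: email_verified transitions from true to false.
    return current.get("email_verified") is True and patch.get("email_verified") is False


def calls_losing_invalidation(calls: Iterable[Mapping[str, Any]]) -> List[str]:
    """Ids of update calls that used to end sessions and no longer will."""
    return [
        c["id"]
        for c in calls
        if invalidates_deprecated(c["patch"])
        and not invalidates_new(c["current"], c["patch"])
    ]


# Constructed sample: user state before each PATCH, plus the PATCH body.
_VERIFIED = {"email": "a@example.com", "email_verified": True}
_UNVERIFIED = {"email": "a@example.com", "email_verified": False}
SAMPLE_CALLS = [
    {"id": "c1", "current": _VERIFIED, "patch": {"email": "a@example.com"}},
    {"id": "c2", "current": _UNVERIFIED, "patch": {"email_verified": True}},
    {"id": "c3", "current": _VERIFIED, "patch": {"email": "b@example.com"}},
    {"id": "c4", "current": _VERIFIED, "patch": {"email_verified": False}},
    {"id": "c5", "current": _VERIFIED, "patch": {"name": "Renamed User"}},
    {"id": "c6", "current": _UNVERIFIED, "patch": {"email_verified": False}},
]

if __name__ == "__main__":
    for call_id in calls_losing_invalidation(SAMPLE_CALLS):
        print(f"{call_id}: no longer invalidates sessions; use another method")
```

Calls reported by this check are the ones that need to move to the user-specific session management endpoints or a forced password change if ending the session is the goal.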