GA status (Native Passkeys + My Account API) and My Account API token (PKCE) — MAU vs M2M

We are an Enterprise customer and really keen to confirm the status of a few exciting Auth0 features and a question around billing; the questions are:

  1. The “Native Passkeys for Mobile Applications” docs page no longer shows an Early Access banner — are native passkeys for iOS/Android now GA?
  2. The My Account API docs now show v1.0 as Generally Available — is it now GA? In short, are both Native Passkeys for mobile and the My Account API GA?
  3. If a My Account API access token (audience /me/) is obtained via the Authorization Code Flow with PKCE, is that counted toward the M2M token quota or toward MAU?
  4. The Authentication Assurance feature for the My Account API is listed as Early Access. If we obtain a My Account API token via the Authorization Code Flow with PKCE, is that Early Access feature involved in the token issuance process when 2FA is disabled in the default policy?

Thanks in advance.

Hi @p.p

I can confirm that both Native Passkeys for Mobile Applications and the My Account API are now Generally Available (GA) and fully supported for production use.

Regarding billing, utilizing the Authorization Code Flow with PKCE to get a My Account API token counts entirely toward your MAU (Monthly Active Users), not your M2M quota. Finally, if the Authentication Assurance “Require 2FA” default policy is disabled, that specific EA feature is completely bypassed during token issuance.

To answer your questions directly:

The “Native Passkeys for Mobile Applications” docs page no longer shows an Early Access banner — are native passkeys for iOS/Android now GA?
The My Account API docs now show v1.0 as Generally Available — is it now GA? In short, are both Native Passkeys for mobile and the My Account API GA?

  • Native Passkeys for Mobile: Yes, this feature is officially GA. You can safely deploy this to production without the risks associated with EA features (such as sudden deprecation or breaking changes without notice).

  • My Account API: Yes, version 1.0 of the My Account API is now GA. The endpoints and core capabilities for self-service credential management are locked in and supported under standard enterprise SLAs.

If a My Account API access token (audience /me/) is obtained via the Authorization Code Flow with PKCE, is that counted toward the M2M token quota or toward MAU?

Tokens minted for the My Account API (audience https://{your-tenant}/me/) via the Authorization Code Flow with PKCE are strictly tied to a human user’s interactive session.

  • Because a user is authenticating, this counts toward your MAU (Monthly Active Users).

  • Machine-to-Machine (M2M) billing quotas are only consumed when a token is requested using the Client Credentials Grant (where a machine authenticates itself using a Client ID and Secret). Furthermore, Auth0 explicitly restricts the My Account API from being accessed via the Client Credentials flow because the /me/ endpoints strictly require a user context.

The Authentication Assurance feature for the My Account API is listed as Early Access. If we obtain a My Account API token via the Authorization Code Flow with PKCE, is that Early Access feature involved in the token issuance process when 2FA is disabled in the default policy?

While the My Account API itself is GA, the Authentication Assurance (Default Policy) feature attached to it remains in Early Access.
This feature is designed to enforce strict Step-Up Authentication (requiring a user to pass 2FA within the last 15 minutes to manage their credentials). If you have the “Require 2FA” toggle disabled in your My Account API settings, the Authentication Assurance engine is effectively inactive. It will not interfere with, modify, or block the token issuance process during your Auth Code + PKCE flow.

If you have any other questions, let me know.

Kind Regards,
Nik