I recently received an End-of-Life Notice: “Requests Without SNI will Fail” email for my tenant.
The message says my tenant received at least one non-compliant HTTPS request omitting the TLS SNI extension, and that such requests will fail once enforcement begins in November 2025.
Questions:
How can I determine which API calls or clients are omitting SNI?
Is there any way to view these non-SNI requests in Auth0 logs or via another diagnostic tool?
Could such requests be generated by bots or integrations like Tawk.to?
Do I need to take any configuration action within Auth0 (custom domains, proxies, etc.) to stay compliant?
Any specific guidance or diagnostic approach to confirm whether this is coming from my own system vs. external automated traffic would be really helpful.
This is definitely the most important step to consider in your case. The most common reasons of requests without SNI would include:
Applications running on older software runtimes that lack SNI support or require non-default configuration, for example, older Java or Python runtime versions.
Traffic that flows through proxies that intercept/terminate TLS connections, part of a self-managed certificate custom domain
It is possible that some requests may originate from web crawlers or bots, as such requests sometimes do not include SNI.
Auth0 logs do not contain the information that you require and unfortunately we are not able to provide detailed information publicly in the community forum on the non-compliant requests since they contain private information about your tenant, so for that a support ticket would have to be raised with our Developer Support Team. However you can still use tools such as openssl to test your current environment and see if non-SNI compliant requests are still being made, as described in this KB Article - Change Notice: Mandatory Use of SNI for HTTPS Requests or Network Analysis Tools such as Wireshark that should come in quite handy in this case. I would recommend checking out the above mentioned article, as well as this one - End-of-Life Rollout for Mandatory Use of SNI for HTTPS Requests for insightful information on this matter.