Auth0 Home Blog Docs

Strange behavior after disabling Legacy Lock API switch



We use a customized hosted login page to do our authentication, to be prepared for the deprecation starting from the 1st of April we tried to enable the Legacy Lock API switch since we migrated to Lock v11.3.

When I enable that switch I get the most strange behavior, none of the authentications work anymore I always get the message “Wrong username or password”. What is even more stranger is that when I do a sign up I can fill out the form, in the dashboard everything seems fine but the view goes from the signup form directly to the login form with the message “Wrong credentials.”

First I thought that it was due to our setup or our customization so I tried to create a new tennant but these switches are not present in the preferences there, they are only available on older tennants. I was able to reproduce it becuase we have an older tennant with defaults which we don’t use anymore and I just enabled the switch and tried these use cases and I got the same results.

Anyone have similar issues or any idea of how we can resolve these issues asap?


There was a similar issue where disabling the Legacy Lock API toggle resulted the tokeninfo endpoint not working, but we’ve since resolved this. I haven’t seen any other similar issues.

Could you please share a HAR file (please remove any sensitive details such as passwords) so we can examine the requests in more detail and see where this problem occurs?

Please upload it to a cloud storage service (e.g. Google drive), and share the link with us. Feel free to restrict access to the link for only email addresses using


I’ve also added a video demonstrating the issue and added it to the folder.


Having the same issue. it seems odd that using the universal login would be using deprecated api calls but the error message suggests it’s a credential issue. There is also no entry in the log when this occurs.


this is the only thing i see in the har file.
{“statusCode”:403,“description”:“Invalid state”,“name”:“AnomalyDetected”,“code”:“access_denied”}


I get that as well…


it looks like your hosted page using lock 11.3 is still calling usernamepassword/login. What should it be calling? and what is causing it to use a deprecated endpoint?


hey @jgeerts are you calling /login?client= or /authorize?client_id=


using the login endpoint was causing this issue for us. Switching to /authorize fixed it for us. good luck.


You are right, I get this if I go to the login endpoint directly which worked before but doesn’t seems to work anymore. Thank you!


This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.