Overview
This article clarifies the behavior associated with the Unwarranted session removal after Management API user updates migration toggle found in Auth0 Tenant Settings (Advanced).
This toggle was introduced as part of a change by Auth0 aimed at enhancing platform stability and user experience by reducing unnecessary session invalidations when email-related attributes of a user (specifically for database connections) are updated via the Management API.
This guide explains what happens when this migration toggle is turned OFF, which is the recommended state to align with the updated behavior.
Applies To
- Auth0 Tenants
- User Profiles
- Database Connections
Cause
Previously, when specific user profile attributes related to email (such as the email address itself or the email_verified status) were updated via the Management API for database connection users, Auth0 would often invalidate all active authentication sessions for that user. This could lead to a disruptive user experience, as users would be forced to log in again even for minor administrative updates to their email attributes.
To improve user experience and overall platform stability by avoiding these “unwarranted” session invalidations, Auth0 introduced a new behavior, controlled by this migration toggle. The goal is to ensure sessions are only invalidated when strictly necessary for security.
Solution
Auth0 recommends turning OFF the Unwarranted session removal after Management API user updates toggle before the specified end-of-life date for the older behavior. When this toggle is set to OFF (disabled), the following behavior takes effect regarding session handling after email-related updates for database connection users:
- Sessions Remain Valid: The primary change is that active user sessions will generally no longer be automatically invalidated when an email address is updated. This means users are less likely to be unexpectedly logged out of their active sessions simply because an administrator or an automated process changed their email address or verification status via the Management API. They can continue their tasks without interruption from these specific types of updates.
- Email Status Still Changes: If a user’s email address changes to a new value, their email status in Auth0 will still be correctly marked as ‘unverified’. This aspect of the behavior remains consistent and ensures that the new email address requires confirmation.
- Verification Still Required: The user must complete the email verification process for their new email address to regain a ‘verified’ status in their Auth0 profile.
Turning this toggle OFF means that Auth0 will adopt the new behavior of reducing instances of automatic session termination for specific email-related updates, while still maintaining the necessary security step of requiring a new email address to be verified. This is part of Auth0’s efforts to enhance platform stability and security. Turning off the toggle before the end-of-life date mentioned in the original communication proactively aligns with this updated, recommended behavior.
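The following is an added illustration, not Auth0's own code: a small Python model of the two behaviors described above, so that an operator can reason about what a Management API email update does to a database-connection user's profile and sessions with the toggle ON (legacy behavior) versus OFF (recommended behavior). The UserRecord class, the session identifiers and the apply_management_update function are constructed for this example; the rule it encodes is only what this article states (an email change always leaves the new address unverified; with the toggle OFF, sessions survive email-related updates), and it does not model any other Management API semantics.

```python
from dataclasses import dataclass, field


@dataclass
class UserRecord:
    """Constructed stand-in for a database-connection user profile plus its active sessions."""
    user_id: str
    email: str
    email_verified: bool
    sessions: set = field(default_factory=set)  # constructed session ids, not Auth0 values


def apply_management_update(user: UserRecord, patch: dict, toggle_on: bool) -> dict:
    """Model of a Management API PATCH touching email attributes.

    toggle_on=True  -> legacy behavior: any email-related update invalidates all sessions.
    toggle_on=False -> recommended behavior: sessions remain valid; only the
                       email/email_verified attributes change.
    Returns a summary of what happened so the caller can check the outcome.
    """
    email_changed = "email" in patch and patch["email"] != user.email
    touched_email_attrs = "email" in patch or "email_verified" in patch

    if email_changed:
        # A new address is always recorded as unverified and must be re-verified
        # by the user; this holds regardless of the toggle state.
        user.email = patch["email"]
        user.email_verified = False
    elif "email_verified" in patch:
        # Administrative update of the verification flag only.
        user.email_verified = bool(patch["email_verified"])

    sessions_invalidated = False
    if touched_email_attrs and toggle_on:
        # Legacy behavior: the user is logged out of every active session.
        user.sessions.clear()
        sessions_invalidated = True

    return {
        "email_changed": email_changed,
        "email_verified": user.email_verified,
        "sessions_invalidated": sessions_invalidated,
        "remaining_sessions": len(user.sessions),
    }


if __name__ == "__main__":
    for toggle in (True, False):
        u = UserRecord("auth0|example", "old@example.com", True, {"sess-1", "sess-2"})
        result = apply_management_update(u, {"email": "new@example.com"}, toggle_on=toggle)
        print(f"toggle_on={toggle}: {result}")
```

Running the block prints one line per toggle state; with the toggle OFF the user keeps both sessions while email_verified flips to False, which is the outcome an administrator should expect to observe in the user's profile after the migration.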
For the precise conditions under which sessions are no longer invalidated, please refer to the original “Action Required: Invalidation of user sessions after email related updates” communication sent by Auth0 or the official deprecation notice: Unwarranted Session Removal After Management API User Updates