Upgrade reminder / changes to deprecation roadmap



This is a follow-up to our “Auth0 Roadmap and Deprecations” notification from late December 2017, to remind you of the potential need to upgrade your applications and also to inform you of changes in some of our announced endpoint deprecations.

As we previously notified customers, we are deprecating certain APIs (usernamepassword/login, /ssodata) used by Lock.js 7, 8, 9 and 10 and auth0.js 6, 7, 8.

If you’re currently using our Hosted Login Page, no action is needed from you. Otherwise, if you embed Lock or auth0.js in your applications, you should update them before April 1, 2018.

How to Upgrade to Lock 11 & Auth0.js 9

Listed below are links to a webinar, documents and videos with further details and guidance on the upgrade process to Lock 11 and Auth0.js 9.

Change in Plans for Other Deprecations

In our roadmap notification in late December, we also announced the planned deprecation of the following endpoints:

  • /tokeninfo
  • /delegation
  • /oauth/ro
  • /oauth/access_token
  • Usage of id_token on Management API

These endpoints are proprietary, non-standards based solutions to authentication and identity management. It has been our intention to encourage the adoption of standards-based solutions and reduce or eliminate the need for proprietary protocols, and this led to our plans for these announced deprecations.

However, based on customer feedback, we have adjusted our plans and will continue to maintain and support the above existing proprietary endpoints. We will also publish new guidance on the most effective ways to transition your applications to standards-based protocols. In the event that we need to make security enhancements to any of these legacy endpoints, we will announce timeframes and guidelines for any required changes at that time.

If you have any questions about the above, please post your question in the “Migrations / Deprecations” section of the Auth0 Community site. Thank you for your continuing partnership with Auth0.

Chris Spiek
Head of Product


Will auth0.js 8 continue to work for customised hosted login pages, as per the current recommendation? I’m using webAuth.redirect.loginWithCredentials.


If you only use Auth0.js v8 or Lock 10 in your Hosted Login Page, you don’t need to upgrade.


I’m just a bit worried as the current Auth0.js v8 code I have is definitely calling /usernamepassword/login. But if you say so… 🙂


Ah, I think I get it. Those APIs will remain available to hosted login pages, but not externally?


Yes, those APIs will remain available within the hosted login page. However, if you’re using webAuth.redirect.loginWithCredentials from Auth0.js v8 from your app, the /usernamepassword/login will not be available. Our recommendation in that case is to migrate to the latest v9.

You can always test it by disabling the legacy APIs, as shown here:


Thanks for the confirmation 🙂


The “UPGRADE REMINDER AND CHANGES TO DEPRECATION ROADMAP” notification from Auth0 has conflicting info with, which still indicates that the ‘tokeninfo’ endpoint will be deprecated.

Is the notification inaccurate or the migration page outdated? The page should be updated to avoid confusion if it’s outdated.


The notification is accurate. Looks like the migration page needs to be updated, I’ll touch base with our content team, thanks for pointing this out!





We’re utilizing the Auth0 WordPress plugin. Does the latest version (3.5.2) have the latest updates for this?


Yes, everything should have been addressed as of version 3.5.0.


We have upgraded to Lock11 per the migration documentation and now the “Last time you logged in” functionality no longer works. The document states:

"Lock 11 will never show the Last time you logged in with window when using the Authorization Code Flow (that is, when specifying response_type='code'). It will always prompt for credentials.

The Last time you logged in with window will also never do a redirect, even when the redirect option is set to true. Lock11 still emits the authenticated event and you should subscribe to that event to get the authentication result.

If you want to avoid showing the Lock dialog when there’s an existing session in the server, you can use Auth0.js’s checkSession() function."

We are not using Auth0.js. Can you give an example of how to use the authenticated event that is referenced above to achieve this same functionality?
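
The subscription the quoted documentation describes, as an added example that is not part of this thread or Auth0's own code. It assumes Lock 11 in popup mode (`auth.redirect: false`) with `responseType: 'token id_token'`; `wireLockSession` and `makeFakeLock` are hypothetical names, and the fake lock is a constructed stand-in so the handler logic runs outside a browser.

```javascript
// Added example. `lock` is an Auth0Lock instance created in popup mode, e.g.
//   new Auth0Lock(CLIENT_ID, DOMAIN, { auth: { redirect: false, responseType: 'token id_token' } })
// CLIENT_ID and DOMAIN are placeholders; wireLockSession is a hypothetical helper name.
function wireLockSession(lock, now = () => Date.now()) {
  const session = { accessToken: null, idToken: null, expiresAt: 0, error: null };

  // Fires for a credential login and for the "Last time you logged in with" window.
  lock.on('authenticated', (authResult) => {
    // Refuse partial results instead of storing half a session.
    if (!authResult || !authResult.accessToken || !authResult.idToken) {
      session.error = 'incomplete_auth_result';
      return;
    }
    session.accessToken = authResult.accessToken;
    session.idToken = authResult.idToken;
    // expiresIn is a lifetime in seconds; keep an absolute expiry in milliseconds.
    session.expiresAt = now() + (Number(authResult.expiresIn) || 0) * 1000;
    session.error = null;
    lock.hide();
  });

  lock.on('authorization_error', (err) => {
    // Drop any held tokens; fall back to a generic code if none is supplied.
    session.accessToken = session.idToken = null;
    session.expiresAt = 0;
    session.error = (err && err.error) || 'authorization_error';
  });

  session.isAuthenticated = () => session.accessToken !== null && now() < session.expiresAt;
  // Open the widget only when no unexpired tokens are held (tokens stay in memory only).
  session.ensureLogin = () => {
    if (!session.isAuthenticated()) lock.show();
    return session.isAuthenticated();
  };
  return session;
}

// Constructed stand-in exposing the same on/show/hide surface, so this runs in Node.
function makeFakeLock() {
  const handlers = {};
  return {
    shown: 0, hidden: 0,
    on(event, cb) { handlers[event] = cb; },
    show() { this.shown += 1; },
    hide() { this.hidden += 1; },
    emit(event, payload) { handlers[event](payload); },
  };
}
```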