Auth0

INFRA · APIS · DEVOPS
Velocity 8.8

Authentication and authorization platform

Auth0 ships Auth for MCP GA and starts unbundling the rest of identity for AI agents.

mcp auth · ai agent identity · token exchange · session-bound tokens · event streams · developer ergonomics
Current state
Auth0 just made Auth for MCP generally available — a bundle of CIMD client registration, On-Behalf-Of token exchange, and OAuth resource-parameter compatibility purpose-built for AI agents talking to MCP servers. Around it, the team is reworking core identity primitives: non-unique emails reached GA, online refresh tokens entered beta with session binding, and the Account API now supports step-up auth for sensitive scopes. Smaller polish items (CMD+K palette, Resend GA, signing algorithm coverage) round out the release stream.
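As an added illustration of the On-Behalf-Of exchange and resource-parameter binding mentioned above (example code, not Auth0's own): the toy HMAC signer, the claim layout beyond what RFC 8693 and RFC 8707 define, and the MCP server URLs are assumptions made for the example.

```python
# Added example, not Auth0 code: a toy On-Behalf-Of (RFC 8693) token exchange for an
# agent calling an MCP server, with the RFC 8707 `resource` parameter binding the issued
# token to one server. Signing key, claim layout and server URLs are constructed here.
import base64, hashlib, hmac, json
from typing import Optional

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"  # RFC 8693
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
SIGNING_KEY = b"constructed-demo-key"  # constructed; real servers use asymmetric keys


def build_obo_request(user_token, agent_client_id, resource, scope):
    """Form body the agent posts to the token endpoint: swap the user's token
    for one scoped to a single MCP server, named by the `resource` indicator."""
    return {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": agent_client_id,
        "subject_token": user_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "requested_token_type": ACCESS_TOKEN_TYPE,
        "resource": resource,
        "scope": scope,
    }

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_obo_token(request: dict, user_sub: str, now: int, ttl: int = 300) -> str:
    """Toy authorization server: `aud` is exactly the requested resource and the
    RFC 8693 `act` claim records which agent acts on the user's behalf."""
    claims = {"sub": user_sub, "aud": request["resource"], "scope": request["scope"],
              "act": {"sub": request["client_id"]}, "exp": now + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def verify_at_mcp_server(token: str, my_resource: str, now: int) -> Optional[dict]:
    """MCP server side: accept only an unexpired token whose `aud` is this server.
    A token minted for another MCP server fails here even with a valid signature."""
    body, _, sig = token.partition(".")
    expected = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims["aud"] != my_resource or claims["exp"] <= now:
        return None
    return claims
```

The point for a defender is the last function: a token exchanged for one MCP server is useless at any other, so a compromised agent or server cannot replay it across resources.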
Where it's heading
Auth0 is repositioning from a B2C/B2B login provider to an authorization layer for agent ecosystems. The MCP work is the centerpiece, but the supporting moves — session-bound refresh tokens, step-up auth on the Account API, non-unique emails — all point at use cases where users, agents, and resources have more complex relationships than classic OIDC was designed for. Outbound event streams to AWS EventBridge and Okta Workflows extend the same direction outward.
Prediction
Expect Auth for MCP to gain a managed catalog of pre-vetted MCP clients and deeper Actions-based policy hooks for OBO token exchange, plus online refresh tokens reaching GA within a quarter.

Recent moves

  1. 2d ago

    Suspicious IP Throttling for Custom Token Exchange

    Adds a Dashboard surface to configure Suspicious IP Throttling specifically for Custom Token Exchange. Extends an existing attack-protection knob to cover the token-exchange path that AI-agent flows depend on.

  2. 8d ago

    Non-Unique Emails is Now Generally Available

    Non-Unique Emails reaches GA on new database connections, letting multiple accounts share an email when a username or phone serves as the primary identifier. Removes a long-standing constraint for households and small-business multi-account scenarios.

  3. 9d ago

    Secure your Account API with ACR EA

    Account API token issuance can now be gated by step-up authentication on sensitive scopes via Actions-driven policy or a secure-by-default toggle. Fills a gap for self-service account management that previously required custom guarding.

  4. 10d ago

    Online Refresh Tokens is now in Beta

    Online refresh tokens go to beta — tokens are bound to the originating session, so revoking the session invalidates all of them. Targets SPAs hit by browser cookie restrictions where session continuity has been fragile.

  5. 15d ago

    Fix for Empty login_hint Parameter on External Identity Providers Requests

    Stops sending an empty login_hint query parameter to external identity providers that strictly validate request params. Compatibility fix; the workaround override can be removed once the rollout lands.

  6. 15d ago

    Resend Email Provider is now Generally Available

    Resend joins Auth0's out-of-the-box email provider list at GA, alongside the existing integrations. A small but real addition for developer-leaning teams already on Resend's stack; fits the pattern of steadily widening platform integration breadth while the larger architectural bets play out.