May 2025 in Auth0: Async Auth, Real-Time Streams, and Custom Everything

May brought a wave of powerful new capabilities for you: async authentication flows with CIBA, fine-grained M2M quotas for secure API usage, expanded event streaming for automation, and even more control over the Universal Login experience, including WebAuthn and biometrics.

If you’re building with Auth0, this month’s releases give you more control over UX, security, and system integrations with less friction.

Let’s Dig In

Client-Initiated Backchannel Authentication (CIBA) – Now GA

The CIBA flow is now Generally Available, and it's a game changer for devs building across devices, services, and roles.

It enables asynchronous authentication where:

• One device initiates the request (e.g., a smart TV, AI agent, CLI tool)
• Another device authenticates the user (typically a mobile app with Guardian SDK)

Highlights:

• Works great for headless UIs, customer service flows, or AI agents needing human approval
• Built on Rich Authorization Requests (RFC 9396)
• Auth can happen off-screen, out-of-band, or in-context

Explore CIBA in the docs.

Auth0 CLI: More UX control, better testing, new powers

The latest CLI update gives developers even more hands-on control over login, org testing, and tenant config.

New capabilities:

• Customize Universal Login from the CLI
• Block/unblock users programmatically
• Use test login with Organizations
• Better logs + user management commands
• Bug fixes + smoother workflows

Check the CLI reference.

Event Streams for extensibility – now in Early Access

Already loved for user lifecycle events, Event Streams now support Extensibility Events.

This means you can:

• Subscribe to changes in users and organizations
• Route real-time events to Webhooks or EventBridge
• Build automation and observability into your dev workflow

Use this to sync downstream systems, trigger CI/CD pipelines, or log important changes without polling the Management API.

Set up your stream.

Universal Login: WebAuthn, Biometrics, and Logout – now customizable

The Advanced Customizations for Universal Login (ACUL) SDK just leveled up.

You can now build client-rendered, pixel-perfect versions of:

• MFA with WebAuthn (roaming + platform)
• Biometric flows
• Reset password screens
• Logout states (completed, error, aborted)

Tooling support:

• ACUL SDK
• Auth0 CLI
• Deploy CLI
• Terraform Provider

No more default templates - your login experience, your UI, your rules.

More cool features we have shipped to improve your experience:

Universal Login language selector for end users

Tired of relying on browser headers or ui_locales? You can now let users choose their preferred language directly on Universal Login pages using Custom Prompts.

Fine-Grained M2M Token Quotas (now in Early Access)

Allows you to set precise hourly and daily limits on machine-to-machine token issuance at the app or organization level. This helps prevent API abuse from misconfigured clients, returns automatic 429 responses when limits are hit, and provides full visibility through logs and response headers. No external rate limiting or token caching hacks required.

Native Sign-in with Google for Android

If you’re building native Android apps, you can now use the Android Credential Manager’s Sign in with Google to let users authenticate seamlessly using their existing Google sessions - no passwords, no extra prompts.

Community and Events

Where we were in May

May took us around the world—from live webinars to some of the most exciting developer and API conferences.

• Qiita Webinar with Twilio — Daizen Ikehara shared strategies for building scalable and secure SaaS apps tailored for the Japanese developer ecosystem.
• Infobip Shift – Carla Urrea spoke about “Securing AI: A Journey Through Access Control Systems.”
• API Days New York – Ramona Schwering talked about AI and security
• Dublin Tech Summit – Deepu Sasidharan talked about how OAuth and OpenFGA Can Keep Your AI Agents from Going Rogue!

Where we’ll be in June

June is shaping up to be a big month for developer events, and we’re showing up in full force across frontend, AI, open source, and cloud communities. If you’re attending any of these, come say hi, catch a talk, or grab some Auth0 swag!

dev_day(25) (June 18th) - dev_day(25): Auth for Agents is a one-day, free, virtual crash course on auth for AI agents and humans with Auth0. RSVP today to join us on June 18th.

• Frontend Nation 2025 (June 3rd) – Ramona Schwering will share tips on building secure, user-friendly frontends.
• AI Engineering World's Fair (June 3rd) – Exploring the future of AI-powered software and secure identity in agent workflows.
• AWS Summit Hamburg (June 5th) – Juan Cruz Martinez joins to discuss secure multi-tenant patterns for AWS builders.
• RenderATL (June 11th) – Ramona Schwering and Jessica Quick will be alongside Netlify at the booth, while Shawn Meyer will be on a panel on AI.
• React Summit (June 13th) - Ramona returns to the stage with a developer-first approach to modern identity in React apps.
• VLCTechFest (June 14th) - Carla Urrea joins the dev community in Valencia to connect on open source and identity.
• Open Source Summit North America (June 23rd) - Carla shares insights on securing community-led software.
• AWS Summit Japan (June 25th) - Daizen Ikehara will present best practices for large-scale identity in the public cloud.
• Vercel Ship (June 25th) - Juan Cruz Martinez will be on-site with a spotlight on edge-first auth patterns for AI apps.

Planning to attend? Reach out! We’d love to meet you and hear what you’re building.

Expect talks, demos, and plenty of real-world tips on building secure, AI-aware, and scalable identity experiences.

That’s it for May! We’ll be back next month with more dev-first updates.

Until then:

Stay secure.
Keep shipping.
We’re here if you need us.