Tenant Access Control List
Tenant Access Control List (ACL) allows you to manage traffic to your Auth0 services with configurable rules. It helps you protect your tenant and conserve your rate limits against potential threats, such as denial-of-service (DoS) attacks, and ensures that only legitimate users access your applications.
How it works
When your tenant or Management API receives a request, Tenant ACL processes that request and then determines how to respond based on the rules you have configured.
For example, you could create a Tenant ACL rule that blocks any traffic coming from a specific IP address from accessing your tenant.
Rules
Rules are the building blocks of the Tenant ACL feature. A rule is composed of the following elements:
Signal: The signal is an identifying piece of information that is provided by the incoming request, such as IP address, geolocation, or user agent.
Condition: The condition is the combination of an operator (such as
match
) and a set of values (such as a list of IP addresses).Action: The action is the directive that your rule executes if criteria are met, such as allow, block, or redirect.
Scope: The scope indicates which sets of endpoints that the rule is enforced for, including the Authentication API, Management API, or your entire tenant.
Priority: The priority defines the order in which the rule runs relative to other rules.
Importance of priority
It’s important to determine the correct priority of your rules, because there is strict execution logic you must follow:
Evaluation order: Tenant ACL evaluates rules in numerical order, with smaller numbers executing first. For example, a rule with priority 1 runs before priority 2, and priority 3 runs before priority 4.
Match termination: If a rule’s conditions are met, Tenant ACL performs the rule’s action immediately and does not evaluate subsequent rules and lists.
Monitoring mode exception: If a rule's conditions are met but it’s in monitoring mode, Tenant ACL performs no action and skips to the next rule.
Careful assignment of priorities allows you to create granular access control policies tailored specific to your needs.
Monitoring mode
When a rule is in monitoring mode, Tenant ACL evaluates that rule as it normally would and emits a tenant log event, but does not execute the rule’s action and does not terminate evaluation of subsequent rules and lists.
Monitoring mode is the best way to test how your Tenant ACL rule would affect incoming traffic without interfering with your current Tenant ACL configuration.
You can toggle monitoring mode for a rule by updating the action
object. To learn more, read Configure Rules.
Logging
A log event (acls_summary
) is created every 10 minutes for each Tenant ACL rule with details of how that rule is affecting traffic.
Available fields
The acls_summary
log event type contains the following fields:
Field | Data type | Description | Example |
---|---|---|---|
acl_id |
string | Internal identifier of the rule. | acl_vENikGo5fcJd7FYMLvjKKP |
description |
string | Description of the rule. | Allow traffic that originates from the United States. |
priority |
number | Order in which the rule executes. | 1 |
action |
object | Action the rule executes. | { "allow": true } |
match.successes |
number | Total number of requests the rule successfully matched. | 1 |
total_request_count.successes |
number | Total number of requests the rule successfully evaluated. | 3 |
start_time |
string | Datetime stamp of when the log counting period started. | 2025-03-19T16:11:07.429Z |
end_time |
string | Datetime stamp of when the log counting period ended. | 2025-03-19T16:21:07.429Z |