Tenant Access Control List

Tenant Access Control List (ACL) allows you to manage traffic to your Auth0 services with configurable rules. It helps you protect your tenant and conserve your rate limits against potential threats, such as denial-of-service (DoS) attacks, and ensures that only legitimate users access your applications. 

How it works

When your tenant or Management API receives a request, Tenant ACL processes that request and then determines how to respond based on the rules you have configured.

For example, you could create a Tenant ACL rule that blocks any traffic coming from a specific IP address from accessing your tenant.

Rules

Rules are the building blocks of the Tenant ACL feature. A rule is composed of the following elements:

  • Signal: The signal is an identifying piece of information that is provided by the incoming request, such as IP address, geolocation, or user agent.

  • Condition: The condition is the combination of an operator (such as match) and a set of values (such as a list of IP addresses).

  • Action: The action is the directive that your rule executes if criteria are met, such as allow, block, or redirect.

  • Scope: The scope indicates which sets of endpoints that the rule is enforced for, including the Authentication API, Management API, or your entire tenant.

  • Priority: The priority defines the order in which the rule runs relative to other rules.

Importance of priority

It’s important to determine the correct priority of your rules, because there is strict execution logic you must follow:

  • Evaluation order: Tenant ACL evaluates rules in numerical order, with smaller numbers executing first. For example, a rule with priority 1 runs before priority 2, and priority 3 runs before priority 4.

  • Match termination: If a rule’s conditions are met, Tenant ACL performs the rule’s action immediately and does not evaluate subsequent rules and lists.​

  • Monitoring mode exception: If a rule's conditions are met but it’s in monitoring mode, Tenant ACL performs no action and skips to the next rule.

Careful assignment of priorities allows you to create granular access control policies tailored specific to your needs.

Monitoring mode

When a rule is in monitoring mode, Tenant ACL evaluates that rule as it normally would and emits a tenant log event, but does not execute the rule’s action and does not terminate evaluation of subsequent rules and lists.

Monitoring mode is the best way to test how your Tenant ACL rule would affect incoming traffic without interfering with your current Tenant ACL configuration.

You can toggle monitoring mode for a rule by updating the action object. To learn more, read Configure Rules.

Logging

A log event (acls_summary) is created every 10 minutes for each Tenant ACL rule with details of how that rule is affecting traffic.

Available fields

The acls_summary log event type contains the following fields:

Field Data type Description Example
acl_id string Internal identifier of the rule. acl_vENikGo5fcJd7FYMLvjKKP
description string Description of the rule. Allow traffic that originates from the United States.
priority number Order in which the rule executes. 1
action object Action the rule executes. { "allow": true }
match.successes number Total number of requests the rule successfully matched. 1
total_request_count.successes number Total number of requests the rule successfully evaluated. 3
start_time string Datetime stamp of when the log counting period started. 2025-03-19T16:11:07.429Z
end_time string Datetime stamp of when the log counting period ended. 2025-03-19T16:21:07.429Z

Learn more