Changes
Note: As this is a major release it is recommended to understand the Breaking Changes section before upgrading. The UPGRADING.md contains details on version upgrade.
⚠️ Breaking Changes
ConnectionAttributeIdentifierremoved (no compatibility alias); split into three types. Theidentifierfield on each attribute now points to its own type:EmailAttribute.identifier:EmailAttributeIdentifier—{active?, default_method?: DefaultMethodEmailIdentifierEnum}(same shape as the old type; use this as the drop-in replacement).PhoneAttribute.identifier:PhoneAttributeIdentifier—{active?, default_method?: DefaultMethodPhoneNumberIdentifierEnum}.UsernameAttribute.identifier:UsernameAttributeIdentifier—{active?}(nodefault_method).
PhoneProviderProtectionBackoffStrategyEnum:Literal["exponential", "none"]→Literal["exponential", "default"]. Replace the value"none"with"default".ListRolesOffsetPaginatedResponseContent.start/.limit/.total:Optional[float] = None→ requiredfloat. Deserializing a role-list response missing any of these now raisespydantic.ValidationError.- Federated Connections Tokensets removed — the
users.federated_connections_tokensetsclient and itslist/deletemethods are removed, along with theFederatedConnectionTokenSetandConnectionFederatedConnectionsAccessTokenstypes. federated_connections_access_tokensfield removed — this optional field is no longer present onConnectionOptionsAzureAd,ConnectionOptionsCommonOidc,ConnectionOptionsGoogleApps,ConnectionPropertiesOptions, andUpdateConnectionOptions.- OAuth scopes removed —
read:federated_connections_tokensanddelete:federated_connections_tokensare no longer valid values ofOauthScope. ClientSessionTransferDelegationDeviceBindingEnumnarrowed — the"asn"value is removed; the enum now only accepts"ip".
New Endpoints
organizations.roles.members.list(id=..., role_id=...)(sync + async) →GET /api/v2/organizations/{id}/roles/{role_id}/members. New sub-clientsorganizations.rolesandorganizations.roles.members; response typeListOrganizationRoleMembersResponseContent, item typeRoleMember.
Type Changes/Features
- Organizations:
third_party_client_access: Optional[OrganizationThirdPartyClientAccessEnum](Literal["block", "allow"]) oncreate()/update()and all organization response types. - Organizations: new types
ListOrganizationRoleMembersResponseContentandRoleMember(returned by the role-members endpoint above). - Grants: new
UserGrant.organization_id: Optional[str](read-only), viaGET /grants. - Connections:
discovery_url/oidc_metadataextended tosamlpconnections (previously OIDC-only), via newConnectionsDiscoveryUrl/ConnectionsOidcMetadataonConnectionPropertiesOptionsandUpdateConnectionOptions. - Event Streams: new event-type values
connection.created,connection.deleted,connection.updatedonEventStreamEventTypeEnum,EventStreamDeliveryEventTypeEnum,EventStreamSubscribeEventsEventTypeEnum,EventStreamTestEventTypeEnum; newEventStreamCloudEventConnection{Created,Deleted,Updated}*payload types; newEventStreamSubscribeEventsResponseContent. - Token Vault: new
grants: Optional[List[TokenVaultPrivilegedAccessGrant]]on the privileged-access credential/public-key types.TokenVaultPrivilegedAccessGrant:{connection: str, scopes: List[str]}. - New error body types:
NotFoundErrorBody/NotFoundErrorBodyError,TooManyRequestsErrorBody/TooManyRequestsErrorBodyError. - CloudEvent
specversion:str→EventStreamCloudEventSpecVersionEnum(Literal["1.0"]+Anyfallback) across group/org/user CloudEvent types. NetworkAclMatch— new optionalauth0_managed: Optional[List[str]]field (serialized asauth0_managed), available on both thematchandnot_matchrule blocks. This lets network ACL rules reference Auth0-managed lists when matching or excluding traffic.