Migrate from Auth0

Auth0's Management API provides a thorough export. We map orgs, roles, identities, and metadata into Authio without leaving anything important behind — and without bringing the password hashes.

What you'll keep, what you'll lose, what you'll gain

  • Keep: Auth0 Organizations (preserved as Authio orgs), roles within an org (admin → owner; manager → admin; rest → member), all federated identities (Google, Microsoft, GitHub, Apple, Facebook, and any SAML/OIDC connection), app_metadata and user_metadata (preserved under Authio user metadata).
  • Lose: Auth0 Database Connection passwords (bcrypt; Authio is passwordless), Auth0 Rules / Actions (these are app logic; Authio has webhooks + the risk engine as Authio-native replacements).
  • Gain: One Authio user across all your orgs (in Auth0, the same user is duplicated per organization if they self-onboard separately). Passkeys. The risk engine with adaptive step-up. The audit stream.

Auth0 migration emails vs Authio passkey enrollment

Auth0's user-import endpoint optionally accepts password hashes, and the “lazy migration” flow prompts users for their old password and validates it against the imported hash. We don't do that. Authio is passwordless: every imported user is flagged migration_pending_email=true. On a user's first sign-in attempt, the hosted UI prompts “Set up sign-in for your account” and runs them through passkey or magic-link enrollment.

For high-touch tenants, send a pre-migration email with a magic link before the cutover so users land in Authio's enrollment flow rather than being prompted on their next normal sign-in.

Roles → memberships

Auth0 RBAC has org-scoped roles. The importer maps:

  • Role admin or owner → Authio owner
  • Role manager or moderator → Authio admin
  • All other roles → Authio member (with the original role name preserved in metadata)

Identities

Auth0's identities[] contains both the Database identity (we drop that — it's the password) and any federated identities (we map them). The mapping:

  • google-oauth2 → oauth_google
  • windowslive / azuread → oauth_microsoft
  • github / apple / facebook → oauth_*
  • samlp → saml_<connection>
  • oidc → oidc_<connection>
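
A pre-import preview of the role and identity mappings listed above, as an added example rather than Authio's importer code. It assumes the export holds one JSON object per line, reads oauth_* as oauth_<provider>, and uses hypothetical report keys and a hypothetical original_role metadata key.

```python
import json

# Tables transcribed from this page's role and identity lists.
ROLE_MAP = {"admin": "owner", "owner": "owner", "manager": "admin", "moderator": "admin"}
PROVIDER_MAP = {"google-oauth2": "oauth_google", "windowslive": "oauth_microsoft",
                "azuread": "oauth_microsoft", "github": "oauth_github",
                "apple": "oauth_apple", "facebook": "oauth_facebook"}
PER_CONNECTION = {"samlp": "saml_", "oidc": "oidc_"}
DATABASE_PROVIDER = "auth0"  # provider value Auth0 uses for Database Connection identities

def map_role(name):
    """Return (target_role, metadata). Unlisted roles become member and keep their name."""
    target = ROLE_MAP.get(name)
    # "original_role" is a hypothetical metadata key chosen for this example.
    return (target, {}) if target else ("member", {"original_role": name})

def map_identity(identity):
    """Return the target identity type, or None if the provider is not in the tables."""
    provider = identity.get("provider", "")
    if provider in PER_CONNECTION:
        return PER_CONNECTION[provider] + identity.get("connection", "")
    return PROVIDER_MAP.get(provider)

def preview(export_lines):
    """Summarise what the mapping keeps for each user (one JSON object per line)."""
    report = {"users": 0, "mapped": {}, "no_federated_identity": [], "unmapped": set()}
    for line in filter(str.strip, export_lines):  # skip blank lines
        user = json.loads(line)
        report["users"] += 1
        kept = []
        for ident in user.get("identities", []):
            if ident.get("provider") == DATABASE_PROVIDER:
                continue  # password identity: dropped, never carried over
            target = map_identity(ident)
            if target:
                kept.append(target)
            else:
                report["unmapped"].add(ident.get("provider"))
        report["mapped"][user["user_id"]] = kept
        if not kept:  # these users can only get in through email enrollment
            report["no_federated_identity"].append(user["user_id"])
    return report

# Constructed sample export (not real tenant data).
SAMPLE = """\
{"user_id": "auth0|a1", "identities": [{"provider": "auth0", "connection": "Username-Password-Authentication"}]}
{"user_id": "google-oauth2|b2", "identities": [{"provider": "auth0", "connection": "Username-Password-Authentication"}, {"provider": "google-oauth2", "connection": "google-oauth2"}]}
{"user_id": "samlp|acme-sso|c3", "identities": [{"provider": "samlp", "connection": "acme-sso"}, {"provider": "linkedin", "connection": "linkedin"}]}
"""
```

Calling preview(SAMPLE.splitlines()) lists users who will depend entirely on email-based enrollment and any providers the tables above do not cover, which is worth reviewing before the dry run.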

Sessions

Auth0 sessions are dropped. Users re-authenticate via passkey or magic link on their next visit.

Rollback plan

Run Authio alongside Auth0 for a billing cycle. Re-run the importer nightly against a fresh Auth0 export. Flip your app from Auth0's Universal Login to Authio's hosted UI when ready.

Step-by-step: CLI

# 1) Issue an Auth0 Management API token.
# In Auth0: Applications → APIs → Auth0 Management API → API Explorer.

# 2) Trigger a bulk export job.
curl -X POST 'https://YOUR_TENANT.auth0.com/api/v2/jobs/users-exports' \
  -H "authorization: Bearer $AUTH0_MGMT_TOKEN" \
  -H "content-type: application/json" \
  -d '{"format":"json","fields":[
    {"name":"user_id"},{"name":"email"},{"name":"email_verified"},
    {"name":"name"},{"name":"nickname"},{"name":"picture"},
    {"name":"identities"},{"name":"organizations"},
    {"name":"app_metadata"},{"name":"user_metadata"},{"name":"blocked"}
  ]}'

# 3) Poll the job until "status":"completed", then download "location":
# "...amazonaws.com/.../users.json" into auth0.json.

# 4) Dry-run.
authio import auth0 --input ./auth0.json --dry-run | jq '.stats'

# 5) Apply.
authio import auth0 --input ./auth0.json

Step-by-step: dashboard wizard (file upload)

Visit app.authio.com/migrate/auth0 and follow the four-step flow.

Live import (paste an API token)

Skip the export/download dance. Paste an Auth0 Management API token into the wizard and Authio paginates your tenant for you.

  1. Generate a token in Auth0 dashboard → Applications → APIs → Auth0 Management API → API Explorer. Required scopes: read:users, read:user_idp_tokens, read:organizations, read:organization_members, read:organization_member_roles.
  2. In the Authio dashboard wizard, pick the Connect with API token tab. Paste your tenant domain (your-tenant.auth0.com) and the token.
  3. Authio probes your tenant with a single low-cost call and shows estimated user / org counts before you commit.
  4. Click Start import. The wizard polls every 2 seconds and renders live progress bars per record type.

Your token is encrypted at rest with envelope encryption (per-row DEK wrapped by a per-project KEK). The credential row is auto-deleted within 24 hours and marked consumed_at the moment the import job reads it.

Live import via the CLI

authio import auth0 \
  --live-token "$AUTH0_MGMT_TOKEN" \
  --auth0-domain your-tenant.auth0.com \
  --dry-run

Post-migration checklist

  • Send migration emails (or pre-migration emails).
  • Re-create any Auth0 Rules / Actions as Authio webhook handlers or risk-engine rules.
  • Update your application code to point at Authio's hosted UI.
  • If you used Auth0's M2M client-credentials grants, re-issue Authio API keys.
  • Decommission Auth0 after one full billing cycle.