Deactivate or Block Users After Several Days of Inactivity in Auth0

Overview

This article presents a workaround for deactivating or blocking users after several days of inactivity in Auth0.

Applies To

  • Block Users
  • Deactivate Users
  • Inactive Users
  • Auth0

Solution

Auth0 does not support this feature out of the box.

Workaround: Custom Application with Management API

As a workaround, an application can be built that runs daily to:

  1. Export users using the Export Users Management API.
  2. Filter the exported users for those with an old last_login value.
  3. Block the identified inactive users using the Update a User Management API with the following payload:
    {
      "blocked": true
    }

Important Consideration: last_login Limitations

The last_login field isn't updated during silent logins or refresh token calls.

These events can keep the user session active in an application without updating last_login, potentially causing active users to be incorrectly flagged as inactive. A more accurate solution would require storing the last activity time in the user's app_metadata via a post-login Action.

Sample Post-Login Action

The following Action can serve as a starting point. Since updating app_metadata consumes Management API rate limits, it is recommended to avoid updating the activity field on every silent login attempt, as this can occur multiple times per day.

exports.onExecutePostLogin = async (event, api) => {
  const now = new Date();
  const lastActiveStr = event.user.app_metadata?.last_active;

  // OPTIMIZATION: Only update the metadata if it has been more than 24 hours.
  // Single-Page Applications (SPAs) often trigger Silent Auth multiple times a day.
  // Throttling writes prevents unnecessary use of the management API.
  if (lastActiveStr) {
    const lastActive = new Date(lastActiveStr);
    const hoursSinceLastActive = (now - lastActive) / (1000 * 60 * 60);

    if (hoursSinceLastActive < 24) {
      return; // Exit early; they are already marked as active for the last 24 hours
    }
  }

  // Set the current timestamp in ISO 8601 format (e.g., "2026-05-01T20:43:06.000Z")
  api.user.setAppMetadata("last_active", now.toISOString());
};

Export API Payload

The export API payload should include app_metadata, user_id, and blocked status. For example:

{
  "format": "json",
  "fields": [
    {"name": "user_id"},
    {"name": "blocked"},
    {"name": "app_metadata.last_active"}
  ]
}
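
The filter-and-block step of the daily job could look like the following. This is an added example, not code from the original article or from Auth0. It assumes the export file has been downloaded and decompressed into newline-delimited JSON, accepts last_active either nested under app_metadata or as a flat dotted key, and uses hypothetical function names, constructed sample records, and a policy choice to hold users without a usable timestamp for review instead of blocking them.

```javascript
// Constructed sample of an export file: one JSON object per line.
const SAMPLE_EXPORT = [
  '{"user_id":"auth0|active1","blocked":false,"app_metadata":{"last_active":"2026-04-28T09:00:00.000Z"}}',
  '{"user_id":"auth0|stale1","blocked":false,"app_metadata":{"last_active":"2025-12-01T09:00:00.000Z"}}',
  '{"user_id":"google-oauth2|stale2","app_metadata.last_active":"2026-01-15T09:00:00.000Z"}',
  '{"user_id":"auth0|already","blocked":true,"app_metadata":{"last_active":"2025-01-01T00:00:00.000Z"}}',
  '{"user_id":"auth0|nofield","blocked":false}',
  '{"user_id":"auth0|baddate","blocked":false,"app_metadata":{"last_active":"not-a-date"}}',
].join('\n');

// Hypothetical helper: split exported users into those to block and those
// that need manual review. thresholdDays is the inactivity policy.
function classifyUsers(ndjson, now, thresholdDays) {
  const cutoff = now.getTime() - thresholdDays * 24 * 60 * 60 * 1000;
  const result = { toBlock: [], needsReview: [] };
  for (const line of ndjson.split('\n')) {
    if (!line.trim()) continue; // tolerate blank lines
    const user = JSON.parse(line);
    if (user.blocked === true) continue; // already blocked, nothing to do
    // Assumption: accept both a nested object and a flat dotted key.
    const raw = user.app_metadata?.last_active ?? user['app_metadata.last_active'];
    const ts = raw ? Date.parse(raw) : NaN;
    if (Number.isNaN(ts)) {
      // Missing or unparsable timestamp (for example, no login since the
      // Action was deployed): absence is not proof of inactivity.
      result.needsReview.push(user.user_id);
    } else if (ts < cutoff) {
      result.toBlock.push(user.user_id);
    }
  }
  return result;
}

// Hypothetical helper: describe the Update a User call for one user.
// user_id contains "|", so it must be URL-encoded in the path.
function buildBlockRequest(userId) {
  return {
    method: 'PATCH',
    path: '/api/v2/users/' + encodeURIComponent(userId),
    body: JSON.stringify({ blocked: true }),
  };
}
```

The request objects still need the tenant domain and a Management API access token before they are sent.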

Alternative Approach

Alternatively, user activity can be stored in the application's own database. When a user is determined to be inactive, they can be blocked in Auth0 using the Update a User Management API. 

This approach does not rely on a custom Action and may be a simpler alternative in many cases, especially if user activity is already monitored on the application side.
