Empty Session Object in Post-Login Actions Event

Overview

In post-login actions, the event.session property is no longer an empty object when session information is unavailable for the login flow that executes the action. Instead, the property is undefined whenever session information is not applicable. A session identifier (ID) is still not available in such flows; the difference is that the session object itself is now absent, where previously it was an empty object with an undefined ID.

Examples of login flows for which the session is not applicable are the resource owner password credentials grant and the refresh token grant.

The post-login action trigger documentation has always listed the event.session property as optional, indicating that it would be unavailable whenever the trigger gets executed as part of a login flow for which session information is unavailable. Additionally, for post-login actions that preserve the default JSDoc comments, the embedded code editor in the Dashboard provides explicit warnings when accessing an event.session property without first ensuring that the session object is available.

Applies To

  • Actions
  • Sessions

Cause

The property returning undefined instead of an empty object is expected. It results from a planned change that corrects an implementation issue: for a subset of login flows that should not have session information, the service returned an empty object instead of undefined.

Auth0 addressed the issue in September 2024 for tenants who either did not use the event.session object, or for whom data analysis showed that sufficient logic checks were already in place before using the object. Tenants potentially impacted by the change received multiple email notifications throughout calendar year 2025; enforcement of the change for those tenants began in early November 2025.

Solution

Post-login actions accessing properties of the session object (event.session.<property>) must first ensure that the session object is available.

The following examples illustrate some approaches for safely accessing session object properties.

Example 1:

if (event.session) {
    // logic that accesses session properties
}

Example 2:

// optional chaining operator short circuits 
// expression evaluation to undefined instead 
// of throwing an error if a session is unavailable
console.log(event.session?.id); 
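
The following is an added example, not code from Auth0 or from the original article. It contrasts unguarded access with a guard that handles both the current undefined value and the earlier empty object. The helper names, the claim name, and the sample events are assumptions constructed for illustration.

```javascript
// Constructed sample events (not captured from a real tenant).
const interactiveLogin = { session: { id: "sess_constructed_123" } };
const refreshTokenGrant = { session: undefined }; // current behaviour
const legacyEmptySession = { session: {} };       // behaviour before the change

// "Before": unguarded access. Yields undefined for {} but throws a
// TypeError once event.session itself is undefined.
function unguardedSessionId(event) {
  return event.session.id;
}

// "After": one guard that treats an undefined session and a legacy
// empty object the same way, as "no session for this flow".
function getSessionId(event) {
  const id = event.session?.id;
  return typeof id === "string" && id.length > 0 ? id : null;
}

// Hypothetical claim name, used only for this illustration.
const HAS_SESSION_CLAIM = "https://example.com/has_session";

// Post-login handler: session-dependent logic runs only when a session exists.
const onExecutePostLogin = async (event, api) => {
  const sessionId = getSessionId(event);
  if (sessionId === null) {
    return; // e.g. refresh token or password grant: nothing session-bound to do
  }
  api.idToken.setCustomClaim(HAS_SESSION_CLAIM, true);
};

// In an Action, the handler is exposed as exports.onExecutePostLogin.
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```
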
