End-of-Life Rollout for Field fromSandbox in Authentication API Error Responses
The end-of-life date for the field fromSandbox in Authentication API error responses was December 9, 2025. After this date, the deprecated behavior will progressively cease to be available. The process to remove access to the deprecated behavior has the following phases:
- January 7, 2026 - Remove access for tenants tagged as development or staging tenants. The transition occurs according to the tenant's environment tag when changes roll out for each environment. Therefore, changing a development tenant to production after the rollout phase is complete will not reinstate the deprecated behavior.
- February 23, 2026 - Remove access for outstanding tenants, including production tenants.
The end-of-life rollout ended on April 30, 2026, and as of that date, all tenants had transitioned to the non-deprecated behavior. The corresponding migration toggle is no longer available in the Auth0 Dashboard (Tenant Settings > Advanced) as the updated behavior is now effective and permanent for all Auth0 tenants.
With the updated behavior, the fromSandbox field is no longer present in error responses returned by the /dbconnections/signup and /dbconnections/change_password Authentication API endpoints for requests targeting custom database connections.
Client systems performing requests to the above endpoints, either directly or via Auth0 SDKs, may experience unexpected outcomes during error handling if they reference or expect the fromSandbox field in error responses. The potential impact extends to tenants still using Classic Login, as the Auth0.js SDK used in Classic Login customizations would expose the fromSandbox field as part of the error object returned by the SDK to the client code.
Example of the format for a historical error response containing the no longer supported fromSandbox field:
{
  "message": "Lorem ipsum dolor sit amet",
  "fromSandbox": true,
  "name": "Error",
  "statusCode": 400
}
- Authentication API
- Custom Database Connections
- End of Life (EOL)
The service removed the field from the respective Authentication API error responses as part of a calendar year 2026 scheduled change, because its presence in error responses could, in specific scenarios, allow the determination of information about the internal state of the system and user accounts. For example, it could enable determining whether a specific user account exists in the system. By removing the field, the service avoids disclosing unnecessary information, which improves the system's overall security.
On June 9, 2025, Auth0 announced the deprecation of the previous service behavior. The information provided in the original announcement is available in the respective Dashboard and Support Center notification.
Update error handling logic referencing or expecting the presence of the fromSandbox field in the error response to be compatible with error responses omitting this field.
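The following is an added example, not code from Auth0 or its SDKs. It contrasts a hypothetical client handler that branches on fromSandbox with one that does not, and includes a regression check that runs both against the historical and current response shapes. The handler names, the retry policy and the display strings are assumptions; only the field names come from the sample response above.

```javascript
// Added example: hypothetical client-side error handling, not Auth0 code.
// The error shape (message, name, statusCode, optional fromSandbox) follows
// the sample response on this page; the handlers and their policy are assumed.

// Legacy pattern (hypothetical): the outcome depends on fromSandbox.
// Once the field is absent, `undefined === true` is false, so every
// error silently takes the "retryable" branch.
function legacyHandleError(err) {
  if (err.fromSandbox === true) {
    return { retryable: false, display: err.message };
  }
  return { retryable: true, display: "Something went wrong. Please try again." };
}

// Updated pattern: decide from statusCode only, never read fromSandbox,
// and show one generic message so the UI does not reveal account state.
function handleAuthError(err) {
  const status = Number.isInteger(err && err.statusCode) ? err.statusCode : 0;
  const clientError = status >= 400 && status < 500;
  return {
    retryable: !clientError, // 4xx: fix the request; anything else may be retried
    display: "We could not complete the request. Check your details and try again.",
    log: { status, name: (err && err.name) || "UnknownError" }, // telemetry only
  };
}

// Constructed samples: the historical shape from this page and the current one.
const historical = { message: "Lorem ipsum dolor sit amet", fromSandbox: true, name: "Error", statusCode: 400 };
const current = { message: "Lorem ipsum dolor sit amet", name: "Error", statusCode: 400 };

// Regression check: a handler is compatible if both shapes give the same outcome.
function sameOutcome(handler) {
  return JSON.stringify(handler(historical)) === JSON.stringify(handler(current));
}
```

Running sameOutcome over each error handler in a test suite flags any code path whose result still depends on the removed field.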