The end-of-life date for the legacy and non-customizable unblock account flow, available for brute-force protection via email notification, was December 11, 2025. As a result, the deprecated behavior will progressively cease to be available. The process to remove access to the deprecated behavior has the following phases:

• February 2, 2026 - Remove access for tenants tagged as development or staging tenants. The transition occurs according to the tenant's environment tag when changes roll out for each environment. Therefore, changing a development tenant to production after the rollout phase is complete will not reinstate the deprecated behavior.
• April 13, 2026 - Remove access for outstanding tenants, including production tenants.

The dates above mark the day the rollout for a particular phase starts; each phase may take several weeks to complete, so different tenants in the same phase may not observe the change simultaneously.

This article will receive updates as information related to the complete timeline for enforcing the new behavior becomes available.

Once the deprecated behavior is unavailable in a given tenant, the unblock URL included in user email notifications related to the blocked account email template will trigger the revised unblock flow that supports customization and localization through Universal Login and improves the experience for situations where email security scanners process the unblock email. The flow change is noticeable in the URL itself, as the legacy flow used the path /lo/unblock while the updated flow uses the path /u/brute-force-protection-unblock.

The updated URL will no longer cause the user block to be immediately removed as part of an HTTP (GET) request to that URL. Instead, the response content returns a form that will auto-submit itself in JavaScript-enabled user agents. If the form cannot be automatically submitted, the end-user can manually submit it and complete the unblock process.

In addition to the above, the new unblock flow behaves similarly to other Universal Login prompts, unlocking the same customization capabilities. For example, it will automatically use any Universal Login theme customizations and also allow for customization of text elements.

• Brute-force Protection
• End of Life (EOL)

The service updated the behavior for unblock flow triggered from blocked account email notifications as part of a calendar year 2025 scheduled change, because the previous approach had compatibility issues with email security scanners. By updating the flow to allow customization through Universal Login and requiring a form submission as part of removing the end-user block, we ensure an improved and more secure experience.

On June 11, 2025, Auth0 announced the deprecation of the previous service behavior. The information provided in the original announcement is available in the respective Dashboard and Support Center notification.

The transition from the legacy unblock flow to the updated flow is unlikely to cause any functional impact, as the outcome of the flow remains unchanged. In particular, any existing brute-force protection block is still removed as part of the user navigating to the unblock URL.

However, the user experience within the interface screens shown when accessing the unblock URL will differ, so it is essential to verify that existing Universal Login customizations behave as expected when the service applies them to the new unblock screens.