Visibility of Credentials in the /u/login/password POST Request Payload

Overview

During network traffic monitoring, a POST request to https://{{name-tenant-domain}}/u/login/password may be observed following a successful Auth0 login. When inspecting the payload of this specific API call, the credentials the user typed into the login form, specifically the username (or phone number) and password, are clearly visible in plain text.

It is common to question whether this behavior is expected, if it presents a security risk, and whether the payload can be masked.

Applies To

  • Universal Login

Cause

This is entirely expected behavior. The POST request to the /u/login/password endpoint is the actual mechanism the browser uses to transmit the credentials the user entered to the Auth0 servers for authentication. Because the browser's developer tools run on the client, they capture the request body before it is encrypted for transport, so the raw, unmasked data is displayed.

Solution

No additional action is required to mask the payload, as this behavior is fundamental to how password-based authentication works over the web.

  • It is a one-way transmission: The browser must send the exact credentials to Auth0 so the server can verify them against the database.
  • The server does not echo it back: Once the Auth0 server receives and processes the request, that sensitive information is not returned to the user or browser in the server's response.
  • It is secure in transit: Assuming the application is properly using HTTPS, this payload is encrypted in transit between the user's browser and Auth0, even though it appears as plain text in the local browser's network tab.
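The three points above can be checked mechanically on a saved browser capture. The following is an added example, not Auth0's code: it audits a HAR export for the /u/login/password POST, flags a non-HTTPS request URL or a response that echoes the submitted password, and returns a redacted copy of the capture that is safe to attach to a support ticket. The tenant domain, credentials and HAR entries are constructed placeholders.

```python
import copy
from urllib.parse import urlsplit, parse_qs, urlencode

# Constructed sample HAR (not a real capture); the tenant domain is a placeholder.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "POST",
                 "url": "https://example-tenant.placeholder/u/login/password?state=abc",
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "state=abc&username=alice%40example.com"
                                      "&password=s3cret%21&action=default"}},
     "response": {"status": 302, "content": {"text": ""}}},
    {"request": {"method": "GET", "url": "https://example-tenant.placeholder/authorize",
                 "postData": {"text": ""}},
     "response": {"status": 200, "content": {"text": "<html>login</html>"}}},
]}}

# Form fields that must never leave the machine in a shared capture.
SENSITIVE_FIELDS = ("password", "username")


def audit_login_entries(har):
    """Return (findings, redacted_har) for every /u/login/password POST in the capture.

    findings is a list of strings describing transport or echo problems;
    redacted_har is a deep copy with the sensitive form fields replaced.
    """
    findings = []
    redacted = copy.deepcopy(har)
    for entry in redacted["log"]["entries"]:
        req = entry["request"]
        parts = urlsplit(req["url"])
        if req.get("method") != "POST" or parts.path != "/u/login/password":
            continue
        form = parse_qs(req.get("postData", {}).get("text", ""))
        password = form.get("password", [""])[0]
        # 1. Transport check: the body is protected only by TLS, so the scheme must be https.
        if parts.scheme != "https":
            findings.append("credentials posted over non-HTTPS URL")
        # 2. Echo check: the server must not return the submitted password in its response.
        body = entry["response"].get("content", {}).get("text", "") or ""
        if password and password in body:
            findings.append("response echoes submitted password")
        # 3. Redact the sensitive fields in the copy before the capture is shared.
        for field in SENSITIVE_FIELDS:
            if field in form:
                form[field] = ["[REDACTED]"]
        req["postData"]["text"] = urlencode({k: v[0] for k, v in form.items()}, safe="[]")
    return findings, redacted
```

Run it over a real HAR loaded with `json.load`; the original capture is left untouched and only the redacted copy should be shared.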
