Leaked Auth0 Management API token — full tenant compromise
Auth0 Management API tokens grant broad control over the tenant including user, role, and connection management. Leakage enables full account takeover across every user in the tenant.
The next 60 seconds matter
The attacker hits Auth0's /api/v2/ endpoints to create admin users, reset passwords, modify rules/actions to intercept future logins, and exfiltrate user PII including emails and metadata.
- Dump every user record
- Reset password for any user and take over their account
- Inject a post-login Action that exfiltrates future tokens
- Create a new admin user for persistence
Rotation playbook
- Auth0 Dashboard → Applications → (the M2M application the token was issued to) → Rotate Client Secret
- Review Auth0 Logs for token use in the past 24 hours — specifically `s: m2m` events
- Audit Rules + Actions for unexpected code
- Force password reset on all users if compromise is probable
Prevent the next one
- Never embed a long-lived Management API token; request one on demand via M2M client credentials
- Scope M2M clients to the minimum required permissions
- Use Auth0 Logs + Auth0 Guardian for anomalous M2M activity
Pattern we scan for
A JWT starting with `eyJ...` whose `aud` claim is the Management API audience
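A small Python detector, added here as an illustration (not the scanner's own code), that applies the pattern above: it finds JWT-shaped strings in text, decodes the payload without verifying the signature, and flags only those whose `aud` claim is an Auth0 Management API audience (`https://<tenant>.auth0.com/api/v2/`). The tenant name, sample tokens and scopes are constructed for the demo.

```python
import base64
import json
import re

# Candidate JWTs: three base64url segments, the first starting with "eyJ"
# (base64 of '{"'), which is what the pattern above keys on.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")
# Management API audience: the tenant's canonical Auth0 domain plus /api/v2/,
# e.g. https://acme.us.auth0.com/api/v2/ (trailing slash optional).
MGMT_AUD_RE = re.compile(r"^https://[A-Za-z0-9.-]+\.auth0\.com/api/v2/?$")

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token):
    """Payload claims, or None if not a JWT. The signature is deliberately
    not verified: we only classify a leaked string, we never act on it."""
    try:
        header, payload, _signature = token.split(".")
        json.loads(_b64url_decode(header))  # header must at least parse
        return json.loads(_b64url_decode(payload))
    except ValueError:  # bad base64, bad padding or bad JSON
        return None

def is_management_api_token(token):
    """True when the aud claim (string or list) names an Auth0 Management API."""
    claims = decode_claims(token)
    if not isinstance(claims, dict):
        return False
    aud = claims.get("aud", [])
    aud = aud if isinstance(aud, list) else [aud]
    return any(isinstance(a, str) and MGMT_AUD_RE.match(a) for a in aud)

def scan_text(text):
    """Each Management API token in text as (redacted prefix, aud); the full
    token is never returned, so findings are safe to put in an alert."""
    return [(m.group(0)[:12] + "...", decode_claims(m.group(0))["aud"])
            for m in JWT_RE.finditer(text) if is_management_api_token(m.group(0))]

def make_unsigned_jwt(claims):
    """Build a CONSTRUCTED sample token (alg=none, empty signature) for tests."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

# Constructed sample input: a Management API token next to an ordinary ID token.
SAMPLE_TEXT = "AUTH0_MGMT_TOKEN=" + make_unsigned_jwt(
    {"iss": "https://acme.us.auth0.com/", "aud": "https://acme.us.auth0.com/api/v2/",
     "scope": "read:users update:users"}) + "\nID_TOKEN=" + make_unsigned_jwt(
    {"iss": "https://acme.us.auth0.com/", "aud": "abc123clientid", "sub": "auth0|123"})
```

Running `scan_text(SAMPLE_TEXT)` reports only the first token; the ID token shares the `eyJ` prefix but has a client-id audience, which is why the `aud` check matters more than the prefix.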