English for Auth0 Authentication
Learn the English vocabulary for Auth0: tenants, connections, rules and actions, and the terms for discussing an authentication integration clearly.
Auth0 sits between an application and however a user actually proves who they are — a password, a social login, an enterprise SSO provider — and its vocabulary reflects that layered role, which matters when explaining a login bug to someone unfamiliar with the platform.
Key Vocabulary
Tenant — the top-level Auth0 container isolating a set of applications, users, and configuration from any other tenant, roughly analogous to a separate account or workspace. “We’re using separate tenants for staging and production, so a misconfigured rule in staging can never accidentally affect real user logins.”
Connection — the configured identity source a user authenticates against (a database of emails and passwords, a social provider like Google, or an enterprise SAML/OIDC provider); an application can be set to allow one or several connections. “We enabled the Google connection alongside the existing database connection, so users can either sign up with email or log in with an existing Google account.”
Action (post-login action) — a piece of custom code that runs at a specific point in the authentication flow (after login, before token issuance) to add custom logic like enriching a token with extra claims or blocking certain users. “We added a post-login action that checks the user’s email domain and assigns a role claim automatically, instead of every application having to look that up separately.”
Rule (legacy) — the older mechanism for custom authentication-flow logic, functionally similar to actions but being phased out in favor of the newer, more flexible actions framework. “That logic is still implemented as a legacy rule — we’re migrating it to an action, since rules are deprecated and don’t support the newer extensibility points.”
Refresh token rotation — a security setting where each use of a refresh token invalidates it and issues a new one, limiting the damage if a refresh token is ever leaked or intercepted. “We enabled refresh token rotation on the mobile app’s connection — even if a token were somehow intercepted, it becomes useless after the legitimate client’s next refresh.”
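The post-login action from the Action entry above (check the email domain, assign a role claim), written out as an added example; it is not code from this page or from Auth0. The claim namespace, the domain-to-role map and the helper name roleForUser are assumptions made for illustration; onExecutePostLogin and setCustomClaim are the Auth0 Actions interface.

```javascript
// Added example. Constructed values: the claim namespace and the domain-to-role map.
const CLAIM_NAMESPACE = "https://example.com/claims";
const ROLE_BY_DOMAIN = new Map([
  ["example.com", "employee"],
  ["partner.example", "partner"],
]);

// Pure helper (hypothetical name) so the decision can be unit-tested without Auth0.
function roleForUser(user) {
  // An unverified address proves nothing about who controls the domain,
  // so it must never drive a role decision.
  if (!user || typeof user.email !== "string" || user.email_verified !== true) {
    return null;
  }
  const at = user.email.lastIndexOf("@");
  if (at < 1 || at === user.email.length - 1) return null;
  // Exact match on the full domain: "notexample.com" and
  // "example.com.other.test" must not be treated as "example.com".
  const domain = user.email.slice(at + 1).toLowerCase();
  return ROLE_BY_DOMAIN.get(domain) ?? null;
}

// Entry point Auth0 calls in the post-login trigger.
async function onExecutePostLogin(event, api) {
  const role = roleForUser(event.user);
  if (role === null) return; // no role claim; applications see an ordinary user
  const claim = `${CLAIM_NAMESPACE}/role`;
  api.idToken.setCustomClaim(claim, role);
  api.accessToken.setCustomClaim(claim, role);
}

// Auth0 loads the handler from exports.onExecutePostLogin.
if (typeof exports !== "undefined") exports.onExecutePostLogin = onExecutePostLogin;
```

When describing an action like this in a review, name both conditions: the claim is added only for a verified email on an exactly matching domain.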
Common Phrases
- “Is this a database connection issue, or is the social connection failing?”
- “Is this logic implemented as a post-login action, or is it still a legacy rule?”
- “Which tenant is this happening in — staging or production?”
- “Do we have refresh token rotation enabled for this client, or is that a gap?”
- “Is this claim being added by an action, or is it coming from the identity provider directly?”
Example Sentences
Diagnosing a login failure: “Users can’t log in through the Google connection specifically — the database connection is fine, so this looks like an issue with the social provider’s configuration, not our tenant setup generally.”
Explaining a migration in a PR: “Migrated the domain-based role assignment logic from a legacy rule to a post-login action — same behavior, but on the framework Auth0 is actually continuing to support.”
Discussing a security hardening decision: “We’re turning on refresh token rotation for all mobile clients this quarter — it meaningfully reduces the blast radius if a token ever leaks from a compromised device.”
Professional Tips
- Say tenant when scoping a discussion to staging versus production — a config change made in the wrong tenant is a common and avoidable class of incident.
- Name the specific connection when reporting a login issue — “login is broken” is far less useful than “the SAML connection for our enterprise customer is failing.”
- Prefer actions over legacy rules in new work and flag existing rules for migration — the terminology distinction signals which system a fix should actually target.
- Mention refresh token rotation explicitly in any security review of a client’s auth config — it’s a meaningful mitigation that’s easy to overlook since it doesn’t affect the normal login experience.
Practice Exercise
- Write a sentence explaining what a tenant isolates.
- Describe the difference between a connection and an action.
- Explain what refresh token rotation protects against.