auth0 · nelsonmaia · May 16, 2025 · Jul 31, 2025 · Nov 11, 2025 · Nov 11, 2025
@@ -106,3 +106,5 @@ require (
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
+
+replace github.com/auth0/go-auth0 => ../go-auth0
@@ -15,7 +15,11 @@ func expandTenant(data *schema.ResourceData) *management.Tenant {
 
 	sessionLifetime := data.Get("session_lifetime").(float64)          // Handling separately to preserve default values not honored by `d.GetRawConfig()`.
 	idleSessionLifetime := data.Get("idle_session_lifetime").(float64) // Handling separately to preserve default values not honored by `d.GetRawConfig()`.
+	ephemeralSessionLifetime := data.Get("ephemeral_session_lifetime").(float64) // Handling separately to preserve default values not honored by `d.GetRawConfig()`.
+	idleEphemeralSessionLifetime := data.Get("idle_ephemeral_session_lifetime").(float64) // Handling separately to preserve default values not honored by `d.GetRawConfig()`.
 
+
+
 	tenant := management.Tenant{
 		DefaultAudience:                      value.String(config.GetAttr("default_audience")),
 		DefaultDirectory:                     value.String(config.GetAttr("default_directory")),
@@ -26,6 +30,7 @@ func expandTenant(data *schema.ResourceData) *management.Tenant {
 		SupportURL:                           value.String(config.GetAttr("support_url")),
 		AllowedLogoutURLs:                    value.Strings(config.GetAttr("allowed_logout_urls")),
 		SessionLifetime:                      &sessionLifetime,
+		EphemeralSessionLifetime: 			  &ephemeralSessionLifetime,
 		SandboxVersion:                       value.String(config.GetAttr("sandbox_version")),
 		EnabledLocales:                       value.Strings(config.GetAttr("enabled_locales")),
 		Flags:                                expandTenantFlags(config.GetAttr("flags")),
@@ -45,6 +50,10 @@ func expandTenant(data *schema.ResourceData) *management.Tenant {
 	if data.IsNewResource() || data.HasChange("idle_session_lifetime") {
 		tenant.IdleSessionLifetime = &idleSessionLifetime
 	}
+	if data.IsNewResource() || data.HasChange("idle_ephemeral_session_lifetime") {
+		tenant.IdleEphemeralSessionLifetime = &idleEphemeralSessionLifetime
+	}
+
 
 	return &tenant
 }

@@ -22,6 +22,8 @@ func flattenTenant(data *schema.ResourceData, tenant *management.Tenant) error {
 		data.Set("allowed_logout_urls", tenant.GetAllowedLogoutURLs()),
 		data.Set("session_lifetime", tenant.GetSessionLifetime()),
 		data.Set("idle_session_lifetime", tenant.GetIdleSessionLifetime()),
+		data.Set("ephemeral_session_lifetime", tenant.GetEphemeralSessionLifetime()),
+		data.Set("idle_ephemeral_session_lifetime", tenant.GetIdleEphemeralSessionLifetime()),
 		data.Set("sandbox_version", tenant.GetSandboxVersion()),
 		data.Set("enabled_locales", tenant.GetEnabledLocales()),
 		data.Set("flags", flattenTenantFlags(tenant.GetFlags())),
@@ -45,6 +47,14 @@ func flattenTenant(data *schema.ResourceData, tenant *management.Tenant) error {
 		result = multierror.Append(result, data.Set("session_lifetime", sessionLifetimeDefault))
 	}
 
+	if tenant.GetIdleEphemeralSessionLifetime() == 0 {
+		result = multierror.Append(result, data.Set("idle_ephemeral_session_lifetime", idleSessionLifetimeDefault))
+	}
+	if tenant.GetEphemeralSessionLifetime() == 0 {
+		result = multierror.Append(result, data.Set("ephemeral_session_lifetime", sessionLifetimeDefault))
+	}
+
+
 	if tenant.GetACRValuesSupported() == nil {
 		result = multierror.Append(result,
 			data.Set("disable_acr_values_supported", true),

@@ -101,4 +101,18 @@ func TestFlattenTenant(t *testing.T) {
 		assert.NoError(t, err)
 		assert.Equal(t, mockResourceData.Get("error_page"), []interface{}{})
 	})
+
+	t.Run("it sets ephemeral session values correctly when returned by the API", func(t *testing.T) {
+		tenant := management.Tenant{
+			EphemeralSessionLifetime:     auth0.Float64(1.5),
+			IdleEphemeralSessionLifetime: auth0.Float64(0.25),
+		}
+
+		err := flattenTenant(mockResourceData, &tenant)
+
+		assert.NoError(t, err)
+		assert.Equal(t, 1.5, mockResourceData.Get("ephemeral_session_lifetime"))
+		assert.Equal(t, 0.25, mockResourceData.Get("idle_ephemeral_session_lifetime"))
+	})
+
 }
@@ -24,6 +24,9 @@ import (
 const (
 	idleSessionLifetimeDefault = 72.00
 	sessionLifetimeDefault     = 168.00
+	ephemeralSessionLifetimeDefault     = 1.00 // 1 hour
+	idleEphemeralSessionLifetimeDefault = 1.00 // 1 hour
+
 )
 
 // NewResource will return a new auth0_tenant resource.
@@ -108,6 +111,21 @@ func NewResource() *schema.Resource {
 				ValidateFunc: validation.FloatAtLeast(0.01),
 				Description:  "Number of hours during which a session can be inactive before the user must log in again.",
 			},
+			"ephemeral_session_lifetime": {
+				Type:         schema.TypeFloat,
+				Optional:     true,
+				Default:      ephemeralSessionLifetimeDefault,
+				ValidateFunc: validation.FloatAtLeast(0.0167),
+				Description:  "Number of hours an ephemeral (non-persistent) session will stay valid.",
+			},
+			"idle_ephemeral_session_lifetime": {
+				Type:         schema.TypeFloat,
+				Optional:     true,
+				Default:      idleEphemeralSessionLifetimeDefault,
+				ValidateFunc: validation.FloatAtLeast(0.0167),
+				Description:  "Number of hours for which an ephemeral (non-persistent) session can be inactive before the user must log in again.",
+			},
+
 			"enabled_locales": {
 				Type:     schema.TypeList,
 				Elem:     &schema.Schema{Type: schema.TypeString},

@@ -39,8 +39,10 @@ resource "auth0_tenant" "my_tenant" {
 	default_redirection_uri                       = "https://example.com/login"
 	allowed_logout_urls                           = [ "https://mycompany.org/logoutCallback" ]
 	session_lifetime                              = 720
-	sandbox_version                               = "16"
+	sandbox_version                               = "18"
 	idle_session_lifetime                         = 72
+	ephemeral_session_lifetime      			  = 48
+	idle_ephemeral_session_lifetime 			  = 36
 	enabled_locales                               = ["en", "de", "fr"]
 	disable_acr_values_supported                  = true
 
@@ -176,7 +178,7 @@ resource "auth0_tenant" "my_tenant" {
 	support_url                                   = "https://mycompany.org/support"
 	allowed_logout_urls                           = []
 	session_lifetime                              = 720
-	sandbox_version                               = "16"
+	sandbox_version                               = "18"
 	idle_session_lifetime                         = 72
 	enabled_locales                               = ["de", "fr"]
 
@@ -231,7 +233,7 @@ resource "auth0_tenant" "my_tenant" {
 	support_url                                   = "https://mycompany.org/support"
 	allowed_logout_urls                           = []
 	session_lifetime                              = 720
-	sandbox_version                               = "16"
+	sandbox_version                               = "18"
 	idle_session_lifetime                         = 72
 
 	allow_organization_name_in_authentication_api = true
@@ -336,8 +338,10 @@ func TestAccTenant_Main(t *testing.T) {
 					resource.TestCheckResourceAttr("auth0_tenant.my_tenant", "support_url", "https://mycompany.org/support"),
 					resource.TestCheckResourceAttr("auth0_tenant.my_tenant", "allowed_logout_urls.0", "https://mycompany.org/logoutCallback"),
 					resource.TestCheckResourceAttr("auth0_tenant.my_tenant", "session_lifetime", "720"),
-					resource.TestCheckResourceAttr("auth0_tenant.my_tenant", "sandbox_version", "16"),
+					resource.TestCheckResourceAttr("auth0_tenant.my_tenant", "sandbox_version", "18"),
 					resource.TestCheckResourceAttr("auth0_tenant.my_tenant", "idle_session_lifetime", "72"),
+					resource.TestCheckResourceAttr("auth0_tenant.my_tenant", "ephemeral_session_lifetime", "48"),
+					resource.TestCheckResourceAttr("auth0_tenant.my_tenant", "idle_ephemeral_session_lifetime", "36"),
 					resource.TestCheckResourceAttr("auth0_tenant.my_tenant", "enabled_locales.#", "3"),
 					resource.TestCheckResourceAttr("auth0_tenant.my_tenant", "enabled_locales.0", "en"),
 					resource.TestCheckResourceAttr("auth0_tenant.my_tenant", "enabled_locales.1", "de"),