auth0
diff --git a/‎.github/actions/rl-scanner/action.yml‎
Lines changed: 0 additions & 72 deletions b/‎.github/actions/rl-scanner/action.yml‎
Lines changed: 0 additions & 72 deletions
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 37 additions & 11 deletions b/‎.github/workflows/release.yml‎
Lines changed: 37 additions & 11 deletions
diff --git a/‎.github/workflows/rl-secure.yml‎
Lines changed: 0 additions & 71 deletions b/‎.github/workflows/rl-secure.yml‎
Lines changed: 0 additions & 71 deletions
diff --git a/‎.version‎
Lines changed: 1 addition & 1 deletion b/‎.version‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎A0Auth0.podspec‎
Lines changed: 1 addition & 1 deletion b/‎A0Auth0.podspec‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎CHANGELOG.md‎
Lines changed: 14 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎EXAMPLES.md‎
Lines changed: 62 additions & 0 deletions b/‎EXAMPLES.md‎
Lines changed: 62 additions & 0 deletions
@@ -17,17 +17,43 @@ permissions:
 
 jobs:
   rl-scanner:
-    uses: ./.github/workflows/rl-secure.yml
-    with:
-      node-version: '22'
-      artifact-name: 'react-native-auth0.tgz'
-    secrets:
-      RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
-      RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
-      SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
-      PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
-      PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
-      PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
+    if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Setup
+        uses: ./.github/actions/setup
+
+      - name: Build package
+        run: yarn build
+
+      - name: Create tgz build artifact
+        run: |
+          tar -czvf react-native-auth0.tgz *
+
+      - name: Get version
+        id: get_version
+        run: |
+          version=$(head -1 .version)
+          echo "version=$version" >> $GITHUB_OUTPUT
+
+      - name: Run RL Scanner
+        uses: auth0/devsecops-tooling/.github/actions/rl-scan@main
+        with:
+          artifact-name: 'react-native-auth0'
+          artifact-path: '${{ github.workspace }}/react-native-auth0.tgz'
+          version: ${{ steps.get_version.outputs.version }}
+          RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
+          RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
+          SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
+          SIGNAL_HANDLER_DOMAIN: ${{ secrets.SIGNAL_HANDLER_DOMAIN }}
+          PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
+          PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
+          PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
+          PRODSEC_PYTHON_TOOLS_REPO: ${{ secrets.PRODSEC_PYTHON_TOOLS_REPO }}
 
   release:
     uses: ./.github/workflows/npm-release.yml
 
@@ -1 +1 @@
-v5.5.1
+v5.6.0
@@ -16,7 +16,7 @@ Pod::Spec.new do |s|
   s.source_files = 'ios/**/*.{h,m,mm,swift}'
   s.requires_arc = true
 
-  s.dependency 'Auth0', '2.18.0'
+  s.dependency 'Auth0', '2.19.0'
 
   install_modules_dependencies(s)
 end
@@ -1,5 +1,19 @@
 # Change Log
 
+## [5.6.0](https://github.com/auth0/react-native-auth0/tree/v5.6.0) (2026-05-14)
+
+[Full Changelog](https://github.com/auth0/react-native-auth0/compare/v5.5.1...v5.6.0)
+
+**Added**
+
+- feat: surface DPoP credential state errors from native SDKs [\#1529](https://github.com/auth0/react-native-auth0/pull/1529) ([@subhankarmaiti](https://github.com/subhankarmaiti))
+- feat(android): expose allowedBrowserPackages option for web authentication [\#1513](https://github.com/auth0/react-native-auth0/pull/1513) ([@mrbrentkelly](https://github.com/mrbrentkelly))
+
+**Fixed**
+
+- fix: apply deepCamelCase to MFA challenge response [\#1510](https://github.com/auth0/react-native-auth0/pull/1510) ([@AkhtarZaman7](https://github.com/AkhtarZaman7))
+- docs: add Expo callback URL format to README [\#1522](https://github.com/auth0/react-native-auth0/pull/1522) ([@subhankarmaiti](https://github.com/subhankarmaiti))
+
 ## [v5.5.1](https://github.com/auth0/react-native-auth0/tree/v5.5.1) (2026-04-23)
 
 [Full Changelog](https://github.com/auth0/react-native-auth0/compare/v5.5.0...v5.5.1)
 
@@ -67,6 +67,7 @@
     - [Android](#android)
     - [iOS](#ios)
     - [Expo](#expo)
+- [Allowed Browsers (Android)](#allowed-browsers-android)
 
 ## Authentication API
 
@@ -1660,6 +1661,67 @@ If you want to support multiple domains, you would have to pass an array of obje
 
 You can skip sending the `customScheme` property if you do not want to customize it.
 
+## Allowed Browsers (Android)
+
+On Android, some browsers do not correctly handle App Link redirects. For example, Firefox renders the callback URL as a web page instead of handing the redirect back to your app, causing the authentication flow to fail silently.
+
+You can restrict which browsers are allowed to handle the web authentication flow by passing `allowedBrowserPackages` in the options object. When set, only browsers whose package names appear in the list will be used.
+
+**Behaviour:**
+
+- If the user's default browser is in the list, it is used.
+- If the user's default browser is not in the list but another allowed browser is installed, that browser is used instead.
+- If no allowed browser is installed, an `a0.browser_not_available` error is returned.
+
+> **Platform Support:** Android only. This option is ignored on iOS.
+
+### Using with Hooks
+
+```typescript
+import { useAuth0 } from 'react-native-auth0';
+
+const { authorize } = useAuth0();
+
+await authorize(
+  { scope: 'openid profile email' },
+  {
+    allowedBrowserPackages: [
+      'com.android.chrome',
+      'com.chrome.beta',
+      'com.microsoft.emmx', // Edge
+      'com.brave.browser',
+      'com.sec.android.app.sbrowser', // Samsung Internet
+    ],
+  }
+);
+```
+
+### Using with Auth0 Class
+
+```typescript
+import Auth0 from 'react-native-auth0';
+
+const auth0 = new Auth0({
+  domain: 'YOUR_AUTH0_DOMAIN',
+  clientId: 'YOUR_AUTH0_CLIENT_ID',
+});
+
+await auth0.webAuth.authorize(
+  { scope: 'openid profile email' },
+  {
+    allowedBrowserPackages: [
+      'com.android.chrome',
+      'com.chrome.beta',
+      'com.microsoft.emmx', // Edge
+      'com.brave.browser',
+      'com.sec.android.app.sbrowser', // Samsung Internet
+    ],
+  }
+);
+```
+
+The same `allowedBrowserPackages` option is also accepted by `clearSession` to restrict which browser handles the logout flow.
+
 ## DPoP (Demonstrating Proof-of-Possession)
 
 [DPoP](https://datatracker.ietf.org/doc/html/rfc9449) (Demonstrating Proof-of-Possession) is an OAuth 2.0 extension that cryptographically binds access and refresh tokens to a client-specific key pair. This prevents token theft and replay attacks by ensuring that even if a token is intercepted, it cannot be used from a different device.