Checklist

• I have looked into the README and have not found a suitable solution or answer.
• I have looked into the documentation and have not found a suitable solution or answer.
• I have searched the issues and have not found a suitable solution or answer.
• I have upgraded to the latest version of this tool and the issue still persists.
• I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• I agree to the terms within the Auth0 Code of Conduct.

Description

Description

We are seeing reproducible order-sensitive behaviour when importing clientGrants with Auth0 Deploy CLI.

Import only succeeds when the consolidated YAML list is in the exact same order as the response from GET /api/v2/client-grants.

If the grant entries are semantically identical (same client_id, audience, subject_type, scope) but listed in a different order, import fails or behaves inconsistently.

Actual behaviour

• Import succeeds when clientGrants YAML order matches GET /api/v2/client-grants order.
• Import fails/inconsistent when the same entries are reordered.
• Additional evidence: using the order from exported tenant configuration also fails.

This indicates import success appears tied to live API response ordering, not semantic equivalence of grants.

Impact

• Breaks deterministic IaC workflows for Auth0 tenant management.
• Causes fragile deployments across environments.
• Creates hard-to-diagnose failures, since order dependency is non-obvious and undocumented.
• Requires manual ordering workarounds tied to live API output.

Workaround

Maintain clientGrants in the exact order returned by GET /api/v2/client-grants before importing.

Checklist verification

• README reviewed: no suitable answer found.
• Documentation reviewed: no documented requirement for order-sensitive clientGrants import.
• Existing GitHub issues searched: related clientGrants issues exist, but no clear match for this exact behaviour.
• Latest version verified: issue persists on latest available version (8.29.2).
• Auth0 Community searched: no suitable answer found for this exact ordering requirement.

Environment details (sanitised)

Environment 1: Local (macOS)

• Host OS: darwin 25.3.0 (macOS)
• Shell: zsh
• Node.js: v20.20.1
• npm: 10.8.2
• Auth0 Deploy CLI: 8.29.2
• Auth0 tenant under test: [REDACTED_TENANT_DOMAIN]

Environment 2: GitHub Actions (Hosted Runner)

• Workflow job: Export [REDACTED_ENVIRONMENT]
• Repository: [REDACTED_REPOSITORY]
• Branch: [REDACTED_BRANCH]
• Runner version: 2.332.0
• Runner image: ubuntu-24.04
• Image version: 20260309.50.1
• OS: Ubuntu 24.04.3 LTS
• Region: westus3
• Git: 2.53.0
• Node.js: v20.20.1
• npm: 10.8.2
• yarn: 1.22.22
• Actions used:
  • actions/checkout@v5
  • actions/setup-node@v5

Sanitisation notes

• Customer-specific config paths/names and tenant-identifying details were redacted.

Expectation

Expected behaviour

clientGrants import should be order-independent. If grant objects are identical, import results should be identical regardless of YAML list order.

Reproduction

Reproduction steps

1. Fetch grants from tenant using GET /api/v2/client-grants.
2. Build a consolidated YAML containing all grants (client_id, audience, subject_type, scope).
3. Import via Deploy CLI.
4. Reorder YAML entries (no data changes) and re-import.
5. Observe failure/inconsistent behaviour.
6. Reorder the same entries to exactly match GET /api/v2/client-grants order and re-import.
7. Observe success.
8. Use the order from exported tenant configuration and import again.
9. Observe failure/inconsistent behaviour.

Deploy CLI version

8.29.2

Node version

v20.20.1