We too are a multi-tenancy app with a subdomain per tenant. The list of Allowed Callbacks, Allowed Web Origins and Allowed Logout Urls is getting REEEEeeeeaalll Long. I’m expecting to hit a limit of some kind any day now. We either need to look at programatically creating an app client per domain or migrate away from Auth0. Wildcards for all of these would solve everything.