Are callback URLs used only AFTER the user authenticates?

I’ve been reading about callback URLs, and am wondering when and how exactly they’re used. I’ve read that a callback URL is used to redirect a user back to their app, with authorization credentials included in that URL. What I want to know is:

  1. In the case of Universal Login, is it the case that a callback URL is never used until after the user enters their credentials and clicks ‘sign in’, at which point the Auth0 authorization server takes the callback URL (which corresponds to the app itself), adds the access token (or whatever) to the URL, and then redirects the app back to that URL?

  2. If (1) is true, then I’m confused about the errors I’m getting. When I call the auth0.webAuth.authorize() method, it gives me a “Callback URL mismatch” error before even loading the Universal Login screen where the user would enter their credentials.

Can anyone offer some insight on any of this?

Take a look at the docs for the underlying /authorize call:

You will see that the callback URL is a parameter to this call (it is called redirect URI).
The authorize call verifies this URL before doing anything - there is no reason to go further if the callback URL is invalid.


Hi John, thanks for your reply. The reason I didn’t add redirect_uri to my function call is that in this Quickstart:
it doesn’t include it. When I do add the same callback URL as the value for redirect_uri, when I call authorize() in my app, an iOS popup appears saying "open this page in ". When I click “Open” on this popup, it appears to open another instance of my app, which hangs on the splash screen. Is redirect_uri the URI that my app redirects to in order to authorize the user? If so, should it be something like ‘’?

…Also, I see from the documentation you linked that redirect_uri is ‘required’. Is the quickstart I was following out of date? If you could give me some guidance on what the difference is between the documentation you linked and the Quickstart, I’d appreciate it.