Auth0 Home Blog Docs

Auth0 adding personally identifiable information to redirect URL



We are using the Auth0 hosted password reset page and after a successfult password reset the user is being redirected back to our sign-in page:

See: Dashboard -> Emails -> Templates -> Redirect To

The redirect url generated by Auth0 included PII (personally identifiable information) in the form of the users email:

This information ends up in Google Analytics and is a violation of the TOS:

It also just a bad idea to include a user’s email in a plain URL.

How can we prevent the redirect URL from containing the user’s email?


Hello Justin,

Are you using the change password widget? I assume so, as this is the default option for the hosted change password page. I have confirmed this behavior and I agree this is not ideal.

I went ahead and captured an enhancement request to allow you to remove this PII from the Redirect To url. I will add this to the product backlog and plan to address this in the future, but I cannot say exactly when.

For now, the workaround would be to remove the Redirect To value so that the user stays on the page after the password change operation.




Thanks Justin. Looking forward to when this lands in the product. I assume the other option would be to use the API to implement the reset functionality?