Authentication API random "invalid_state" on mobile

we have the unfortunate case of some customers being unable to login from mobile (iOS, swift Auth0 SDK). It seems to be limited to some users/iPhones/iOS version combinations, but we are still investigating.

We’ve traced the problem to receiving this answer:

    "statusCode": 403,
    "description": "Invalid state",
    "name": "AnomalyDetected",
    "code": "access_denied"

From this authentication API endpoint:

While this is reported from Anomaly Detection feature, it is not really a problem with blocked user or IP. In all “normal” anomaly detections cases, a specific error is reported and/or the user appears as blocked. This is not the case, also the user can login from Web.

We’ve not been able to receive any help from the SDK community on github and are investigating the possible cases for the server returning this unexpected error, in particular “Invalid state” description is not documented anywhere.

Is it somehow related to the “state” parameter in the REST request? If so, can you please detail the expected flow of this value in Auth0’s server? We know that it can be any random value on the client side and should be checked on the client at the end of the client flow part, but here is Auth0’s server returning an error, so it somehow makes some internal checks on the value and it fails. Any details on this could help us solve the problems.


Hey @bragma!

We’ve started digging into that as I’ve mentioned in the other post:

and will update you with more info as soon as we figure out this! Thanks for patience!

@konrad.sopala thanks for spending time on this and sorry for the cross posting. Things were not moving and I was trying to understand as much as possible on our part on the state parameter flow.

Sure no problem! We’re here for you! Thanks for providing such wide clarification context. In the meantime so as not to multiply topics in the community please go to this one: