Code Exchange removes query parameters from redirect URL

Authentication works fine, but it seems that the query parameters are removed from the redirect URL during login. Once logged in we can deep-link without issue.

For example:

  1. When unauthenticated, a user navigates to
  2. The site recognizes that the user is unauthenticated and redirects to Auth0.
  3. User signs in.
  4. Auth0 redirects to site with code parameter. Along with this request, Auth0 sets a cookie a0.spajs.txs.[base64 text] that contains a JSON blob with two key pieces of information:
    • redirect_uri which is just the scheme (https) and host (
    • targetUrl which is the path without any query parameters.
  5. The site exchanges the code for a JWT.
  6. (I’m guessing) The Auth0 package assembles the redirect_uri and targetUrl from the cookie and redirects the user there, thereby removing the query parameters from the original request.

For further deep-link requests, the site doesn’t have to perform the code exchange anymore, so the navigation works fine.


You are correct that Auth0 will not pass back parameters to the /callback of your application during a code exchange.

Have you considered handling the deep linking with the state parameter?

When you send a state to the /authorize endpoint, you’ll get that state back when auth0 redirects to your /callback endpoint.



We are using the state, but we didn’t consider that query params would be removed.

1 Like

Let us know if that approach works for you!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.