CORS error when authenticating a webtask

I’m sure I’m missing something simple here, but when I try to authenticate a webtask, and the webtask tries to authorize the user, Auth0 throws a CORS error.

Background
I’m using Lock v11 (embedded login) in a web app (SPA). The user authenticates fine. I access an unauthenticated webtask. I’m able to access the webtask successfully from the app (via fetch). All is good.

Problem:
I want to authenticate my webtask. I follow the instructions here: https://webtask.io/docs/auth. In the webtask, I change Webtask.fromExpress(server) to Webtask.fromExpress(server).auth0(), and recreate the webtask passing the necessary AUTH0_CLIENT_ID, AUTH0_CLIENT_SECRET, AUTH0_DOMAIN, and AUTH0_SECRET_ENCODING. Now I get a CORS error in the fetch call to the webtask (line breaks added for clarity):

Failed to load https://[TENANT].auth0.com/authorize?response_type=code&scope=openid%20name%20email%20email_verified%20&client_id=[CLIENT_ID]&redirect_uri=https%3A%2F%2Fwt-a581b3b0222519b18bd9e0247c343ec9-0.sandbox.auth0-extend.com%2Fmy-service%2Fcallback:

Redirect from ‘https://[TENANT].auth0.com/authorize?response_type=code&scope=openid%20name%20email%20email_verified%20&client_id=[CLIENT_ID]&redirect_uri=https%3A%2F%2Fwt-a581b3b0222519b18bd9e0247c343ec9-0.sandbox.auth0-extend.com%2Fmy-service%2Fcallback’

to ‘https://[TENANT].auth0.com/login?state=kpviH1PxEgsehREqWAkhYAzQOD8gb775&client=[CLIENT_ID]&protocol=oauth2&response_type=code&scope=openid%20name%20email%20email_verified%20&redirect_uri=https%3A%2F%2Fwt-a581b3b0222519b18bd9e0247c343ec9-0.sandbox.auth0-extend.com%2Fmy-service%2Fcallback’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘null’ is therefore not allowed access. If an opaque response serves your needs, set the request’s mode to ‘no-cors’ to fetch the resource with CORS disabled.

My localhost is correctly set in Allowed Web Origins (otherwise, login wouldn’t work correctly).

What am I missing?

Why would it even be forwarding the webtask api call to the auth0 login URL? Seems odd.

I forgot to pass the token in the Authorization header on the ajax request to the webtask. Duh. Still, forwarding the API call to a login URL seems less than ideal.