CORS error when authenticating a webtask

I’m sure I’m missing something simple here, but when I try to authenticate a webtask, and the webtask tries to authorize the user, Auth0 throws a CORS error.

I’m using Lock v11 (embedded login) in a web app (SPA). The user authenticates fine. I access an unauthenticated webtask. I’m able to access the webtask successfully from the app (via fetch). All is good.

I want to authenticate my webtask. I follow the instructions here: In the webtask, I change Webtask.fromExpress(server) to Webtask.fromExpress(server).auth0(), and recreate the webtask passing the necessary AUTH0_CLIENT_ID, AUTH0_CLIENT_SECRET, AUTH0_DOMAIN, and AUTH0_SECRET_ENCODING. Now I get a CORS error in the fetch call to the webtask (line breaks added for clarity):

Failed to load https://[TENANT][CLIENT_ID]&

Redirect from ‘https://[TENANT][CLIENT_ID]&’

to ‘https://[TENANT][CLIENT_ID]&protocol=oauth2&response_type=code&scope=openid%20name%20email%20email_verified%20&’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘null’ is therefore not allowed access. If an opaque response serves your needs, set the request’s mode to ‘no-cors’ to fetch the resource with CORS disabled.

My localhost is correctly set in Allowed Web Origins (otherwise, login wouldn’t work correctly).

What am I missing?

Why would it even be forwarding the webtask API call to the Auth0 login URL? Seems odd.

I forgot to pass the token in the Authorization header on the AJAX request to the webtask. Duh. Still, forwarding the API call to a login URL seems less than ideal.
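The fix described above, as an added example that is not part of the original post: a fetch wrapper that refuses to call the webtask without a token and reports a login redirect as its own failure instead of letting the browser follow it into a CORS error. The `Bearer` scheme, the `WEBTASK_URL` placeholder and all function names are assumptions.

```javascript
// Added example, not code from the original post.
// Assumptions: the token is sent with the Bearer scheme; WEBTASK_URL is a placeholder.
const WEBTASK_URL = 'https://WEBTASK_HOST.example/my-task';

// Build the fetch() arguments. A request with no token is the one that
// gets redirected to the login URL, so refuse to build it at all.
function buildWebtaskRequest(url, token) {
  if (typeof token !== 'string' || token.trim() === '') {
    throw new Error('No token available: authenticate before calling the webtask');
  }
  return {
    url,
    init: {
      method: 'GET',
      headers: { Authorization: `Bearer ${token}` },
      // Do not follow a redirect to the login page; surface it instead of
      // letting it end as an opaque "blocked by CORS policy" failure.
      redirect: 'manual',
    },
  };
}

// Map a response (or response-like object) to a diagnosis.
// Browsers report an unfollowed redirect as type 'opaqueredirect' with status 0;
// other runtimes may expose the 3xx status directly.
function classifyWebtaskResponse(res) {
  const isRedirect =
    res.type === 'opaqueredirect' || (res.status >= 300 && res.status < 400);
  if (isRedirect) return 'login-redirect';
  if (res.status === 401 || res.status === 403) return 'rejected';
  if (res.status >= 200 && res.status < 300) return 'ok';
  return 'error';
}

// fetchImpl is injectable so the wrapper can be exercised without a network.
async function callWebtask(token, fetchImpl = fetch) {
  const { url, init } = buildWebtaskRequest(WEBTASK_URL, token);
  const res = await fetchImpl(url, init);
  const outcome = classifyWebtaskResponse(res);
  if (outcome !== 'ok') {
    throw new Error(`Webtask call failed (${outcome}, status ${res.status})`);
  }
  return res.json();
}
```

A `login-redirect` outcome means the webtask did not see usable credentials on the request, which is the situation in the question.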