CORS error with Organization subdomain placeholders

Problem statement

We received the below error when calling the /oauth/token endpoint.

Auth0 is not setting the Access-Control-Allow-Origin header on the response

Steps to replicate

  • Create an Organization.
  • Set allowed callback of an Application that is enabled for that Organization to include a placeholder (e.g. http://{organization_name}.localhost:3000) or wildcard (e.g. http://*.com:3000) on a subdomain.
  • Log in through a flow such as Auth Code + PKCE (SPA) and notice a CORS error upon calling the /oauth/token.


The hostname requires 3 “labels”, so please use http://{organization_name}.localhost.localdomain:3000 instead.