CORS Errors while Redirecting with Actions

Problem statement

While creating an Action that redirects users to an external web page, after the redirection, there is a need to send some data back to the Action on the front channel.

To avoid replay attacks, the token should be sent back to Auth0 by making a POST request to the /continue endpoint. The tokenParameterName option in the code allows you to specify the name of the field that contains your token.

There is a Cross Origin error when sending data back to actions.


CORS errors appear in the DevTools Network Logs when hitting the /continue endpoint.


Making a POST request with AJAX, will cause a CORS error. This is the unsupported use case.


Making a redirect or page transaction happen is necessary, letting the value in the URL bar change.

  • Make a GET request (not an AJAX but window.location = """ or <a href="">;)
    • Don’t expose your signing secret to the front-end codes. Sign the JWT token on the backend.
  • Or use Form POST