Help with Action Redirects

tl;dr; A 400 is returned when posting a body containing the state param back to the /continue endpoint on the auth0 tenant.

Hi, looking for some guidance on completing a redirect to the /continue endpoint after a hop to an external domain for a content consent check (UI).

We’re migrating some of this functionality from rules to actions, and have a similar flow working as a rule, but are stuck on getting this to work with the action API. Essentially, the flow is as follows:

User requests UI site
Using an action, on the post-login trigger, user is redirected (based on client) to external sub-domain and asked to consent to… whatever.
User consents, form containing state (and other stuff) as inputs is posted back to {tenant_domain}/continue but the response returned is a 400, with a pretty clear error indicating state wasn’t specified.

Action code

// encode token
const buildSessionToken = (user, domain, redirectSecret, api) => {

    const token = api.redirect.encodeToken({
        secret: redirectSecret,
        expiresInSeconds: 3600,
        payload: {
            state: 'some_state',
    return token;

// redirect user
    const tenantDomain = exports.TENANT_DOMAINS[];
    const redirectSecret = event.secrets['redirectSecret'];
    const token = buildSessionToken(event.user, tenantDomain, redirectSecret, api);
    api.redirect.sendUserTo(redirectToURL, {
        query: {
            session_token: token

// response
status 400
error: Unable to process redirect callback. This is often caused by calling the /continue endpoint without specifying the state parameter.

At this point, the onContinuePostLogin callback has absolutely nothing in it, and is never reached, i.e. not even validating the token that’s sent back. I’ve been following this guide Redirect with Actions (thank you for that), and still not having any luck. Perhaps there’s some peripheral issue I’m not seeing?

Some questions:

  1. Should the “redirect” back to /continue be a POST, as the guide above instructs?
  2. The domain I’m posting back to is the tenant being authenticated against, right?
  3. Is the API expecting the state that I’ve encoded in the JWT to be sent back, or literally the state that’s been appended to the initial redirect, and just sent back to /continue?

hey im also facing the same issue because I have paywall that I implement in my actions and I tried to redirect back to the /continue endpoint with the state in the URL parameters, but I still get redirected to an error page point to localhost:3000/continue, and it says the page isn’t available

my guess is that it expects you to send an encoded JWT token but I’m not sure how to do that and I don’t know if it even works even after I sent the token back

Hey there!

As this topic is related to Actions and Rules & Hooks are being deprecated soon in favor of Actions, I’m excited to let you know about our next Ask me Anything session in the Forum on Thursday, January 18 with the Rules, Hooks and Actions team on Rules & Hooks and why Actions matter! Submit your questions in the thread above and our esteemed product experts will provide written answers on January 18. Find out more about Rules & Hooks and why Actions matter! Can’t wait to see you there!

Learn more here!