Help with Action Redirects

tl;dr; A 400 is returned when posting a body containing the state param back to the /continue endpoint on the auth0 tenant.

Hi, looking for some guidance on completing a redirect to the /continue endpoint after a hop to an external domain for a content consent check (UI).

We’re migrating some of this functionality from rules to actions, and have a similar flow working as a rule, but are stuck on getting this to work with the action API. Essentially, the flow is as follows:

User requests UI site
Using an action, on the post-login trigger, user is redirected (based on client) to external sub-domain and asked to consent to… whatever.
User consents, form containing state (and other stuff) as inputs is posted back to {tenant_domain}/continue but the response returned is a 400, with a pretty clear error indicating state wasn’t specified.

Action code

// encode token
const buildSessionToken = (user, domain, redirectSecret, api) => {

    const token = api.redirect.encodeToken({
        secret: redirectSecret,
        expiresInSeconds: 3600,
        payload: {
            state: 'some_state',
    return token;

// redirect user
    const tenantDomain = exports.TENANT_DOMAINS[];
    const redirectSecret = event.secrets['redirectSecret'];
    const token = buildSessionToken(event.user, tenantDomain, redirectSecret, api);
    api.redirect.sendUserTo(redirectToURL, {
        query: {
            session_token: token

// response
status 400
error: Unable to process redirect callback. This is often caused by calling the /continue endpoint without specifying the state parameter.

At this point, the onContinuePostLogin callback has absolutely nothing in it, and is never reached, i.e. not even validating the token that’s sent back. I’ve been following this guide Redirect with Actions (thank you for that), and still not having any luck. Perhaps there’s some peripheral issue I’m not seeing?

Some questions:

  1. Should the “redirect” back to /continue be a POST, as the guide above instructs?
  2. The domain I’m posting back to is the tenant being authenticated against, right?
  3. Is the API expecting the state that I’ve encoded in the JWT to be sent back, or literally the state that’s been appended to the initial redirect, and just sent back to /continue?