To everyone who contributed to this thread, we thank you for your input and your advocacy for making Auth0 more developer-friendly and better accommodate CI/CD scenarios.
We are pleased to inform you that, as of today, wildcards may be used in subdomains in the Allowed Web Origins URL for applications. You can read more about the announcement in our Support Center notification (Auth0 Support Center). Allowable wildcard patterns are consistent with other Application URLs, as explained in our documentation (Subdomain URL Placeholders).
As many of you are already aware, the OAuth BCP guidance states that exact match URLs should be used to guard against attack vectors. For production applications, Auth0 still recommends that you follow these guidelines.
Thank you for your continued support!