How come "Allowed Web Origins" does not allow wildcards?

This thread is a major let down. I’m very wary of using auth0 in a multi-tenant application at this point. In fact, I’m not sure my use-case is even possible.

We plan on having different projects hosted on our service, each with a vanity subdomain.,, etc. End-users may visit multiple projects so I’d like to not have to require sign in multiple times. The number of projects probably won’t be too many, but could definitely approach mid 4-digits.

Option 1 would be to use the management API to add callback urls to my Application for each project. That’s a hassle compared to the desired wildcard urls… but not terrible either. That’s way over this 100 url “soft limit” though. It would help to have some clarity on what the hard limit is, if any. This obviously isn’t something I can just hope isn’t a problem later on.

Option 2 would be to create multiple Applications to represent each project. Here I also worry about running into unpublished limits since I’d be creating potentially thousands of these. Even more problematic, if users browse from foo → bar they will be requesting credentials using a different client id and (presumably?) have to sign in again.