How to read auth0 state parameter


I am looking for a way to read state parameter value on auth0 login page.

I am interested in state value that my app has passed while redirecting to /authorize?client_id=<client id>&state=<custom value>.

The state value we see on /login page is encoded. Is there a way to see whats inside that?

Thanks in advance.

Hi @shubham.goyal,

The state parameter is a unique, unguessable string string that is base64 encoded. The state is used to prevent CSRF attacks. You can read more about state here: Prevent Attacks and Redirect Users with OAuth 2.0 State Parameters

This topic walks through how the state is used in auth0-spa-js package: Redirecting Users with State Parameters

Thanks for replying… I understand the state concept and I have no issue with implementing it.

I am implementing a flow where I need to know user’s last location from where app initiated the login. this last location is passed by apps in state parameter while redicrecting to /authorize endpoint. this state values gets encoded and sent with /login endpoint. Now on this login page I need to know what was the original state value that app sent while redirecting to /authorize endpoint.

The purpose of this to achieve deep linking in registration flow. I want to retain the state so that I can redirect my user back to the page after email verification from where they started.

I asked another question with more detailed flow I am trying to acheive here but unfortunatly got no suggestion so far. How to read state that application sent to /authorize endpoint

I will really appritiate if you can show me some direction.


Ah okay! Are you following the flow described here?: Redirect Users From Within Rules

I know about this as well… I think I have read almost every page of your documentation site :slight_smile:

My problem is I need to retain the state for signup not login. signup involve verification hence we loose the original state. I need to retain that state with my verificaiton link so I can redirect my user properly…

think it like → I have to intitiate the same /authorize URL that user did intially but this time after verification.