Issue with Callback URL Mismatch

Hi Support Team,

I hope this message finds you well. I am currently facing an issue with Auth0 while using wildcards in the Callback URL configuration.

In the Auth0 dashboard, I have configured the Callback URL as http://*.localhost:3000/api/auth/callback. The login process works fine on the Auth0 login site when initiated from http://test.localhost:3000. However, after the login, the callback URL seems to be incorrect, resulting in the following error:

CallbackHandlerError: Callback handler failed. CAUSE: Missing state cookie from login request (check login URL, callback URL, and cookie config).

Upon further investigation, it appears that the login cookie is created under the domain http://test.localhost:3000, while the callback URL is set as http://localhost:3000/api/auth/callback?code=UupJEMc9

Can you guide me on how to solve this?

Thank you for your assistance.

Best regards,

Hey tehre @german1 ! Welcome to Auth0!

It looks like the way you use wildcard will not work.

Please take a look at this topic (wildcards with localhost:port) - Wildcards for subdomain callbacks not working

General guidance for wildcards - Subdomain URL Placeholders


I tested using another path in the url like and still happens.

We deployed the project in amplify and we keep getting the same error, it doesn’t only happen in local environment.

We deployed and configured under a url like this https://*
If we execute the login from the callback url is set as

Hey @german1 , thank you for following up.

I double checked locally by initializing auth0 client to callback to a single level subdomain callback URL like and allowing https://* on my Auth0 tenant and it works well.

However, unfortunately, it will not work with multilevel subdomains.

I tested with only one subdomain and the final callback url throw a page error.
Could you share with us the repo and the tenant config that you use?

Hi @german1 ,

I don’t think the issue is with the callback mismatch. A few members had a similar issue ad the reason were outdated packages. Here’s a topic for reference.

I am using the repo associated with this doc for a Single Page App.
For the URL you can use any specific single subdomain URL.

To test it, it’s enough to send an /authorize request (an example below) with a redirect_uri param set to any specific single subdomain url (in the request neither in your app code do not use any wildcard; wildcard only in Auth0 tenant’s settings for a specific app like https://* to initiate the login flow and once authenticated, to be redirected to your page.


Hope this helps!

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.