Login Request URL callback with # instead of?


When trying to login / authenticate, we are receiving the access_token response on our callback page.

So far so good.
The problem is that the request auth0 is sending, have a # symbol instead the ?



Because of this URL format, the page input parameter ‘access_token’ allways shows empty.

Basically, our system is ignoring all caracteres next to the # char (included), because this is not the normal protocol (? char is expected instead of #)

Is this a bug?
Any way to solve this?
Missing some configuration?

We discovered this “# thing” using chrome inspect (network). Image in attach.


Anyone can help or give a hint on this?


:wave: @goncalo.barata I believe this is expected, are you using the implicit grant? Everything after the # is the hash fragment, I believe you’ll need to extract the token Implicit Flow with Form Post

The success response of the implicit grant by default contains the requested tokens as part of the URL fragment component (example: https://example.com/callback#id_token=wsx…) and is meant to be used by browser-based applications (SPA’s) that have their logic running on the client-side since it won’t be sent to the server that hosts your web page. Once you have the access token you can use it in in the Authorization header when you call the API endpoint.

Please let me know if this is your use case!

Hi Kim.

Thanks for your reply.

Our appplication is Client-Server type.

So after your response we uncheck the ‘implicid’ option and left only the ‘client_credentials’ and ‘refresh_token’ options.

But now we are getting a 403 error (image attached


Are we missing something?

NOTE: we are using as login page, a hosted page configured in dashboard.


:wave: I apologize for the delay reply, I must have missed your reply. is it a webapp that is making calls to an api on your server? Were you able to solve your issue?