Auth0 Home Blog Docs

Password reset and then login sends invalid callback url



We just went live with a new tenant and we are seeing behavior where the password reset form sends the wrong callback url.

Steps to reproduce

  1. Press reset password link, auth0 lock pops up in reset mode
  2. Enter address, press send email, banner turns green and waits for login
  3. in another browser complete the process.
  4. Come back to original window and type in your new password, press login
  5. Invalid callback url. Our callback url is but its always sending and users get the invalid callback screen.

As a temporary workaround we have added the base path to our callback urls. At least then users are not getting an error screen ,just some frustration when they have to click login again.

Are we configuring this wrong?


Hey there @johnarmstrong

Could you go through the flow again and DM me with the HAR file + your tentant name so I can investigate it further?

Here’s some documentation when troubleshooting with a HAR file:

Thanks a lot!


Hi Konrad, Tenant name is production-higg. Links to files:

Demo video:



Hey @johnarmstrong sorry for my delay in response. Totally understand what you mean with the video however the HAR file doesn’t provide us with much info. Have you performed all the actions presented in the video before pulling out the HAR file?

I’ll try to reproduce the issue and get back to you with information!


However that’s probably what you were looking for @johnarmstrong:

The field name is Redirect To

Let me know if that helps!


You can redirect users to a specific page on the Allowed Callback URL using the following:


If your application has multiple Allowed Callback URLs configured, Auth0 will use the first URL listed.


Yup, that fixed it. So in this case ‘reset password’ uses ‘email redirectTo’ parameter when logging in after requesting a reset. This was confusing for me since its clear the the parameters in the email screen refer to the email and not a web-based flow. But since all password resets are email based I get how they are related now.

Fixed and great, thank you Konrad for chasing this one down for me!


Glad we made it work!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.