Password reset switches application context on shared tenant with custom domain

robert.gerace · January 26, 2026, 12:13pm

I have a single Auth0 tenant with two separate applications:

App A (UAT) - for our staging environment at uat.example.com
App B (Production) - for our production environment at app.example.com

Both applications use the same custom domain (e.g., auth.example.com).

The Problem:

When a user initiates a password reset from the production application:

They start at app.example.com → redirected to auth.example.com/authorize?client_id=[prod-client-id]…
On the Universal Login page, the footer correctly shows “Back to App B” (production)
User clicks “Forgot Password” and receives the reset email
User clicks the reset link, changes their password successfully
After the password change, the page footer now shows “App A” (UAT)
User is redirected to uat.example.com instead of app.example.com

The application context is switching from production to UAT somewhere during the password reset flow, even though the initial request clearly used the production client_id.

What I’ve Verified:

Production app’s Allowed Callback URLs, Logout URLs, and Web Origins only reference app.example.com
UAT app’s URLs only reference uat.example.com
Application Login URI on production is correctly set
Email templates are configured for production
Tried passing client_id explicitly when creating password change tickets via Management API - same result
All environment variables in production servers are correct

Question:

Has anyone experienced this issue where the password reset flow switches application context on a shared tenant? Is there something in how Auth0 handles password reset that defaults to the first application or ignores the originating client_id?

Any insight would be appreciated. I’ve also opened a support ticket but wanted to check if others have encountered this.

vlad.murarasu · January 26, 2026, 3:21pm

Hi @robert.gerace,

Welcome to the Auth0 Community!

The issue typically occurs because the password reset ticket loses its association with the original client_id during the transition between the login page and the reset email. Even if the initial /authorize request has the correct client_id, the Change Password email template must be explicitly configured to forward that context back to the reset success page.

The most likely culprit in your case is that the Redirect To field in your Change Password email template is either blank or pointing to a static URL. If it’s blank, Auth0 sometimes falls back to the “first” application it finds or the Tenant-level default, which explains why your users are landing on the UAT app footer.

Typically, environments should be created in separate tenants rather than in separate apps within the same tenant, since all apps in a tenant share the same connections and user pools. This will completely solve the problem much more easily and is the official way to set up multiple environments. You can check our official docs for more details on how to set them up:

Although it is recommended that you set up multiple tenants, if you don’t want to, if you want to keep using the same tenant, you can ensure the client_id is dynamically handled in your email template and that each application knows where to “return” to.

1. Set the Application Login URI

Ensure both applications have the Application Login URI field populated (not just the Callback URLs).

Go to Applications > Applications > [Your App] > Settings.
Locate Application Login URI.
For App B (Prod), set it to: https://app.example.com/login (or your specific login route).
For App A (UAT), set it to: https://uat.example.com/login.

2. Update the Change Password Email Template

You must ensure the email link includes the client_id from the originating request.

Navigate to Branding > Email Templates and select Change Password.
In the Redirect To field, use the following Liquid syntax: {{ application.callback_domain }} or specifically handle the client:

{% if client_id == 'PROD_CLIENT_ID' %}
  https://app.example.com/login
{% else %}
  https://uat.example.com/login
{% endif %}

Crucial Step: Ensure the URL Lifetime is sufficient and the Redirect To field is actually used. If you are using the Management API to create tickets, ensure you explicitly pass the result_url parameter.

3. Verification of the Link

Check the link inside the actual email received by the user. It should look something like: https://auth.example.com/lo/reset?ticket=...# If you append &client_id=[PROD_ID] to your Management API ticket generation call, Auth0 uses that client_id to look up the correct branding and “Back to” link for the success page.

We still, however, encourage you to set up multiple tenants.

If you have any further questions, please don’t hesitate to reach out.

Have a good one,
Vlad

Topic		Replies	Views
Unable to use my application for redirect url text Get Help password-reset , redirecturi	4	3735	October 23, 2019
Redirect back URL after reseting password Get Help login-experience , reset-password-prompt-new-experience	8	5728	March 2, 2023
Bug in reset password flow Product Feedback	0	91	November 20, 2024
How to enable the 'Back To app' button on the Password Reset Success screen Get Help auth0 , password-reset , reset-password	2	5596	March 18, 2022
Change Password Ticket for Universal Login - Redirect URI at the Application Level Get Help	4	1813	July 19, 2022

Password reset switches application context on shared tenant with custom domain

1. Set the Application Login URI

2. Update the Change Password Email Template

3. Verification of the Link

Related topics