Auth0 Home Blog Docs

Receiving error state does not match with lock 11




My team is attempting to migrate to Lock 11 from v9 and auth0-js 9 from v7. However, for email/password login we are receiving a error: “invalid_token”, errorDescription: "state does not match." as the error on ‘authenticated_error’. Before this we never saw this error (even on lock 10), I also do not retrieve any profile data (although the state/token are being set by auth0 in localStorage)

For further context, here is the authService file, modified for the migration:

indent preformatted text by 4 spaces

export default class AuthService {

constructor (clientId, domain) {
// Configure Auth0
this.lock = new Auth0Lock(clientId, domain, {
autoclose: true,
auth: {
params: {
scope : ‘openid’
sso: true,

this.lock.on('authenticated', function authenticateLock (authResult) {
this.lock.on('authorization_error', (error) => console.log('Authentication Error', error));
this.login = this.login.bind(this)

login (callback) {


the auth class is being instantiated per the example in

dependencies include:
“dependencies”: {
“auth0-js”: “^9.3.2”,
“auth0-lock”: “^11.3.1”,
“react”: “^15.6.2”,
“react-dom”: “15.6.2”,
“react-router”: “2.8.0”,



The Lock configuration you showed does not explicitly set a state ( so one should be generated automatically and then Lock when parsing/validating the response would use the one it generated.

Can you provide an HTTP trace associated with an authentication attempt that results in the issue in question? Ideally, use something other than Chrome to capture the trace as Chrome tends to not store response bodies to save space and that may impact the troubleshooting. Also be sure to redact any sensitive information like passwords or use throw away test users to perform the authentication.