Route provided to redirectUri holding onto hash value after redirect

When providing a redirectUri to auth0 js, after successful login, let's say the route provided to redirectUri is localhost:8080/, after login, the URL shows as localhost:8080/#access_token=xxxxxx. Is there any way to just hard redirect to that route without including the access token? Is this intended behavior?


Hey there @scott.stern06! This was covered best in the past by one of our senior engineers as mentioned below:

Based on the response you’re getting, your application performed a request that used response_type=token+id_token and a response_mode=fragment (or did not specify a response mode, as fragment is the default for this response type).

In order to not have tokens in the URL, you need to use a different response type or different response mode. For example, either just response_type=code or response_type=token+id_token&response_mode=form_post would technically remove tokens from being present in a URL; however, your application would now need to support handling responses in accordance with those parameters.

We also have a doc on this subject when it comes to redirecting users after login. Please let me know if this helps you in your quest! Thanks!
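
An added example, not part of the original thread and not Auth0's code: it works out where the authorization response lands for each combination of response_type and response_mode mentioned in the reply, and reads a callback URL accordingly. The tenant domain and client ID are constructed placeholders, and the helper function names are hypothetical.

```javascript
// Added example: constructed values, hypothetical helper names.
const splitTypes = (rt) => rt.split(/[\s+]+/).filter(Boolean);

// Defaults from "OAuth 2.0 Multiple Response Type Encoding Practices":
// any response_type that returns token/id_token defaults to fragment,
// otherwise (e.g. code) the default is query.
function effectiveResponseMode({ response_type, response_mode }) {
  if (response_mode) return response_mode;
  const returnsTokens = splitTypes(response_type)
    .some((t) => t === 'token' || t === 'id_token');
  return returnsTokens ? 'fragment' : 'query';
}

// True when the redirect back to redirect_uri carries tokens in the URL itself.
function tokensInUrl(params) {
  const returnsTokens = splitTypes(params.response_type)
    .some((t) => t === 'token' || t === 'id_token');
  return returnsTokens && effectiveResponseMode(params) !== 'form_post';
}

// Build the /authorize request; a space in response_type serializes as "+".
function buildAuthorizeUrl(domain, params) {
  const url = new URL(`https://${domain}/authorize`);
  for (const [k, v] of Object.entries(params)) url.searchParams.set(k, v);
  return url.toString();
}

// Read the response from wherever the response mode put it.
// (form_post responses arrive in a POST body and never reach this function.)
function parseCallback(callbackUrl) {
  const url = new URL(callbackUrl);
  const inFragment = url.hash.length > 1;
  const source = inFragment
    ? new URLSearchParams(url.hash.slice(1))
    : url.searchParams;
  return { mode: inFragment ? 'fragment' : 'query', params: Object.fromEntries(source) };
}

// Constructed sample requests for the three cases in the reply.
const base = { client_id: 'EXAMPLE_CLIENT_ID', redirect_uri: 'http://localhost:8080/' };
const implicit = { ...base, response_type: 'token id_token' };
const codeFlow = { ...base, response_type: 'code' };
const formPost = { ...base, response_type: 'token id_token', response_mode: 'form_post' };

for (const req of [implicit, codeFlow, formPost]) {
  console.log(buildAuthorizeUrl('tenant.example.com', req));
  console.log('  mode:', effectiveResponseMode(req), '| tokens in URL:', tokensInUrl(req));
}
```

With response_type=code the callback URL carries only a short-lived code in the query string, which the application then exchanges for tokens; with form_post the application needs a server-side route that accepts the POST.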
