Second application instance throws 'The provided redirect_uri is not in the list of allowed callback URLs' error

Apologies if something like this already exists…I have searched multiple times and found nothing.
website1 = ‘
website2 = ‘
Lets say I have an application at website1 with a client id of ‘abcde’. It has an api configured for it and it all works fine. The audience for this site is website1.

Now I want to have a separate application at in Auth0 with a new url website2 with a client id of ‘54321’ and a new api. All looks fine in Auth0. The audience will still be website1 as I understand from the docs. When I try to load the new application at website2, I’m getting a ‘The provided redirect_uri is not in the list of allowed callback URLs’ error - I can see the redirect_uri contains the clientid ‘abcde’ which suggests it’s pointing at the wrong application. What am I doing wrong?

Welcome to the Auth0 Community, @aleksandar.kirilov!

I can see two topics here. The first one would be questions regarding how to use APIs/audiences in Auth0 and the second is the actual error you are receiving: The provided redirect_uri is not in the list of allowed callback URLs. I will start with the first one, which is represented by the quotes below:

First of all, I want to clarify some things about what you’ve said above just in case they help:

Audiences are for APIs. Not for applications. They are configured when creating a new API as shown below. Also, is your API audience really website1? Is that your API endpoint? I would expect you to use a URL instead. In addition to that, the name is really unexpected. “website1” is related to a web application instead of to an actual API:

When you say you want a new application with a new API, what do you mean? Are you going to use a different API i.e. a new backend/custom API on your side? Otherwise, registering a new API on Auth0 is not needed. APIs on Auth0 represent a backend/API on your side.

This question can have different answers depending on the architecture of your solution. What docs are you following? The audience will vary or stay the same depending on your use case. Actually, two different implementations can work, one having a single API and hence audience and another one having two or more APIs registered and hence audiences. It all depends on what your backend expects and how it is ultimately implemented. I suggest you read Configure Logical API for Multiple APIs in case you want to learn more about this topic.

Now, I will discuss the The provided redirect_uri is not in the list of allowed callback URLs error:

First of all, I would like to clarify what the following sentence means:

What does this mean? Does this just mean that you have an application with client_id: 54321 running on your domain:

This error means that you are calling an endpoint (I’m assuming it is /authorize with a redirect_uri that’s not included on your application’s Allowed Callback URLs list). You can choose what redirect_uri is used when you call /authorize and you can add that URL via your application’s Settings tab → Allowed Callback URLs option.

You are the one who chose to use abcde. Why are you doing this? As I said in the previous item, you can choose what redirect_uri is used when you call /authorize. Also, abcde is not an URL, it is the client_id of the first application, which is clearly wrong.

I hope some of this helps.

Hi Ali,

Thanks for getting back to me. Apologies with the explanation above - as a newbie I couldn’t add more than 2 links so for figured I could write anything and edit if needs be. I couldn’t work out how to edit so gave up.
Your explanation did help me to understand how things hang together a lot better so thank you. Managed to solve my problem too…I have a deployment that uses config transforms so all the values are now being set correctly but was still complaining. Upon further investigation in turned out to be some hard-coding left in the frontend code for testing purposes.



Ooohhh! Glad to hear that!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.