State is being altered on Auth0 (Proven at Rule)

This one is in the weeds, so I probably need an Auth0 guru to respond.


  • I am using auth0.js and lock to authenticate.
  • Passing in a state
  • Using Rules

All is working well except one scenario. I am passing in the state, and on callback it comes back correctly. However, in my situation I pass the state back to my API in a RULE.

Here is the kicker - the state is what I expect to receive in all situations EXCEPT when the user uses Username-Password and is not remembered.

So if I log in using any social provider - WORKS
If I log in with username and password - first time it FAILS (state is no longer the value I sent in)
If I log in again and it remembers my username and password - WORKS

The state I am sending in is a GUID for example: 99999999-9999-9999-9999-999999999999
What I see when it is failing is a 32 character string - and it is different on each call, example: LypO4is6v8fKG3CgLqU0sVFmAJoQr6Y6

PS You may come back and tell me I should not be relying on state at the RULE level. If this is the answer, what is the best way to send in a GUID that will be passed through to the RULE?

I misspoke – I am not using lock but just auth0.js

Hey there!

Sorry for the delay in response. We’re doing our best in providing you with the best developer support experience out there, but sometimes there are too many questions to handle. Sorry for the inconvenience!

Do you still require further assistance from us?