Wildcard domains does not seem to work. Is specifying the port messing it up?

carl.erik.kopseng · April 20, 2026, 11:34am

I’m trying to avoid maintaining per-brand callback URLs in Auth0 for a whitelabel app.

We use domains like {brand}.example.com, {brand}.stage.example.com, and locally {brand}.localhost:3000.

Auth0’s docs say wildcard subdomains are allowed in Allowed Callback URLs, for example https://*.example.com, as long as the wildcard is in the leftmost subdomain. Based on that, http://*.localhost:3000/auth/callback appears like it should allow http://mybrand.localhost:3000/auth/callback.

But in practice Auth0 is rejecting that callback, even though the docs seem to allow it.

Is .localhost or .localhost:3000 treated differently from normal domains for wildcard callback matching, or is there another limitation here that isn’t obvious from the docs?

carl.erik.kopseng · April 20, 2026, 1:27pm

I might add, the wildcard works fine for non-loopback domains. Doing https://*.stage.example.com/auth/callback works fine for different subdomains.

Topic		Replies	Views
Problem with wildcard subdomains Get Help	1	4373	March 7, 2020
Alows multiple callback urls Get Help configuration , application	2	1443	August 29, 2023
Wildcards in callback URLs Get Help auth0 , callback-urls	7	5433	August 7, 2022
What are the security challenges why Auth0 does not allow wildcard at the end of the domain. For eg. example.com/* is not supported for allowed callback urls Get Help configuration , application	2	101	September 9, 2024
Wildcard Url's not matching in callback Get Help login , callback-urls , callback , wildcard , client-setup	3	7277	March 2, 2018

Wildcard domains does not seem to work. Is specifying the port messing it up?

Related topics