Tenant's and Application’s Default Login Route

In certain cases (described below), Auth0 could need to redirect back to the application's login initiation endpoint, using OIDC Third Party Initiated Login.

You can configure these URIs in Application Settings or Tenant Advanced Settings.

You can also do this using the Management API:

Application level

Tenant level

The login_url should point to a route in the application that ends up redirecting to Auth0's /authorize endpoint, e.g. Note that it requires https and it cannot point to localhost.

Scenarios for redirecting to the default login route

Users bookmarking the login page

When an application initiates the login process, it navigates to https://YOUR_DOMAIN/authorize with a set of required parameters. Auth0 then redirects end-users to a https://YOUR_DOMAIN/login page, with a URL that looks like:


The state parameter points to a record in an internal database where we track the status of the authorization transaction. Whenever the transaction completes, or after X time passes, the record is deleted from the internal database.

Sometimes users bookmark the login page, and when they navigate to the bookmarked /login URL, the transaction record is no longer there and Auth0 cannot continue with the login flow. In that case, Auth0 will redirect to the default client URL if configured, or the tenant level URL if not. If no default login URL is set, Auth0 will render an error page.

Completing the password reset flow

When the password reset flow is completed and the default URI for the application or tenant is configured, users will see a button that will let them navigate back to the login page.

This behavior only happens when the New Universal Login Experience is enabled. In Classic mode, you will need to configure the Redirect URL in the Password Reset Email Template.