Auth0 recommends the transition to HTTPS-based callbacks using Android App Links and Apple Universal Links whenever possible for all native applications using the Authorization Code Flow to enhance security and mitigate the risks of application impersonation and phishing attacks. In addition, Auth0 is introducing a change in how the service handles custom URI schemes. More specifically, for authentication requests specifying a custom URI scheme as the callback, a login confirmation prompt can now be used in scenarios that would previously return a response without requiring user interaction. For example, in a single sign-on (SSO) scenario, if the authentication request requirements can be satisfied from an existing authenticated session, the service will display the new login confirmation prompt instead of seamlessly returning a response to the specified custom URI scheme/loopback URI callback. Review the User Confirmation Prompt section of Measures Against Application Impersonation to learn more about the new prompt. For tenants that predate the availability of the new functionality, the previous behavior will remain the default until April 28th, 2026 to prevent an unexpected behavior change. However, it is strongly recommended that you opt in before this date to use the new behavior for those tenants. Alternatively, you can opt out of using the additional confirmation prompt if strictly required.

How are you affected?

End-users logging in to client applications that already specify, or plan to specify, a custom URI scheme or loopback URI callback may be required to explicitly confirm the login by interacting with the new login confirmation prompt. Your end-users may perceive this change as a degraded user experience. Additionally, authentication requests including prompt=none will be rejected when applications use non-verifiable callback URIs and are configured to use the new login confirmation prompt.

Actions

Auth0 strongly recommends transitioning to HTTPS-based callbacks using Android App Links and Apple Universal Links whenever possible for all native applications using the Authorization Code Flow. Furthermore, in tenants where the default behavior changes after April 28th, 2026, you should explicitly select the behavior you require for authentication requests using custom URI schemes or loopback URI callbacks ahead of the system default change.

Review whether your applications are using Non-Verifiable Callback URIs

In tenants for which the Unconfirmed Login with Non-Verifiable Callback URI Redirects migration toggle is available and in an enabled state, authentication requests specifying a custom URI scheme or loopback URI will generate a deprecation notice tenant log unless you have explicitly set the following option at the application or tenant level: skip_non_verifiable_callback_uri_confirmation_prompt. These tenant logs contain the client identifier of the application performing the request. You can monitor these tenant logs through the Auth0 Dashboard using the following query:
type:depnote AND description:Unconfirmed\ Login\ with\ Non-Verifiable\ Callback\ URI\ Redirects*

Opt in to new login confirmation prompt

To opt-in to the new login confirmation prompt ahead of time and enhance security for authentication flows using custom URI schemes or loopback URIs, complete the following steps through your Auth0 Dashboard:
  1. Navigate to Auth0 Dashboard > Tenant Settings > Advanced.
  2. In the Migrations section, turn off the Unconfirmed Login with Non-Verifiable Callback URI Redirects toggle.

Opt out of new login confirmation prompt

If, after evaluating the security considerations, you decide against using the new login confirmation prompt, you can configure specific applications or the whole tenant to opt out of the new behavior. You can do so through your Auth0 Dashboard. The application-level setting takes precedence over the tenant-level setting. Ensure you configure application-specific settings before changing the tenant-level setting to avoid unintended behavior changes. For example, you may want to skip the Non-Verifiable Callback URI End-User Confirmation for some specific applications while, by default, showing it for other applications, or vice versa. To opt out for specific applications:
  1. Navigate to Auth0 Dashboard > Applications > Settings > Advanced Settings > OAuth.
  2. Locate and disable the Non-Verifiable Callback URI End-User Confirmation toggle and select Save. You may need to Override the tenant setting to allow permanently managing this configuration.
To opt out for the whole tenant:
  1. Navigate to Auth0 Dashboard > Tenant Settings > Advanced.
  2. Locate and disable the Non-Verifiable Callback URI End-User Confirmation toggle within the Login and Logout section and select Save. You may need to turn the setting on to allow permanently managing this configuration.
The Unconfirmed Login with Non-Verifiable Callback URI Redirects migration toggle only applies to tenants that predate the availability of the new confirmation prompt feature. This toggle can only be configured through the Auth0 Dashboard. Apart from the migration toggle, you can also configure the required tenant behavior via the Auth0 Management API. In particular, you can perform the configuration at two levels:
  • Tenant-Level Configuration: You can manage the confirmation prompt behavior by setting the skip_non_verifiable_callback_uri_confirmation_prompt property via the Update Tenant Settings endpoint.
  • Application-Level Configuration: To override the tenant-level setting for specific applications, set the same skip_non_verifiable_callback_uri_confirmation_prompt property via the Update Client endpoint.
For additional information and guidance on configuring your applications, read Measures Against Application Impersonation.
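The following script is an added example, not Auth0's own code: it filters the deprecation-notice logs the way the dashboard query above does, applies the documented precedence rule (application-level setting overrides tenant-level), and builds the Management API PATCH requests for the two endpoints. The log entries are constructed samples; the assumption that the property sits at the top level of the request body, and that a missing application-level value means "inherit from tenant", is not stated on this page.

```python
import json
import urllib.request

DEPNOTE_PREFIX = "Unconfirmed Login with Non-Verifiable Callback URI Redirects"
PROP = "skip_non_verifiable_callback_uri_confirmation_prompt"


def affected_clients(log_entries):
    """Client IDs found in logs matching the dashboard query
    (type:depnote AND description:<prefix>*), de-duplicated and sorted."""
    return sorted({
        e["client_id"] for e in log_entries
        if e.get("type") == "depnote"
        and e.get("description", "").startswith(DEPNOTE_PREFIX)
        and e.get("client_id")
    })


def effective_skip(tenant_settings, client):
    """Application-level value wins; otherwise fall back to the tenant value.
    Assumption: an absent/None client value means 'inherit from tenant'."""
    client_value = client.get(PROP)
    if client_value is not None:
        return bool(client_value)
    return bool(tenant_settings.get(PROP, False))


def patch_request(domain, token, path, body):
    """Build (but do not send) a Management API PATCH for
    'tenants/settings' (Update Tenant Settings) or 'clients/<id>' (Update Client).
    Assumption: PROP is a top-level key of the request body."""
    return urllib.request.Request(
        f"https://{domain}/api/v2/{path}",
        data=json.dumps(body).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )


# Constructed sample log entries (not real tenant data).
SAMPLE_LOGS = [
    {"type": "depnote", "description": DEPNOTE_PREFIX + ": custom scheme", "client_id": "CLIENT_A"},
    {"type": "depnote", "description": "Some unrelated deprecation", "client_id": "CLIENT_B"},
    {"type": "s", "description": "Success Login", "client_id": "CLIENT_C"},
    {"type": "depnote", "description": DEPNOTE_PREFIX + ": loopback URI", "client_id": "CLIENT_A"},
]

if __name__ == "__main__":
    for cid in affected_clients(SAMPLE_LOGS):
        print("needs a decision:", cid, patch_request("TENANT.auth0.com", "TOKEN", f"clients/{cid}", {PROP: False}).full_url)
```

Send the built request with `urllib.request.urlopen` using a Management API token that has the update scopes for tenant settings or clients; set application-level values first, as the page advises, before changing the tenant-level value.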