Auth0 / Clerk callback URL mismatch in production
Short answer
Both Auth0 and Clerk require every callback URL to be explicitly allow-listed. Preview deploys, custom domains, and even http://localhost variants are all checked exactly — one missing entry breaks the whole flow for that environment.
Symptoms
- Auth0: “Callback URL mismatch. The provided redirect_uri is not in the list of allowed callback URLs.”
- Clerk: “redirect_url is not in the list of allowed redirects”.
- Sign-in works on localhost but fails on the deployed URL.
- Each PR preview breaks auth because the .vercel.app URL is new.
Common causes
- Production / custom domain not added to Allowed Callback URLs.
- Wildcards used in a provider that doesn't support them (Auth0 supports * — Clerk does not).
- http:// vs https:// mismatch.
- Trailing slash difference between code and dashboard entry.
- Logout URL allow-list also out of sync (causes redirect loop after logout).
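The causes above can be told apart mechanically by comparing the URL the code sends with the allow-list entries. The following is an added example, not code from DeployDoc, Auth0 or Clerk; the function names, the sample domains and the matching rules (exact string comparison, `*` standing for one DNS label) are assumptions for illustration.

```javascript
// Added example, not DeployDoc's or either provider's code. Matching rules are
// assumptions: exact string comparison, and "*" standing for one DNS label.
function wildcardMatches(pattern, uri) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\\/]/g, "\\$&");
  // Anchored, and "*" cannot span "." or "/", so it never widens past one label.
  return new RegExp("^" + escaped.replace(/\*/g, "[a-z0-9-]+") + "$", "i").test(uri);
}

// Returns { ok, reason, entry? } naming the first cause found for redirectUri.
function diagnoseRedirect(redirectUri, allowList, { wildcards = false } = {}) {
  if (allowList.includes(redirectUri)) return { ok: true, reason: "exact match" };
  const stripSlash = (u) => u.replace(/\/+$/, "");
  const target = new URL(redirectUri);
  for (const entry of allowList) {
    if (entry.includes("*")) {
      if (!wildcardMatches(entry, redirectUri)) continue;
      return wildcards
        ? { ok: true, reason: "wildcard match", entry }
        : { ok: false, reason: "wildcard not supported by provider", entry };
    }
    if (stripSlash(entry) === stripSlash(redirectUri))
      return { ok: false, reason: "trailing-slash drift", entry };
    const e = new URL(entry);
    if (e.host === target.host && e.pathname === target.pathname && e.protocol !== target.protocol)
      return { ok: false, reason: "http/https mismatch", entry };
  }
  return { ok: false, reason: "not in allow-list" };
}

// Constructed sample settings (hypothetical domains, not from any real tenant).
const allowed = [
  "http://localhost:3000/callback",
  "https://app.example.com/callback/",
  "https://*.preview.example.com/callback",
];
for (const uri of [
  "https://app.example.com/callback",
  "https://pr-7.preview.example.com/callback",
  "https://staging.example.com/callback",
]) {
  console.log(uri, "->", diagnoseRedirect(uri, allowed).reason);
}
```

Pass `{ wildcards: true }` only for a provider whose allow-list accepts wildcard entries; with the default, a wildcard entry is reported as a cause rather than treated as a match.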
How DeployDoc checks this
- Reads code references to redirectUri / afterSignInUrl and compares to provider settings.
- Lists missing callback + logout URLs per environment.
- Detects unsupported wildcard patterns on Clerk.
- Flags http/https and trailing-slash drift.
Fix it manually
- Auth0: Application → Settings → Allowed Callback URLs / Logout URLs / Web Origins. Add every deploy domain.
- Clerk: Configure → Paths and Authorized redirect origins. Add each origin explicitly (no wildcards).
- Keep http://localhost entries for development; production uses https only.
- Match trailing slash exactly between code and dashboard.
- After the change, sign out and back in to refresh tokens.
When to run a DeployDoc diagnosis
Before going live on a custom domain, and any time PR preview URLs start breaking auth.