"Clear-Site-Data" Header Clears Auth0 Cookies and Breaks the Login Flow

Sessions
Sep 10, 2025
Overview
The below error is shown when end-users try to log in, after inputting their credentials:

A user has attempted to access a login page directly. This is not supported unless a \"Application Login URI\" is set for your application, or a \"Tenant Login URI\" is set for your tenant. For more information, see: https://auth0.com/docs/universal-login/default-login-url"
Applies To
  • login
  • cookies
  • state
Cause
There is an HTTP header called "Clear-Site-Data" that most browsers support.

If the server returns that mentioned header, it instructs the browser to clear cookies for that domain.

If any used resource (images, icons, etc) as part of the universal login that, when loaded, returns that header, the login flow will break because Auth0 tracks the login flow using cookies. Please see Clear Site Data for more details.
Solution
Review that the resources being used do not contain the header "Clear-Site-Data".

Recommended content

No recommended content found...
Need more help? Visit the Community
Visit the Auth0 Community