Understanding and Testing the Non-Verifiable Callback URI Consent Screen Within Auth0

Overview

This article explains the behavior of the consent screen for non-verifiable callback Uniform Resource Locators (URLs) and details how tenant settings and domain formats impact its visibility. It describes the conditions under which the security confirmation prompt appears during authentication flows.

Applies To
  • Auth0
  • Tenant Settings
  • Application Configuration
  • Non-Verifiable Callback URLs

Solution
  1. Configure the Tenant Settings.
    1. For tenants created before October 15, 2025, navigate to Advanced > Migrations in the tenant settings.
    2. Turn off the Unconfirmed Login with Non-Verifiable Callback URI Redirects toggle to enable the new behavior.
      • NOTE: Tenants created after October 15, 2025, do not have this toggle because the behavior is active by default.
  2. Enable the Feature Setting.
    • Enable the Non-Verifiable Callback URI End-User Confirmation toggle at the tenant or application level. For the tenant, navigate to Settings > Advanced tab; for the application, navigate to Settings > Advanced settings section.
  3. Verify the Trigger Conditions.
    1. Ensure the application uses a non-verifiable callback URL, such as http://localhost.
    2. Test the flow in a context where authentication would complete without user interaction, such as an existing session or silent authentication.
      • NOTE: The consent screen is designed to intervene when a user is redirected back to a non-verifiable URL without having been prompted.
  4. Validate the Domain Formats.
    • Use a standard localhost address (for example, http://localhost:3000) to trigger the consent screen.
    • Avoid the .localhost Top-Level Domain (TLD) (for example, http://app.localhost): the system treats subdomains of the .localhost TLD as verifiable and will not show the confirmation prompt.

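The following helper is an added example for planning the test in steps 3 and 4; it is not Auth0 code. It applies the article's two domain rules to each configured callback URL (a plain `localhost` host is non-verifiable and triggers the prompt; a host under the `.localhost` TLD is treated as verifiable and does not; anything else is reported as not covered by this article) and builds a standards-based OIDC `/authorize` URL with `prompt=none`, which is the silent-authentication context in which the consent screen is designed to appear. The tenant domain, client ID and callback paths are constructed placeholders.

```python
"""Plan a test of the non-verifiable callback URI consent screen.

Added example, not Auth0's own code. Tenant domain, client_id and callback
paths below are constructed placeholders.
"""
import secrets
from urllib.parse import urlencode, urlparse


def callback_consent_behaviour(callback_url: str) -> str:
    """Classify a callback URL by the domain rules stated in the article.

    'prompt'      -> plain localhost host: non-verifiable, consent screen shown
    'no-prompt'   -> host under the .localhost TLD: treated as verifiable
    'not-covered' -> any other host; the article makes no statement about it
    """
    host = (urlparse(callback_url).hostname or "").lower()
    if host == "localhost":
        return "prompt"
    if host.endswith(".localhost"):
        return "no-prompt"
    return "not-covered"


def silent_auth_url(tenant_domain: str, client_id: str, redirect_uri: str,
                    state: str = "") -> str:
    """Build an OIDC authorize URL that completes without user interaction.

    prompt=none is the standard OIDC request parameter for silent
    authentication; with an existing session the flow returns straight to
    redirect_uri, which is the case the confirmation screen intercepts.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "prompt": "none",
        # A fresh random state per request, unless the caller fixes one.
        "state": state or secrets.token_urlsafe(16),
    }
    return f"https://{tenant_domain}/authorize?{urlencode(params)}"


def plan(callback_urls, tenant_domain: str, client_id: str):
    """Expected consent behaviour plus a silent-auth test URL per callback."""
    return [
        {
            "callback": url,
            "expected": callback_consent_behaviour(url),
            "test_url": silent_auth_url(tenant_domain, client_id, url, state="test"),
        }
        for url in callback_urls
    ]


if __name__ == "__main__":
    # Constructed sample values; substitute your own tenant and application.
    rows = plan(
        ["http://localhost:3000/callback",
         "http://app.localhost/callback",
         "https://app.example.com/callback"],
        tenant_domain="YOUR_TENANT.us.auth0.com",
        client_id="YOUR_CLIENT_ID",
    )
    for row in rows:
        print(f"{row['expected']:<12} {row['callback']}")
        print(f"{'':<12} {row['test_url']}")
```

Open each printed test URL in a browser that already holds a session for the tenant: the `prompt` rows are the ones where the consent screen should appear, and the `no-prompt` rows document why a `.localhost` subdomain is a poor choice for reproducing it.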
