For authentication to work, you need to add callback URLs into your app.

• An Allowed callback URL (also known as a redirect URI) is the web address where a user is sent after they authenticate.
• An Allowed logout redirect URL is where they go when they sign out - sometimes these are the same as the allowed callback URLs.

1. In Kinde, go to Settings > Applications.
2. View the details of an application.
3. In the Allowed callback URLs section, enter a callback URL. For example https://[YOUR_SERVER_URL]/kinde_callback
4. In the Allowed logout redirect URLs field, enter a redirect URL. For example, enter your website address or the URL for a custom logout screen. Make sure you also register the redirect URL in your application settings.

Currently wildcards can’t be used in callback URLs.

As an immediate solution, we are extending our Kinde management API to allow management of callbacks in a graceful manner. This means if you are deploying code to a dynamically generated subdomain - using a tool like Vercel - you can add the subdomains as callback URLs.

You can also use the appstate which is available as part of the onRedirect callback. There’s an example of usage in the React docs and some of our other SDKs.

Meanwhile, we are looking into an approach of securely handling wildcards.

Kinde does not currently provide the ability to distinguish between a sign in and new registration, when the user lands on the callback URL.

We recommend that you map the Kinde user IDs to your internal users. Then when the token from Kinde gets verified,

• if the user doesn’t exist: continues with sign up flow
• if the user does exist: continues with sign in flow

We don’t include this information in the token because it’s possible to create a user via an API, or in the admin UI (via custom import).