Available since 1.43.0


Beginning in version 1.43.0 FusionAuth provides support for wildcards in OAuth 2.0 redirect URLs and origin URLs. This document provides details on where wildcards are allowed in configured values and the valid replacement patterns for wildcards in each position.

URL Validation Policy

In order to validate allowed authorized redirect and origin URLs containing wildcards, the URL validation setting must be configured to Allow wildcards under Applications -> Edit Application -> OAuth.

See the Application API or Application OAuth Configuration for details.

Allowed Wildcard Positions

In order to maintain security while allowing the flexibility of wildcards, FusionAuth limits the position and number of wildcards that are allowed in the configured authorized redirect and origin URLs. The asterisk character, *, is the wildcard character.


The domain of a configured URL allows 0 or 1 wildcards in the domain portion of the URL. Wildcards are not allowed if the host is specified by an IP address. If the domain contains a wildcard, it must meet all of the following requirements:

The following table provides some examples of valid and invalid wildcard patterns.

Domain Wildcards

https://*.comThe domain only contains two segments
https://auth.*.comThe wildcard does not appear in the host
https://*mid*.example.comThe domain contains multiple wildcards
https://*.168.1.1Wildcards are not allowed with IP addresses


The port number can be specified as a wildcard. There is no partial wildcard support for the port number.

Port Wildcards

https://example.com:4*Partial wildcards are not allowed for the port number

Path Segments

Wildcards are allowed in path segments with the following restrictions:

The following table provides some examples of valid and invalid wildcard patterns in the path.

Path Wildcards

https://example.com/path/*mid*/resourceThe path segment contains multiple wildcards

Query String Values

Wildcards are allowed in query string values with the following restrictions:

Wildcards are not allowed in query string names. The following table provides some examples of valid and invalid wildcard patterns in the query string.

Query String Wildcards

https://example.com?foo=par*tialPartial wildcard replacement is not allowed for query string values
https://example.com?*=blahWildcards are not allowed in query string names

Wildcard Replacement Patterns

The position where wildcards are allowed in configured values is just one half of the puzzle. Wildcards in each portion of the URL have different rules for the replacement values. Please note that allowed replacement values may not produce a valid URL. This section provides details on the allowed replacements for wildcards in each portion of the URL. Each wildcard in the configured value must match one or more characters. Matches against empty strings will fail.


Replacements for wildcards in the domain portion of the URL must not contain ., :, /, or ? characters. The following table lists examples of valid and invalid replacements for valid wildcard patterns.

Domain wildcard replacement

https://auth*.example.comhttps://auth.example.com The value does not contain a character to replace the *
https://*.example.comhttps://auth.customer.example.comThe replacement contains a . character


Replacement values for wildcards in the port portion of the URL must consist of one or more decimal digits.

Port wildcard replacement

https://example.com:https://example.com:80bThe replacement value contains a non-numeric character

Path Segments

Replacement values for wildcards in a path segment of the URL must not contain / or ? characters.

Path segment wildcard replacement

https://example.com/path/*/resourcehttps://example.com/path/to/the/resourceThe replacement value contains a /
https://example.com/path/*https://example.com/path/resource?foo=barThe replacement value contains a ?
https://example.com/*/par*tial/*https://example.com/path/partial/resourceThe segment partial does not contain a replacement character for the wildcard

Query String Values

Replacement values for query string values must not contain the & character.

Query string value wildcard replacement

https://example.com?foo=*https://example.com?foo=bar&baz=blahThe replacement value contains an & character
https://example.com?foo=*https://example.com?baz=blah&foo=barThe replacement value contains an extra query string parameter