Firebase rejects continue URLs that point to domains outside Authentication → Settings → Authorized Domains, so email-action or redirect flows fail with auth/unauthorized-continue-uri. Whitelist the domain and make sure ActionCodeSettings.url uses that host before sending links.
Firebase evaluates continue/redirect URLs (ActionCodeSettings.url) against your project's Authorized Domains list before issuing password reset, email verification, email sign-in, or OAuth redirect links. If the hostname is missing from that list, Firebase blocks the request to prevent open redirect abuse and surfaces auth/unauthorized-continue-uri before the link is even sent. This usually happens when you plug in a new custom domain, deep subdomain, Firebase Dynamic Links host, or localhost address that hasn't been added to Authentication → Settings. When the continue URL fails this whitelist, the backend reports the domain as "not whitelisted" even though the rest of the request is valid. Firebase uses the exact hostname to match the configured list, so changing the hostname or using a previously unseen redirect host triggers this error until that host is explicitly authorized.
Log the ActionCodeSettings.url that you pass to Firebase and make sure it matches the host you want to trust:
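import { sendSignInLinkToEmail } from 'firebase/auth';

// `auth` is your initialized Auth instance; `email` is the recipient address.
const actionCodeSettings = {
  url: 'https://app.example.com/auth/email-link-complete',
  handleCodeInApp: true
};
// Log the host that Firebase will compare against the Authorized domains list.
console.log('Continue URL host:', new URL(actionCodeSettings.url).hostname);
await sendSignInLinkToEmail(auth, email, actionCodeSettings).catch((error) => {
  console.error('Firebase error:', error.code, error.message);
});

If the logged host is different from the domain you see in the browser, update the URL builder so the domain matches the one you are about to authorize.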
1. Open Firebase Console → Authentication → Settings.
2. Scroll to “Authorized domains” and click “Add domain”.
3. Enter the hostname from your continue URL, for example app.example.com, project-id.firebaseapp.com, or auth.example.page.link.
4. Click Save.
Only the hostname matters—paths and query strings are ignored—so make sure you add the exact host that appears in ActionCodeSettings.url.
If you serve the continue route through Firebase Hosting, a Dynamic Links domain, or a custom redirect like yourapp.page.link, add that host as well. Firebase treats each host separately, so adding example.com does not cover subdomain.example.com or project-id.page.link. After updating the list, redeploy or restart the service so the new domain propagates.
Re-run the email-action or redirect call and confirm it now resolves:

try {
  // Repeat the same send call that previously failed.
  await sendSignInLinkToEmail(auth, email, actionCodeSettings);
  console.log('Link sent or handled successfully');
} catch (error) {
  console.error('Still failing:', error.code, error.message);
}

If you still see auth/unauthorized-continue-uri, verify the console log again and compare the domain to the list in Firebase Console.
Authorized domains act as a whitelist that protects Firebase action links from being redirected to arbitrary hosts. Firebase matches only the hostname, so you must add app.example.com, auth.example.com, or any Firebase Dynamic Links host exactly. Projects created after April 28, 2025 no longer include localhost automatically, so add it manually when debugging locally. Once the hostname is authorized, Firebase will allow the continue/redirect URL to flow while still rejecting unlisted hosts to prevent phishing and open redirect attacks.
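A local pre-flight check for the hostname-only, exact-match rule as this page describes it, written as an added example (not code from the original page or from Firebase). `AUTHORIZED_DOMAINS`, `checkContinueUrl` and `assertContinueUrlAllowed` are hypothetical names, and the list is a constructed copy of what you would keep in sync with Authorized domains in the console.

```javascript
// Added example: a local pre-flight check, not Firebase's own implementation.
// AUTHORIZED_DOMAINS is a constructed copy of the console's Authorized domains list.
const AUTHORIZED_DOMAINS = ['app.example.com', 'project-id.firebaseapp.com'];

// Returns { ok, host, reason } for a continue URL. Only the hostname is
// compared; path, query string and port play no part in the decision.
function checkContinueUrl(continueUrl, authorizedDomains = AUTHORIZED_DOMAINS) {
  let parsed;
  try {
    parsed = new URL(continueUrl);
  } catch {
    return { ok: false, host: null, reason: 'not an absolute URL' };
  }
  // URL.hostname is lowercased and excludes port, userinfo and path, so
  // "https://app.example.com@other.test/" yields "other.test", not the prefix.
  const host = parsed.hostname;
  const allowed = new Set(authorizedDomains.map((d) => d.trim().toLowerCase()));
  if (allowed.has(host)) {
    return { ok: true, host, reason: 'host is on the list' };
  }
  // Name a listed parent domain, if any, so the log explains why it failed.
  const parent = [...allowed].find((d) => host.endsWith('.' + d));
  const reason = parent
    ? `"${parent}" is listed but does not cover "${host}"`
    : `"${host}" is not on the list`;
  return { ok: false, host, reason };
}

// Guard to call before sendSignInLinkToEmail or another email-action call.
function assertContinueUrlAllowed(actionCodeSettings, authorizedDomains) {
  const result = checkContinueUrl(actionCodeSettings.url, authorizedDomains);
  if (!result.ok) {
    throw new Error(`continue URL rejected before send: ${result.reason}`);
  }
  return result.host;
}
```

Running this guard in CI against every environment's continue URL catches a missing host (a new subdomain, or localhost on a newer project) before users hit auth/unauthorized-continue-uri.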