30 changes: 23 additions & 7 deletions main/docs/get-started/applications/application-settings.mdx
Expand Up @@ -45,12 +45,28 @@ When you edit an existing application's settings or create a new application, yo
<Frame>![Dashboard Applications Application Settings Application URIs](/docs/images/cdy7uua7fh8z/1QhW2i4fTCCp8owey2tMPI/a19f7fc3f84118920d0e5cb2357144da/Application_URIs.png)</Frame>

* **Application Login URI**: In some scenarios, Auth0 will need your application to redirect to your application's login page. This URI needs to point to a route in your application that redirects to your tenant's `/authorize` [endpoint](https://auth0.com/docs/api/authentication#authorize-application). It would usually take the form of `https://myapp.org/login`. To learn more, read [Configure Default Login Routes](/docs/authenticate/login/auth0-universal-login/configure-default-login-routes).
* **Allowed Callback URLs**: Set of URLs to which Auth0 is allowed to redirect users after they authenticate. You can specify multiple valid URLs by comma-separating them (typically, to handle different environments like QA or testing). For production environments, verify that the URLs do not point to localhost. You can use the star symbol as a wildcard [placeholder for subdomains](/docs/get-started/applications/wildcards-for-subdomains) (`*.google.com`).
If you are using the Organizations feature, for production applications, you can use `{organization_name}` as a placeholder to dynamically specify a registered organization’s name in a URL (`https://{organization_name}.exampleco.com`). URLs with the `{organization_name}` placeholder should only be used on domains that you fully control (for example, `https://{organization_name}.exampleco.com` where you control the `exampleco.com` domain).

Do not use wildcard placeholders or localhost URLs in your application callbacks or allowed origins fields. Using redirect URLs with wildcard placeholders can make your application vulnerable to attacks. To learn more, read [Unvalidated Redirects and Forwards Cheat Sheet on owasp.org](https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet). Instead, URLs with the `{organization_name}` placeholder should be preferred, where relevant. To learn more, read [Subdomain URL Placeholders](/docs/get-started/applications/wildcards-for-subdomains).
* **Allowed Logout URLs**: After a user logs out from Auth0 you can redirect them with the `returnTo` query parameter. The URL that you use in `returnTo` must be listed here. You can specify multiple valid URLs by comma-separating them. For production environments, verify that the URLs do not point to localhost. You can use the star symbol as a wildcard placeholder for subdomains (`*.google.com`). Notice that query strings and hash information are not taken into account when validating these URLs. See [Logout](/docs/authenticate/login/logout). You can provide up to 100 URLs in the **Allowed Logout URLs** field.
* **Allowed Web Origins**: List of URLs from where an authorization request using [Cross-Origin Authentication](/docs/authenticate/login/cross-origin-authentication), [Device Flow](/docs/get-started/authentication-and-authorization-flow/device-authorization-flow), and `web_message` as the response mode can originate from. You can specify multiple valid URLs by comma-separating them. For production environments, verify that the URLs do not point to localhost. You can use the star symbol as a wildcard placeholder for subdomains (`*.google.com`). Paths, query strings, and hash information are not taken into account when validating these URLs (and may, in fact, cause the match to fail). You can provide up to 100 URLs in the **Allowed Web Origins** field.
* **Allowed Callback URLs**: Set of URLs to which Auth0 is allowed to redirect users after they authenticate. You can specify multiple valid URLs by comma-separating them (typically, to handle different environments like QA or testing). For production environments, verify that the URLs do not point to localhost. You can use the following placeholders in this field:
* **Wildcards**: Use `*` for subdomains (`*.google.com`) _Not recommended for production environments._
* **Organization placeholders**: Use `{organization_name}` to dynamically specify a registered organization's name (for example, `https://{organization_name}.example.com`).
* **Custom Domain placeholders**: Use `{custom.domain.metadata.KEY}` to dynamically populate the URL based on metadata from the custom domain used in the request (for example, `https://{custom_domain.metadata.public_app_url}/callback`).
It is probably a good idea to link the title of the bullet to the corresponding section in the https://auth0.com/docs/get-started/applications/wildcards-for-subdomains article

Same comment for the other App URLs

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
The first URL listed in this field is taken as the default callback URL when the corresponding protocol flow does not explicitly specify one. This applies specifically to SAML, WS-Fed, and SAML IdP-initiated SSO flows.
</Callout>
Do not use wildcard placeholders or localhost URLs in your application callbacks or allowed origins fields. Using redirect URLs with wildcard placeholders can make your application vulnerable to attacks. To learn more, read [Unvalidated Redirects and Forwards Cheat Sheet on owasp.org](https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet). Instead, URLs with the `{organization_name}` placeholder should be preferred, where relevant. To learn more, read [Subdomain URL Placeholders](/docs/get-started/applications/wildcards-for-subdomains).
* **Allowed Logout URLs**: After a user logs out from Auth0, you can redirect them with the `returnTo` query parameter. The URL that you use in `returnTo` must be listed here. You can specify multiple valid URLs by comma-separating them. For production environments, verify that the URLs do not point to localhost.
* **Wildcards**: Use `*` for subdomains (`*.google.com`) _Not recommended for production environments._
* **Custom Domain placeholders**: Use `{custom.domain.metadata.KEY}` to dynamically populate the URL based on metadata from the custom domain used in the request (for example, `https://{custom_domain.metadata.public_app_url}/callback`).
* **Allowed Web Origins**: List of URLs from where an authorization request using [Cross-Origin Authentication](/docs/authenticate/login/cross-origin-authentication), [Device Flow](/docs/get-started/authentication-and-authorization-flow/device-authorization-flow), and `web_message` as the response mode can originate from. You can specify multiple valid URLs by comma-separating them. For production environments, verify that the URLs do not point to localhost. Paths, query strings, and hash information are not taken into account when validating these URLs (and may, in fact, cause the match to fail). You can provide up to 100 URLs in the **Allowed Web Origins** field.
* **Wildcards**: Use `*` for subdomains (`*.google.com`) _Not recommended for production environments._
* **Custom Domain placeholders**: Use `{custom.domain.metadata.KEY`} to dynamically populate the URL based on metadata from the custom domain used in the request (for example, `https://{custom_domain.metadata.public_app_url}/callback`).
* **Allowed Origins (CORS)**: List of URLs that are allowed to make Cross-Origin Resource Sharing (CORS) requests to Auth0.
* **Custom Domain placeholders**: Use `{custom.domain.metadata.KEY}` to dynamically populate the URL based on metadata from the custom domain used in the request (for example, `https://{custom_domain.metadata.public_app_url}/callback`).

<Warning>
If you configure your Application URLs exclusively using Custom Domain placeholders, authentication requests made via your tenant's canonical domain (for example, https://your-tenant.us.auth0.com) will fail.

This occurs because the canonical domain does not have the custom metadata required to resolve the placeholder. Ensure your application uses the specific Custom Domain for authentication, or provide a static fallback URL if canonical domain usage is required.
</Warning>

### ID Token
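Review bot: the placeholder in the Allowed Web Origins sub-bullet is mis-quoted; `{custom.domain.metadata.KEY`}` puts the closing backtick inside the braces, so the rendered page will show a stray `}`, and it should read `{custom.domain.metadata.KEY}` as in the other three sub-bullets. Those same sub-bullets describe the syntax as `{custom.domain.metadata.KEY}` (dot) while every example uses `{custom_domain.metadata.public_app_url}` (underscore); one of the two spellings is wrong, and a reader copying the wrong one ends up with a URL that never matches, so please settle on the form the platform actually resolves. The Allowed Web Origins and Allowed Origins (CORS) entries also reuse the `https://{custom_domain.metadata.public_app_url}/callback` example even though the Allowed Web Origins text says paths are ignored for origins and may cause the match to fail; an origin-only example such as `https://{custom_domain.metadata.public_app_url}` would be consistent there, and the Allowed Logout URLs example would read better with a logout path than `/callback`.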

Expand Down Expand Up @@ -139,4 +155,4 @@ View endpoint information for OAuth, <Tooltip tip="Security Assertion Markup Lan
* [Configure Applications with OIDC Discovery](/docs/get-started/applications/configure-applications-with-oidc-discovery)
* [Confidential and Public Applications](/docs/get-started/applications/confidential-and-public-applications)
* [First-Party and Third-Party Applications](/docs/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications)
* [Check Error Messages](/docs/troubleshoot/basic-issues/check-error-messages)
* [Check Error Messages](/docs/troubleshoot/basic-issues/check-error-messages)
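Review bot: the removed and added `Check Error Messages` lines are textually identical, so this hunk changes only whitespace or the end-of-file newline; worth confirming that is intended rather than editor noise.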