Right now there doesn't seem to be a way to change the callback URI, which automatically contains the Girder auth token.

Ideally I'd like a way (maybe it should be the default?) to not append a hash string at all. As of right now, it's creating malformed URLs with multiple hash strings in cases when the starting URL already contains a hash component.