How Can You Fix Error 400: Redirect_URI_Mismatch During Login?

While setting up authentication, I received error 400: redirect_uri_mismatch. What does this mean in OAuth or login setups, and how should the redirect URL be configured correctly?
 
This error basically means the redirect URI sent during login does not exactly match the one registered with the OAuth provider. OAuth providers are very strict about this for security reasons. Even a small difference like http vs https, a missing slash, or a different subdomain can trigger error 400: redirect_uri_mismatch.

First thing to check: copy-paste the redirect URL from your app and compare it character by character with what’s in the provider dashboard.
 
This strict behavior is intentional. If OAuth allowed flexible redirects, attackers could steal tokens by redirecting users to malicious URLs. That’s why error 400: redirect_uri_mismatch appears instead of silently failing.

So don’t try to “bypass” it; always configure allowed redirect URLs properly.
 
Frameworks can also confuse things. Some libraries auto-append parameters or paths. For example, NextAuth or Firebase might add /api/auth/callback/provider instead of what you expected.

Check the actual redirect URL being sent in your browser’s network tab, not just what you think it is.
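The answers above come down to two checks: what `redirect_uri` your app actually sends, and whether that string is byte-for-byte equal to one you registered. The following Python script is an added example (not code from the original thread, nor from NextAuth, Firebase or any real provider) that does both: it extracts `redirect_uri` from a constructed authorization-request URL like the one you would see in the network tab, then applies the same exact-match rule a provider applies and names the difference (scheme, host, trailing slash, path) when the match fails. All URLs, the client id and the registered list are constructed placeholders.

```python
"""Added example: reproduce an OAuth provider's exact-match redirect_uri check.

All values below are constructed; none come from a real provider or library.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed: what was registered in the provider dashboard (hypothetical app).
REGISTERED_REDIRECTS = ["https://app.example.com/api/auth/callback/google"]

# Constructed: the authorization request as the browser's network tab would show it.
AUTH_REQUEST = (
    "https://idp.example.net/authorize?client_id=demo-client&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fapi%2Fauth%2Fcallback%2Fgoogle"
    "&scope=openid"
)


def extract_redirect_uri(authorize_url):
    """Return the percent-decoded redirect_uri parameter of an authorization URL, or None."""
    params = parse_qs(urlsplit(authorize_url).query)
    values = params.get("redirect_uri")
    return values[0] if values else None


def diagnose(sent_uri, registered):
    """Exact string match, as providers require.

    Returns [] when sent_uri is registered; otherwise a list of differences against
    the closest registered URI, so you can see which part to fix in the dashboard.
    """
    if sent_uri in registered:
        return []
    if not registered:
        return ["no redirect URIs registered"]
    sent = urlsplit(sent_uri)
    best = None
    for reg_uri in registered:
        reg = urlsplit(reg_uri)
        diffs = []
        if sent.scheme != reg.scheme:  # e.g. http vs https
            diffs.append(f"scheme {sent.scheme!r} vs {reg.scheme!r}")
        if sent.netloc != reg.netloc:  # different subdomain or port
            diffs.append(f"host {sent.netloc!r} vs {reg.netloc!r}")
        if sent.path != reg.path:
            if sent.path.rstrip("/") == reg.path.rstrip("/"):
                diffs.append("trailing slash differs")
            else:  # e.g. a framework-added /api/auth/callback/<provider> path
                diffs.append(f"path {sent.path!r} vs {reg.path!r}")
        if sent.query != reg.query:
            diffs.append("query string differs")
        if not diffs:
            diffs.append("differs only in case, encoding or fragment")
        if best is None or len(diffs) < len(best):
            best = diffs
    return best


if __name__ == "__main__":
    sent = extract_redirect_uri(AUTH_REQUEST)
    print("sent:", sent, "->", diagnose(sent, REGISTERED_REDIRECTS) or "exact match")
    for variant in [
        "http://app.example.com/api/auth/callback/google",
        "https://app.example.com/api/auth/callback/google/",
        "https://www.example.com/api/auth/callback/google",
        "https://app.example.com/callback",
    ]:
        print(variant, "->", diagnose(variant, REGISTERED_REDIRECTS))
```

Run it as-is to see each of the classic mismatches reported by name; in your own debugging, paste the `authorize` URL copied from the network tab into `AUTH_REQUEST` and your dashboard entries into `REGISTERED_REDIRECTS`.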
 