GitHub OAuth error
GitHub OAuth callback URL mismatch.
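GitHub OAuth apps have a Homepage URL and an Authorization callback URL. A callback failure in production usually means one of three things is wrong: the Authorization callback URL field, the OAuth app registration that the client ID points to, or the callback URL configured in the production environment.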
Failure stage
GitHub authorize URL sent: the app started OAuth with a client ID.
Failed first: GitHub callback URL comparison or wrong OAuth app registration.
Not reached yet: access token request and GitHub API permissions.
GitHub evidence matrix
| Evidence | Likely cause | First check |
|---|---|---|
| Callback URL field contains site homepage | Homepage/callback confusion | Put the exact callback route in Authorization callback URL. |
| Production app sends localhost callback | Dev callback left in config | Switch environment variables to production callback. |
| Multiple GitHub OAuth apps exist | Wrong client ID in production | Edit the app whose client ID appears in the request. |
| Callback path changed after deployment | Framework route mismatch | Compare app route config with GitHub callback field. |
| www differs from non-www | Canonical host mismatch | Use one production host in app and GitHub settings. |
Bad GitHub setup
Homepage URL:
https://example.com
Authorization callback URL:
http://localhost:3000/auth/github/callback
Production app sends:
https://example.com/auth/github/callback
Corrected pattern
Homepage URL:
https://example.com
Authorization callback URL:
https://example.com/auth/github/callback
This is a pattern: verify the host and callback route against your own environment.
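The evidence matrix can be applied mechanically to a captured authorize URL. The following is an added example, not code from the original page or from GitHub: it extracts `client_id` and `redirect_uri` from the authorize request and classifies how the sent callback differs from the registered field. It does not reproduce GitHub's own comparison logic; the finding names, the `origin-mismatch` catch-all and the client ID value are assumptions made for this example.

```python
from urllib.parse import urlsplit, parse_qs

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Finding -> first check. The first four rows come from the evidence matrix;
# "origin-mismatch" is an added catch-all for other scheme/host/port differences.
CHECKS = {
    "dev-callback": "Switch environment variables to production callback.",
    "www-mismatch": "Use one production host in app and GitHub settings.",
    "homepage-in-callback": "Put the exact callback route in Authorization callback URL.",
    "path-mismatch": "Compare app route config with GitHub callback field.",
    "origin-mismatch": "Confirm the client ID in the request belongs to the app you edited.",
}

def parse_authorize_url(url):
    """Return (client_id, redirect_uri) from the authorize URL the app generated."""
    q = parse_qs(urlsplit(url).query)
    return q.get("client_id", [None])[0], q.get("redirect_uri", [None])[0]

def _bare(host):
    return host[4:] if host.startswith("www.") else host

def diagnose(registered, sent):
    """Compare the registered callback field with the redirect_uri the app sent."""
    r, s = urlsplit(registered), urlsplit(sent)
    rh, sh = r.hostname or "", s.hostname or ""
    findings = []
    if (rh in LOOPBACK) != (sh in LOOPBACK):
        findings.append("dev-callback")      # localhost on exactly one side
    elif rh != sh and _bare(rh) == _bare(sh):
        findings.append("www-mismatch")      # same site, different canonical host
    elif (r.scheme, rh, r.port) != (s.scheme, sh, s.port):
        findings.append("origin-mismatch")
    rp, sp = r.path.rstrip("/"), s.path.rstrip("/")
    if rp == "" and sp != "":
        findings.append("homepage-in-callback")  # bare site URL in the callback field
    elif rp != sp:
        findings.append("path-mismatch")
    return findings

if __name__ == "__main__":
    # Constructed sample: production app, callback field left on localhost.
    url = ("https://github.com/login/oauth/authorize?client_id=CONSTRUCTED_CLIENT_ID"
           "&redirect_uri=https%3A%2F%2Fexample.com%2Fauth%2Fgithub%2Fcallback")
    client_id, sent = parse_authorize_url(url)
    print("edit the OAuth app with client ID:", client_id)
    for f in diagnose("http://localhost:3000/auth/github/callback", sent):
        print(f, "->", CHECKS[f])
```

An empty result means the two URLs agree on origin and path, so the next thing to check is whether the client ID in the request belongs to the app registration you compared against.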
What this is not
- It is not a GitHub token permission issue until GitHub accepts the callback and returns a code.
- It is not fixed by changing repository permissions on the OAuth app.
- It is not the Homepage URL field unless that field was copied into the callback field.
- It is not solved by regenerating the client secret first.