OAuth environment error
OAuth localhost vs production callback mismatch.
This failure happens when the provider dashboard, environment variables, or plugin settings still point at localhost or staging while the live app sends a production callback, or the reverse.
Environment failure stage
OAuth client exists: the app can send an authorization request.
Failed first: callback URL belongs to a different environment.
Not proven yet: provider API permission, token storage, or refresh logic.
Environment matrix
| Evidence | Likely environment mistake | First check |
|---|---|---|
| App sends localhost in production | Development env var deployed | Check production environment variables or plugin saved settings. |
| Provider only has staging URL | Production callback not registered | Add production callback to the production OAuth client. |
| Provider has production but app sends staging | Wrong base URL in app config | Fix site/app URL generation before editing provider settings. |
| Same provider project has dev and prod clients | Wrong client ID for environment | Match client ID, secret, and callback as a set. |
| Cloudflare/proxy changes HTTP to HTTPS externally | App generates internal HTTP callback | Fix trusted proxy/canonical URL settings. |
Bad environment split
Production env:
APP_URL=http://localhost:3000
OAUTH_CLIENT_ID=dev-client-id
Provider production callback:
https://example.com/oauth/callback
Corrected environment pattern
Production env:
APP_URL=https://example.com
OAUTH_CLIENT_ID=production-client-id
Provider production callback:
https://example.com/oauth/callback
Pattern to verify in your environment.
Do this first / not yet
Do this first
- List the dev, staging, and production callback URLs separately.
- Confirm which OAuth client ID the live app is using.
- Fix the app-generated base URL before copying callbacks into every provider project.
Do not do this yet
- Do not mix dev and prod client secrets.
- Do not register localhost on a production client unless the provider and workflow intentionally allow it.
- Do not debug token storage until the callback matches.
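An added example, not part of the original page: a Python check that treats APP_URL, the client ID, and the registered callback as one set, run against the bad and corrected production values shown above. The CLIENTS dictionary, its environment labels, and the function name check_environment are assumptions standing in for what you would copy from the provider dashboard.

```python
from urllib.parse import urlsplit

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample of provider dashboard state (assumption, not real data).
CLIENTS = {
    "dev-client-id": {"environment": "development",
                      "callbacks": ["http://localhost:3000/oauth/callback"]},
    "production-client-id": {"environment": "production",
                             "callbacks": ["https://example.com/oauth/callback"]},
}
# The two production env blocks from the page.
BAD = {"APP_URL": "http://localhost:3000", "OAUTH_CLIENT_ID": "dev-client-id"}
GOOD = {"APP_URL": "https://example.com", "OAUTH_CLIENT_ID": "production-client-id"}


def check_environment(env_name, env, clients, callback_path="/oauth/callback"):
    """Return findings for one deployment, mapped to the environment matrix."""
    findings = []
    base = urlsplit(env["APP_URL"])
    # The callback the app would send, built from its own base URL.
    callback = env["APP_URL"].rstrip("/") + callback_path
    if env_name == "production":
        if base.hostname in LOCAL_HOSTS:
            findings.append("APP_URL is localhost: development env var deployed")
        if base.scheme != "https":
            findings.append("callback generated over http: check proxy/canonical URL")
    client = clients.get(env["OAUTH_CLIENT_ID"])
    if client is None:
        findings.append("client ID not found in the provider project")
        return findings
    if client["environment"] != env_name:
        findings.append(f"client ID belongs to {client['environment']}, not {env_name}")
    # Compared as an exact string, so scheme, host, port and path must all match.
    if callback not in client["callbacks"]:
        findings.append(f"callback {callback} is not registered on this client")
    return findings


if __name__ == "__main__":
    for label, env in (("bad", BAD), ("corrected", GOOD)):
        print(label, check_environment("production", env, CLIENTS) or "ok")
```
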