OAuth error
OAuth redirect_uri_mismatch.
This error means the provider compared the registered callback URL with the app-sent redirect_uri and found a byte-level mismatch before token exchange started.
Failure stage
Authorization request built: the app sent a provider auth URL.
Failed first: provider callback URL comparison.
Not reached yet: authorization code handling, client secret validation, token exchange, and scopes.
Evidence-to-cause matrix
| Evidence | Likely cause | First check |
|---|---|---|
| http:// sent, https:// registered | Scheme mismatch | Fix canonical site URL and provider callback before changing credentials. |
| www.example.com sent, example.com registered | Host mismatch | Pick one production host and make app and provider match exactly. |
| Same path with one extra trailing slash | Path equality mismatch | Copy the app-generated callback into provider settings, or update app config. |
| App sends ?source=oauth | Query string mismatch | Confirm whether the provider requires the query to be registered too. |
| Provider shows callback mismatch before login completes | Redirect comparison failed before token exchange | Do not debug client secret, scopes, or refresh tokens yet. |
Bad input example
Provider dashboard:
https://example.com/oauth/callback
App sends:
http://www.example.com/oauth/callback/
Error:
redirect_uri_mismatch
Corrected pattern
Provider dashboard:
https://example.com/oauth/callback
App sends:
https://example.com/oauth/callback
Pattern to verify in your environment.
What this is not
- It is not usually a client secret problem; the token request has not started.
- It is not fixed by adding every possible callback URL to production without understanding the canonical URL.
- It is not a scope problem unless the provider accepts the redirect and then rejects requested permissions.
- It is not solved by regenerating refresh tokens before the callback URL matches.
Do this first / not yet
Do this first
- Copy the exact app-sent redirect_uri from the authorization URL.
- Compare scheme, host, port, path, trailing slash, and query string.
- Confirm the app is using the production OAuth client, not a staging or localhost client.
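The component-by-component comparison above, written out as an added example (not code from any provider or SDK). It takes the exact app-sent redirect_uri and the registered callback and names the mismatching components in the terms of the evidence-to-cause matrix; the function name and the strict port handling are assumptions.

```python
from urllib.parse import urlsplit

# Added diagnostic, not provider code: report which URL components differ
# between the app-sent redirect_uri and the provider-registered callback.
# Causes are listed in the order a practitioner should check them.

def diagnose_redirect_uri(sent: str, registered: str) -> list[str]:
    """Return mismatch causes; an empty list means a byte-level match."""
    if sent == registered:
        return []
    s, r = urlsplit(sent), urlsplit(registered)
    causes = []
    if s.scheme != r.scheme:
        causes.append(f"Scheme mismatch: sent {s.scheme}://, registered {r.scheme}://")
    if s.hostname != r.hostname:
        causes.append(f"Host mismatch: sent {s.hostname}, registered {r.hostname}")
    if s.port != r.port:
        # .port is None when no port is written; treated strictly here because
        # providers compare the string as registered, so ":443" != omitted port.
        causes.append(f"Port mismatch: sent {s.port}, registered {r.port}")
    if s.path != r.path:
        if s.path.rstrip("/") == r.path.rstrip("/"):
            causes.append("Path equality mismatch: trailing slash differs")
        else:
            causes.append(f"Path equality mismatch: sent {s.path}, registered {r.path}")
    if s.query != r.query:
        causes.append(f"Query string mismatch: sent {s.query!r}, registered {r.query!r}")
    if not causes:
        # Strings differ but every parsed component agrees (for example host
        # letter case or a fragment): still a byte-level mismatch to a provider.
        causes.append("Byte-level mismatch outside scheme/host/port/path/query")
    return causes


if __name__ == "__main__":
    # The page's bad input example: three independent mismatches at once.
    registered = "https://example.com/oauth/callback"
    for cause in diagnose_redirect_uri("http://www.example.com/oauth/callback/", registered):
        print(cause)
```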
Do not do this yet
- Do not regenerate client secrets.
- Do not change token exchange code.
- Do not widen OAuth scopes to solve a callback mismatch.