What is a callback URL?

A callback URL (also called a redirect URI) is the address the OAuth provider sends the user back to after they authorize. It's the return address both sides agree on before the process starts.

The dry cleaning analogy

You drop off clothes at the dry cleaner and leave your phone number. When the clothes are ready, they call you at that number. A callback URL works the same way — your app gives the OAuth provider a URL upfront, and the provider redirects the user back to that URL once authorization is complete.

Why it must match exactly

When you register your app with Google or GitHub, you provide a callback URL like:

http://localhost:5173/oauth/google/callback

Since providers like Google allow multiple registered URLs (e.g. one for localhost, one for production), your app sends a redirect_uri parameter in each authorization request to specify which one to use. The provider checks that it exactly matches one of the pre-registered URLs; if it doesn't, the request is blocked. This prevents attackers from intercepting the authorization code by redirecting to a different site.

Local vs production

You'll typically have two callback URLs:

Environment   Callback URL
Local         http://localhost:5173/oauth/google/callback
Production    https://yourapp.vercel.app/oauth/google/callback

Google lets you register multiple redirect URIs on the same OAuth app.

GitHub allows only one per app, so you'll create a separate OAuth app for production.