A Redirect URI (also called a Callback URL or Reply URL) is a pre-registered, whitelisted web address to which an OAuth 2.0 authorization server sends the user-agent (typically a browser) after a user has granted or denied permission to an application. This URI is where the authorization server delivers the authorization code or access token, enabling the client application to proceed with the authentication or data access process. Its primary function is to prevent open redirection attacks by ensuring that sensitive credentials are only sent to a URI the developer has explicitly declared as trustworthy.
LABS
Glossary
Redirect URI
A Redirect URI is a pre-registered callback URL where an authorization server sends the user-agent back after authentication, carrying the authorization code or tokens.
Chainscore © 2026
definition
OAUTH & SECURITY
What is a Redirect URI?
A Redirect URI is a critical security component in OAuth 2.0 and OpenID Connect protocols, acting as a trusted callback endpoint for authorization flows.
During the OAuth flow, the client application initiates the request by specifying the redirect_uri parameter. The authorization server validates this against its list of pre-registered URIs for that client. If it matches, the server redirects the user back to that exact URI, appending the authorization grant as a query parameter or fragment. For example, a common redirect URI for a web application might be https://app.example.com/auth/callback. This precise matching, including the protocol (https), host, port, and path, is a cornerstone of the protocol's security model, preventing tokens from being intercepted by malicious sites.
There are several types of redirect URIs for different application architectures. Web server applications use URIs pointing to their backend server. Single-page applications (SPAs) and native mobile apps often use loopback IP addresses (e.g., http://localhost:8080/callback) or custom URI schemes (e.g., myapp://callback) for local handling. The choice impacts the flow's security; for instance, the PKCE (Proof Key for Code Exchange) extension is strongly recommended for public clients like SPAs and mobile apps to secure the code exchange even when using a local redirect.
Misconfiguration of the redirect URI is a common source of security vulnerabilities. An attacker can exploit an application that allows arbitrary or poorly validated redirect URIs to steal authorization codes or tokens in a redirect URI manipulation attack. Therefore, developers must register full, exact URIs and avoid using wildcards or incomplete paths unless explicitly supported and understood. The validation must be case-sensitive and consider all URI components to ensure a strict match.
how-it-works
AUTHENTICATION MECHANISM
How a Redirect URI Works in the OAuth 2.0 Flow
A technical breakdown of the Redirect URI's critical role in securely exchanging authorization codes and tokens between an application and an OAuth 2.0 authorization server.
A Redirect URI (also called a Callback URL or Reply URL) is a pre-registered endpoint in a client application that receives the authorization code or access token from an OAuth 2.0 authorization server after a user grants consent. This URI is the secure return address where the authorization server sends the user's browser back to the application, completing the critical handoff of credentials. Its exact match against a pre-configured list on the server is a fundamental security control to prevent authorization code interception attacks, such as those where a malicious actor attempts to redirect the flow to a site they control.
During the standard Authorization Code flow, the client application initiates the process by directing the user's browser to the authorization server's /authorize endpoint, including the redirect_uri as a query parameter. After the user authenticates and approves the requested permissions, the authorization server validates that the provided redirect_uri exactly matches one of the URIs registered for that client. Upon successful validation, the server redirects the user's browser back to this URI, appending either an authorization code (for confidential clients) or an access token (for public clients using the Implicit flow, now largely deprecated) in the URL fragment or query string.
The security implications of the Redirect URI are paramount. The requirement for an exact match—including protocol (http vs https), host, port, and path—mitigates open redirection vulnerabilities. For native or mobile applications, special URI schemes like myapp://callback are used. Developers must also protect against CSRF (Cross-Site Request Forgery) by associating a unique, unguessable state parameter with the initial request and verifying it upon receipt at the redirect URI. Mismanagement of redirect URIs, such as using wildcards incorrectly or failing to enforce HTTPS in production, is a common source of security flaws in OAuth implementations.
In practical deployment, the Redirect URI is where the client application's front-end and back-end components often hand off. The front-end receives the code or token from the URL and typically passes it to the application's back-end server. For the Authorization Code flow, the back-end then exchanges the short-lived authorization code for a secure access token and often a refresh token via a direct, server-to-server POST request to the authorization server's /token endpoint, a step that keeps the tokens hidden from the user's browser and enhances security.
key-features
OAUTH 2.0 & OPENID CONNECT
Key Features of a Redirect URI
A Redirect URI is a critical security component in OAuth 2.0 and OpenID Connect flows, acting as the callback endpoint where authorization servers send users and tokens after authentication.
01
Pre-Registered Endpoint
The Redirect URI must be pre-registered with the authorization server (e.g., Google, MetaMask) during client application setup. This prevents open redirection attacks by ensuring tokens are only delivered to a known, trusted endpoint controlled by the application developer. The server will reject authorization requests with unregistered or mismatched URIs.
02
Exact String Matching
Authorization servers perform exact string matching between the URI in the authorization request and the pre-registered list. This includes the full scheme (https), host, port, and path. Common pitfalls leading to mismatch errors include:
- Trailing slashes (
/) - Incorrect ports
- Using
http://localhostvs.http://127.0.0.1 - Dynamic query parameters in the registered URI.
03
Token & Code Delivery
This URI is the callback endpoint that receives the authorization response. In the Authorization Code flow, it receives a short-lived code. In the Implicit flow (now discouraged), it directly receives the access token and potentially an ID token in the URI fragment (#). The application must extract these credentials securely from the URL.
04
Security Boundary
The Redirect URI defines a critical security boundary. By ensuring tokens are sent only to a pre-registered HTTPS endpoint, it prevents leakage to malicious sites. For native or mobile apps, custom URI schemes (e.g., myapp://callback) or loopback IP addresses are used, as they cannot register standard HTTPS URLs.
05
State Parameter Handling
The Redirect URI endpoint must validate the state parameter returned by the authorization server. This opaque value, sent in the initial request, is used to maintain state between the request and callback, mitigating Cross-Site Request Forgery (CSRF) attacks by ensuring the response is from a legitimate authentication session.
06
Common Types & Examples
Web Application: https://app.example.com/oauth/callback
Local Development: http://localhost:3000/auth/callback
Native Mobile App: Custom scheme like com.example.app://oauth-redirect or exp://127.0.0.1:19000/--/auth/callback.
Public Client (SPA): https://spa.example.com (often the root, as the SPA handles routing).
security-considerations
REDIRECT URI
Security Considerations & Best Practices
A Redirect URI (or Callback URL) is a critical security component in OAuth 2.0 and OpenID Connect flows, specifying the exact location to which an authorization server can send a user (and an authorization code) after authentication. Proper validation is essential to prevent attacks.
01
Definition & Core Purpose
A Redirect URI is a pre-registered, whitelisted URL endpoint to which an authorization server (like an OAuth provider) sends the user's browser after successful authentication, along with an authorization code or access token. Its primary security function is to prevent authorization codes from being delivered to malicious sites, a flaw known as an open redirect attack. The authorization server performs an exact string match between the URI in the authorization request and its pre-registered list.
02
Exact Match Validation
The most critical security practice is exact string matching of the entire Redirect URI. This includes:
- Protocol (
httpsvshttp) - Host (full domain)
- Port (if specified)
- Path (exact path components)
- Query parameters (order may or may not be enforced)
For example, a registered URI of https://app.com/callback must not match https://app.com/callback/ (trailing slash) or http://app.com/callback (insecure protocol). Looser validation can lead to account takeover.
03
Common Attack Vectors
Improper Redirect URI handling enables several high-severity attacks:
- Open Redirectors: If an app has an open redirect endpoint (e.g.,
?redirect=parameter), an attacker can use it as a proxy to receive stolen authorization codes. - Subdomain Takeover: If a wildcard or poorly validated subdomain is registered (e.g.,
*.example.com), an attacker who claims an unused subdomain can intercept tokens. - Client-Side Request Forgery: Malicious JavaScript in a compromised but whitelisted URI can steal tokens from the fragment or query string.
- Native App Schemes: For mobile apps, custom URI schemes (e.g.,
myapp://callback) must be claimed exclusively to prevent hijacking by other installed apps.
04
Best Practices for Implementation
To secure Redirect URIs, developers should:
- Use HTTPS exclusively for web URIs to prevent code interception.
- Register full, specific URIs; avoid wildcards and overly broad paths.
- Implement the Proof Key for Code Exchange (PKCE) flow for public clients (like mobile/SPA apps), which adds a cryptographic challenge that mitigates stolen authorization codes.
- For native apps, use App Links (Android) or Universal Links (iOS) for HTTPS-based callbacks, which are verified via digital asset links.
- Validate state parameters rigorously to maintain session integrity and prevent CSRF.
06
Example: Secure vs. Insecure Registration
Secure Registration:
https://wallet.secureapp.com/oauth/callbackcom.secureapp.mobile://oauth(with proper OS-level claim)
Insecure Registration (Vulnerable):
https://*.app.com/*(Wildcard allows attacker subdomains)http://app.com/callback(Unencrypted protocol)https://app.com/redirect?goto=(Open redirector endpoint)https://app.com(Root domain; any path on the site could be used, like a malicious page uploaded later)
Always register the exact, full endpoint where your application handles the OAuth response.
AUTHENTICATION & AUTHORIZATION
Redirect URI vs. Similar Concepts
A comparison of the Redirect URI with related web and OAuth 2.0 concepts, highlighting their distinct roles in user authentication flows.
| Feature / Concept | Redirect URI | Callback URL | Postback URL | Webhook Endpoint |
|---|---|---|---|---|
Primary Use Case | OAuth 2.0 / OpenID Connect user-agent redirection | General asynchronous operation completion notification | Server-to-server payment or data confirmation | Event-driven, real-time notifications from a service |
Initiation Direction | Client to Authorization Server, then back to Client | Service Provider to Client Application | Third-party (e.g., payment processor) to Merchant Server | Service Provider to Subscriber's Server |
Transport Mechanism | HTTP 302/303 redirect via user's browser | HTTP GET/POST request (often server-to-server) | HTTP POST request (server-to-server) | HTTP POST request (server-to-server) |
Payload Contains | Authorization code or access token in URL query/fragment | Result data or reference ID in request body/parameters | Transaction confirmation data in request body | Structured event data (e.g., JSON) in request body |
User Involvement | Required (flow occurs in user's browser) | Typically none (background server operation) | None | None |
Security Validation | Exact string match against pre-registered URIs | Often uses shared secrets or signature verification | Uses signatures (e.g., HMAC) or IP whitelisting | Uses signatures, tokens, or secret verification |
Common Protocols/Context | OAuth 2.0, OpenID Connect | Generic API callbacks, long-running jobs | Payment gateways (e.g., PayPal IPN), ad networks | SaaS platforms, blockchain oracles, CI/CD systems |
did-auth-context
SECURITY MECHANISM
Redirect URI in Decentralized Identity (DID Auth)
A Redirect URI is a critical security component in Decentralized Identity (DID) authentication flows, acting as a trusted callback endpoint for authorization responses.
A Redirect URI (also called a Callback URL) is a pre-registered, whitelisted web address to which an OpenID Connect (OIDC) or OAuth 2.0 provider, such as a DID Auth service, sends the user back after an authentication or authorization attempt. This mechanism prevents attacks like open redirects by ensuring that sensitive authorization codes or tokens are only delivered to a URI explicitly declared and validated by the Relying Party (RP) or client application during its initial registration with the identity provider.
In a typical DID Auth flow using SIOPv2 (Self-Issued OpenID Provider v2), the Relying Party includes its approved redirect_uri in the Authentication Request. The user's wallet or identity agent, acting as the OpenID Provider, validates that this URI matches one of the client's registered URIs. Upon successful verification, the wallet redirects the user back to this exact URI, appending the authorization response containing the ID Token (a Verifiable Presentation or JWT) in the URL fragment or as a POST response, completing the authentication handshake.
Security best practices mandate that Redirect URIs must use HTTPS in production (with http://localhost allowed for development), be compared using exact string matching, and should not contain wildcards or user-controlled parameters that could facilitate injection attacks. Mismanagement of Redirect URIs is a common vulnerability, so protocols like OAuth 2.0 and frameworks like Solid OIDC enforce strict validation to maintain the integrity of the decentralized authentication process and protect user credentials.
common-misconceptions
OAUTH & SECURITY
Common Misconceptions About Redirect URIs
A Redirect URI is a critical component of OAuth 2.0 and OpenID Connect flows, yet its security implications are often misunderstood. Clarifying these points is essential for robust application security.
01
A Redirect URI is Not Just a URL
A Redirect URI is a pre-registered, exact string match required by the authorization server. It's not merely a domain or a path. Common mistakes include:
- Assuming
https://app.com/callbackandhttps://app.com/callback/are the same (they are not). - Using wildcards incorrectly or where not supported.
- Forgetting that the fragment component (
#) is never sent to the server.
02
It's Not Only for User Redirection
While the user is redirected to this URI, its primary security function is as a binding mechanism. It ensures the authorization code or token is delivered only to a client application the developer has explicitly registered and controls. This prevents attackers from intercepting credentials by using a malicious callback endpoint.
03
Localhost is Valid and Critical for Development
A common misconception is that http://localhost or http://127.0.0.1 are insecure and shouldn't be used. They are explicitly permitted in the OAuth 2.0 RFC and are essential for local development and testing. The security model relies on the loopback interface being accessible only to the local machine.
04
Custom URL Schemes Are Not Inherently Insecure
For native mobile/desktop apps, custom URI schemes (e.g., myapp://callback) are a standard and secure pattern. The misconception is that they are vulnerable. The real risk is scheme hijacking if another app registers the same scheme. Best practice is to use Proof Key for Code Exchange (PKCE) and, on mobile, App Links or Universal Links for stronger validation.
05
The Redirect URI Must Be HTTPS in Production
Using http:// (without TLS) in a production environment is a severe vulnerability, except for loopback URIs. This exposes the authorization code or access token to man-in-the-middle attacks. The authorization server should reject non-HTTPS URians for public clients. This is a non-negotiable requirement for web applications.
06
It's Not a Place for Passing Sensitive Data
The redirect URI query string or fragment should never be used to transmit secrets like client secrets or long-lived tokens. The OAuth flow is designed to pass short-lived authorization codes or tokens in the redirect, which are then exchanged securely server-side. Passing sensitive data directly in the URI can lead to exposure in browser history, logs, and referrer headers.
REDIRECT URI
Frequently Asked Questions (FAQ)
A Redirect URI is a critical component in OAuth 2.0 and OpenID Connect flows, acting as a security mechanism for authorizing applications. This FAQ addresses common developer questions about its purpose, configuration, and security implications.
A Redirect URI (also called a Callback URL or Reply URL) is a pre-registered endpoint in your application that an authorization server, like an OAuth provider, sends the user back to after they grant or deny permission. It works by completing the authorization code flow: after a user authenticates on the provider's site, the server attaches an authorization code (or an access token in the implicit flow) to this URI as a query parameter or fragment. Your application must then exchange this code for an access token. This mechanism prevents credentials from being sent to unintended destinations, forming a core security control. For example, when you "Sign in with Google," you are redirected back to a URI like https://yourapp.com/auth/callback.
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall