Fix Google OAuth (redirect_uri_mismatch)
When you see Error 400: redirect_uri_mismatch, the redirect URI in the request does not match an authorized URI in the Google Cloud Console. Per Google's OAuth 2.0 docs, the value must exactly match: same scheme (https), same case, and no trailing slash.
1. Google Cloud Console
You must set both Authorized redirect URIs and Authorized JavaScript origins. Missing JavaScript origins often cause redirect_uri_mismatch even when the redirect URI is correct.
- Open Google Cloud Console → Credentials.
- Click your OAuth 2.0 Client ID (Web application).
- Authorized JavaScript origins (scroll to this section first): click ADD URI and add your app origin(s):
  - Production / preview: https://orinel.vercel.app (from NEXTAUTH_URL or NEXT_PUBLIC_SITE_URL)
  - Local dev: your dev origin (same host/port as npm run dev), e.g. http://localhost:<port> and http://127.0.0.1:<port> if you use loopback.
  No trailing slash. Use http for local HTTP.
- Authorized redirect URIs: click ADD URI and add this exact value (no trailing slash):
  https://zlmqgjzfdojaizcpyvid.supabase.co/auth/v1/callback
- Click Save. Wait 1–2 minutes, then try again.
2. Supabase Dashboard — Google provider
If you see "Unable to exchange external code", Supabase does not have Google configured. Add the same Client ID and Secret from Google Cloud Console here.
- Open Supabase Dashboard → your project → Authentication → Providers.
- Open Google, enable it, and paste your Client ID and Client Secret from Google Cloud Console (same OAuth client). Save.
3. Supabase Dashboard — URL Configuration
- Go to Authentication → URL Configuration.
- Set Site URL to your app origin (same as NEXTAUTH_URL / deployment URL).
- Under Redirect URLs, add your app callback paths (no trailing slash), e.g. <YOUR_ORIGIN>/auth/callback for each origin you use (production, preview, local dev). The app uses the current browser origin for the redirect when signing in, so whitelist every origin you use.
- Save.
4. Retry
Restart the dev server and try "Continue with Google" again.
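The exact-match rules from steps 1 to 3, as an added example that is not part of the original page or the app's code: a Node.js check that lints the three URL lists before you enter them in the consoles. The origins, the project URL and the shape of the cfg object are constructed placeholders.

```javascript
// Added example: lint the OAuth URL lists against the exact-match rules.
// Every value and the cfg shape are constructed placeholders (assumptions).
const LOOPBACK = new Set(["localhost", "127.0.0.1"]);

// Returns a problem string for a malformed origin, or null if well formed.
function originProblem(value) {
  let u;
  try { u = new URL(value); } catch { return `${value}: not a valid URL`; }
  // u.origin is scheme://host[:port], lower-cased, no path or trailing slash.
  if (value !== u.origin) return `${value}: must be exactly ${u.origin}`;
  if (u.protocol === "http:" && !LOOPBACK.has(u.hostname))
    return `${value}: http is only for local dev, use https`;
  return null;
}

// appOrigins: every origin the app is opened from; supabaseUrl: project URL;
// google / supabase: the lists as currently entered in each console.
function checkOAuthConfig(cfg) {
  const problems = [cfg.supabaseUrl, ...cfg.appOrigins]
    .map((v) => originProblem(v)).filter(Boolean);
  // Google redirects to Supabase, so that callback is what Google must list.
  const googleRedirect = `${cfg.supabaseUrl}/auth/v1/callback`;
  if (!cfg.google.redirectUris.includes(googleRedirect))
    problems.push(`Google redirect URIs: missing ${googleRedirect}`);
  for (const o of cfg.appOrigins) {
    if (!cfg.google.jsOrigins.includes(o))
      problems.push(`Google JavaScript origins: missing ${o}`);
    const cb = `${o}/auth/callback`;
    if (!cfg.supabase.redirectUrls.includes(cb))
      problems.push(`Supabase Redirect URLs: missing ${cb}`);
  }
  return problems;
}

// Constructed sample: trailing slash on the Google redirect URI and a
// missing localhost origin, two of the mistakes the steps warn about.
const sample = {
  appOrigins: ["https://myapp.example", "http://localhost:3000"],
  supabaseUrl: "https://project-ref.supabase.co",
  google: {
    jsOrigins: ["https://myapp.example"],
    redirectUris: ["https://project-ref.supabase.co/auth/v1/callback/"],
  },
  supabase: {
    redirectUrls: ["https://myapp.example/auth/callback",
                   "http://localhost:3000/auth/callback"],
  },
};
console.log(checkOAuthConfig(sample).join("\n") || "no problems found");
```

The comparison is plain string equality on purpose, because the match is exact and a normalizing comparison would hide the trailing slash or case difference.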
Still not working?
"Unable to exchange external code" = Google is not configured in Supabase. Use Authentication → Providers → Google with the same Client ID and Secret as in Google Cloud Console.
- Confirm Authorized JavaScript origins includes every origin you open the app from (production URL and local dev).
- If you added the redirect URI twice, you can leave it or remove the duplicate; both are valid.
- Try an incognito/private window or clear cache, then click "Continue with Google" again.
- In Supabase Dashboard → Authentication → URL Configuration, ensure Site URL and Redirect URLs match NEXTAUTH_URL and your callback routes.