Sign-in works on your machine, but on the real domain Google bounces users to localhost:3000 — or throws redirect_uri_mismatch. This is the most common auth failure in AI-built apps, and the fix lives in three places at once.
The OAuth flow completed — then sent the user to a URL that only exists on the developer’s machine. Classic frozen-at-prompt-time config.
The provider refused before starting: the redirect your app requested isn’t on its allowlist. The production callback was never registered.
Same root cause, different door: reset links are built from the auth layer’s Site URL, which still points at dev.
The cruellest variant — the developer is on localhost, so the bug is invisible until a real user hits it.
When the app was generated, the only URL in existence was the dev preview. Every redirect URI, site URL and callback got set to it — and nothing forces an update at deploy time.
The OAuth provider (Google/GitHub console), your auth layer (Supabase Auth settings), and the app's own environment variables each hold a copy of the redirect URL. Any one still saying localhost breaks the chain.
Sign-in on the dev machine is the happy path. Fresh browser, new device, expired session, reset flow — that's where the frozen config surfaces.
Because Supabase's own Site URL and redirect allowlist is the second gate, and the deployed app's env vars are the third. All three must agree — check them in that order.
Same root cause — those links are built from the Site URL setting. Fix it, then run a real reset end to end in production.
Yes — allowlists take multiple entries; add production alongside localhost rather than replacing it. Just make sure Site URL points at production, since it's the default fallback.
If this guide gets you through, no. If auth has several broken paths at once — resets, sessions, roles — that usually signals wider config drift, which is what the $299 triage maps in 48 hours.
We fix the full auth surface — OAuth, sessions, resets, roles — inside every rescue sprint.
43+ happy clients · rated 4.9/5 · senior engineers on every build