Redirect URI

A redirect URI is an endpoint where Scalekit redirects users post-authentication with the identity provider (IdP). In the Scalekit dashboard, you can configure up to 5 redirect URIs per environment.

Since redirect URIs can be manipulated by unauthorized parties, Scalekit requires pre-registration of all redirect URIs used in login flows. Registration can be done in the Scalekit dashboard.

Redirect URIs that are configured in the Scalekit dashboard must adhere to specific validation rules for security:

| Validation rule | Development environment | Production environment |
| --- | --- | --- |
| Schemes supported | http, https | https |
| localhost | Allowed | Not allowed |
| Wildcard support (*) | Allowed | Not allowed |
| Max URI length | 256 characters | 256 characters |
| Query parameters (yourapp.com/callback?query=value) | Not allowed | Not allowed |
| Fragment component (yourapp.com/callback#fragment=value) | Not allowed | Not allowed |

According to the OAuth 2.0 specification, a redirection URI must be an absolute URI. However, to make development and testing easier, this restriction is slightly relaxed in development environments.

For development, wildcards can simplify testing. However, they must follow these rules:

| Validation rule | Invalid example | Valid example |
| --- | --- | --- |
| Wildcard characters are not allowed as a root-level domain | https://*.com | https://*.acmecorp.com, https://auth-*.acmecorp.com |
| A redirect URI can have only one wildcard character | https://*.*.acmecorp.com | https://*.acmecorp.com |
| Wildcard character must be located in a subdomain within the hostname component | https://acmecorp.*.com | https://*.acmecorp.com |
| Wildcard must be part of the subdomain that is farthest from the hostname component | https://auth.*.acmecorp.com | https://*.auth.acmecorp.com |
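
The rules from both tables, expressed as a pre-registration check you could run over candidate URIs before entering them in the dashboard. This is an added example, not Scalekit's own code: the function names and messages are hypothetical, and it assumes the registered domain is the last two hostname labels (no public suffix list).

```python
from urllib.parse import urlsplit

MAX_URI_LENGTH = 256  # limit from the first table, same in both environments


def wildcard_violations(uri: str, host: str) -> list[str]:
    """Apply the development-only wildcard rules to a URI that contains '*'."""
    if uri.count("*") > 1:
        return ["more than one wildcard"]
    labels = host.split(".")
    idx = next((i for i, label in enumerate(labels) if "*" in label), None)
    if idx is None:
        return ["wildcard outside the hostname"]
    # Assumption: the last two labels are the registered domain (no public
    # suffix list), so the wildcard needs at least two labels to its right.
    if idx >= len(labels) - 2:
        return ["wildcard not in a subdomain"]
    if idx != 0:
        return ["wildcard not in the leftmost subdomain"]
    return []


def redirect_uri_violations(uri: str, env: str) -> list[str]:
    """Return the rules a URI breaks for env 'development' or 'production'."""
    dev = env == "development"
    parts = urlsplit(uri)
    host = parts.hostname or ""
    found = []
    if len(uri) > MAX_URI_LENGTH:
        found.append("longer than 256 characters")
    if parts.scheme not in (("http", "https") if dev else ("https",)):
        found.append("scheme not supported")
    if not host:
        found.append("not an absolute URI with a hostname")
    if "?" in uri:
        found.append("query parameters present")
    if "#" in uri:
        found.append("fragment present")
    if host == "localhost" and not dev:
        found.append("localhost in production")
    if "*" in uri:
        found += wildcard_violations(uri, host) if dev else ["wildcard in production"]
    return found


if __name__ == "__main__":
    # Constructed sample input: wildcard examples taken from the table above.
    for sample in ("https://*.com", "https://*.acmecorp.com", "https://auth.*.acmecorp.com"):
        print(sample, redirect_uri_violations(sample, "development") or "ok")
```

An empty list means the URI passes every rule for that environment; running the same URI against both environments shows which development entries must be replaced before promotion to production.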