Kinde Auth Callback Issue on my domain
Issue Description:
During the authentication flow on a custom domain, users receive the following error on the callback URL:
{"error":"The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."}
Environment:
- Next.js App Router
- @kinde-oss/kinde-auth-nextjs package
- Production deployment on Vercel
Current Setup:
Callback URLs in Kinde dashboard:
http://localhost:3000/api/auth/kinde_callback
https://*.vercel.app/api/auth/kinde_callback
https://domain.com/api/auth/kinde_callback
Debug information shows:
User authentication succeeds
Callback URL receives 307 redirects
Cookie domain set to .domain.com
Environment variables appear correctly set in Vercel
It works on localhost with no issues.
How do I fix that? Where is the error: route.ts? middleware.ts? Vercel setup?
5 Replies
Hello Marcin. Thank you for the detailed debugging summary—it’s very helpful.
Since:
- The flow works locally, and
- Authentication succeeds in production (despite the callback error),
This suggests:
- No code/flow issues (as you noted).
- Unlikely to be a URL mismatch (Kinde’s UI usually flags this explicitly).
Potential root causes:
The error seems to stem from limitations of wildcards [1], combined with potential middleware conflicts and/or Vercel data state [2].
1. Common issues with invalid callback URLs
Have you checked the common issues with invalid callback URLs?
Troubleshoot 'Invalid callback URL' - A common error reported by new users is that they receive an 'invalid callback URL' message when testing their connection. If you get this error, check the following:
- Make sure there are no spaces before or after the callback URL in your Kinde application.
- Ensure the callback URL in your code exactly matches the callback URL in your Kinde application.
- The Client ID in your code must exactly match the Client ID in your Kinde application.
- If you're testing with a cloud hosting solution, such as Vercel, redeploy your application each time you update the environment variables.
Source: https://docs.kinde.com/get-started/connect/callback-urls/
One possible scenario is that you deployed the site and updated certain environment variables later, which is generating this issue, as the "updated" environment variables may be the correct ones. Have you tested that this still does not work after you redeploy your Vercel app with the updated code that works on localhost and the correct environment variables?
2. Limitations with wildcards
From the code you shared, you seem to be using wildcards with your Vercel domain. Here are some notes to keep in mind, and I have highlighted the ones that may apply to your case given the details you shared:
- Root level domains are not allowed (*.com is not allowed).
- Only a single wildcard is allowed per callback (https://*.*.hello.com is not allowed).
- Wildcards are only allowed with http or https URL protocols (*.hello.com, service:jmx:rmi://[host[:port]][urlPath] are not allowed).
- The wildcard has to be in the leftmost subdomain (https://*.hello.com is allowed, https://hello.*.com is not allowed).
- Wildcards with prefixes and suffixes are allowed (https://prefix-*-suffix.hello.com).
- A URL with a valid wildcard will not match a URL with more than one subdomain level in place of the wildcard (https://*.hello.com will not work with https://sub1.sub2.hello.com).
- Certain well-known shared hosting domains require a suffix or prefix for the wildcard (*.vercel.app is not allowed, as this opens up anyone on the Vercel platform to authenticate, but *something.vercel.app is allowed, as this locks callbacks to your team or personal account).
- Wildcards are not supported as part of a URL path (https://sub1.sub2.hello.com/* is not allowed). You can use the post-login redirect (available in several SDKs) to achieve dynamic navigation after authentication.
Source: https://docs.kinde.com/get-started/connect/callback-urls/#wildcard-limitations
In the code you shared, one of your URLs matches a case that is not allowed: https://*.vercel.app/api/auth/kinde_callback. I would suggest changing it to what the highlighted line recommends.
3. Additional recommendation: Using wildcards for production introduces some security risks, so this is suggested for non-production environments only.
We recommend using wildcards only for non-production purposes, as they present increased security risk. A more secure way of managing dynamic wildcards is to integrate with the Kinde Management API and manage them via API calls. There is a dedicated documentation page for this that happens to be focused on Vercel and Next.js. This is the link in case you are not already aware of it and are interested: https://docs.kinde.com/developer-tools/sdks/backend/nextjs-sdk/#working-with-preview-urls Of course, it is up to you and what works for your case. Let me know if these helped so that I can assist you further in case they were not helpful.
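The wildcard rules quoted in the reply above, turned into a checker plus a matcher. This is an added example written for this thread, not Kinde's own matching code; the list of shared-hosting domains whose wildcard label needs a prefix or suffix is an assumption (the docs only name vercel.app), and the sample URLs in the comments are constructed.

```typescript
// Added example, not Kinde's code: checks a registered callback URL against the
// wildcard rules quoted from the docs, then matches a concrete redirect_uri against it.
// Assumption: the docs name only vercel.app as a shared-hosting domain whose wildcard
// label needs a prefix or suffix; any further entry here would be a guess.
const SHARED_HOSTING_DOMAINS = ["vercel.app"];

type Verdict = { ok: true } | { ok: false; reason: string };

function parseUrl(s: string): URL | null {
  try {
    return new URL(s);
  } catch {
    return null;
  }
}

// Apply the documented limitations to one dashboard entry.
function validateCallbackPattern(pattern: string): Verdict {
  const u = parseUrl(pattern);
  if (!u) return { ok: false, reason: "not an absolute URL" };
  const stars = pattern.split("*").length - 1;
  if (stars === 0) return { ok: true }; // plain entry: compared byte for byte, no wildcard rules apply
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    return { ok: false, reason: "wildcards are only allowed with http or https URLs" };
  }
  if (stars > 1) return { ok: false, reason: "only a single wildcard is allowed per callback" };
  if (u.pathname.includes("*") || u.search.includes("*")) {
    return { ok: false, reason: "wildcards are not supported as part of a URL path" };
  }
  const labels = u.hostname.split(".");
  if (labels.findIndex((l) => l.includes("*")) !== 0) {
    return { ok: false, reason: "the wildcard has to be in the leftmost subdomain" };
  }
  if (labels.length < 3) return { ok: false, reason: "root level domains are not allowed" };
  const parent = labels.slice(1).join(".");
  if (SHARED_HOSTING_DOMAINS.includes(parent) && labels[0] === "*") {
    return { ok: false, reason: `*.${parent} would let any ${parent} site complete a login; add a prefix or suffix` };
  }
  return { ok: true };
}

// Decide whether the redirect_uri of an authorization request is covered by one entry.
// Scheme, port and path must be identical; only the hostname may carry the wildcard,
// and the wildcard stands for exactly one DNS label. (Query-string handling is not
// described in the quoted docs, so it is ignored here.)
function matchesCallback(pattern: string, redirectUri: string): boolean {
  if (!validateCallbackPattern(pattern).ok) return false; // an invalid entry matches nothing
  const p = parseUrl(pattern);
  const r = parseUrl(redirectUri);
  if (!p || !r) return false;
  if (p.protocol !== r.protocol || p.port !== r.port || p.pathname !== r.pathname) return false;
  if (!p.hostname.includes("*")) return p.hostname === r.hostname; // exact entry, e.g. https://domain.com/api/auth/kinde_callback
  const [wild, ...rest] = p.hostname.split(".");
  const [first, ...restR] = r.hostname.split(".");
  if (rest.join(".") !== restR.join(".")) return false; // sub1.sub2.hello.com has one label too many for *.hello.com
  const [prefix, suffix] = wild.split("*");
  return first.length > prefix.length + suffix.length && first.startsWith(prefix) && first.endsWith(suffix);
}
```

Two things worth noticing when running it against the thread's setup: the entry https://*.vercel.app/api/auth/kinde_callback is rejected for the shared-hosting reason the docs give, while an exact entry such as https://domain.com/api/auth/kinde_callback matches only a byte-identical scheme, host and path, so a login that started on www.domain.com or over plain http lands on a redirect_uri the server does not know.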
Thank you Nathalay for the explanations. I am not using wildcards in my setup (I just mocked it for posting here publicly).
I am using my full production domain for the setup and just added the full Vercel temp domain as I noticed that it was showing in the logs as one of the domains that the request is coming through. Despite that, I am using my full production domain name in the setup.
Your questions:
- One possible scenario is that you deployed the site, and updated certain environment variables later, which is generating this issue as the "updated" environment variables may be the correct ones. Have you tested that this does not work after you redeploy your Vercel app with the updated code that works in localhost and correct environment variables?
I have created a dedicated debug page where all the Kinde settings are correctly displayed, and the user is logged in and authenticated in Kinde. The users are created in Kinde anyway. The issue seems to be that the callback URL does not have the authenticating cookie and the routing with validated credentials is not happening.
- Make sure there are no spaces before or after the callback URL in your Kinde application.
Checked
- Ensure the callback URL in your code exactly matches the callback URL in your Kinde application.
It is matching exactly. I am using only one callback URL in my code, but I have set up 3 in my Kinde app settings.
- The Client ID in your code must exactly match the Client ID in your Kinde application.
It is matching as the users are created
- If you’re testing with a cloud hosting solution, such as Vercel, redeploy your application each time you update the environment variables.
Yes I am doing that
What else can I provide to get support in resolving this issue?
Failed link:
https://my.domain/api/auth/kinde_callback?code=hYpSCZzexoRyR_Nes6S1xtArY09GG0yh7E6NKHCncqs.HR52pW6Y2whC__tgVfcn2bgJgOOOf5yoF73eO4GlgoU&scope=openid%20profile%20email%20offline&state=c103b40931510f7dcc172dc2663d
This is what I can see in my logs:
✓ Compiled /api/auth/[kindeAuth] in 467ms
GET /api/auth/login?post_login_redirect_url=/chat 307 in 801ms
GET /api/auth/kinde_callback?code=dKf1C--wjyMoGEbZRHAH2jJcr0cSMh_nH7qfYhsa4VM.FW1x4ZZx3KsA014VrpdfYEwREzp4r2YafFwpgJnR9nQ&scope=openid%20profile%20email%20offline&state=f8e9b70da079dd7de526c8604b64 500 in 19ms
It looks like there is a server error when redirecting to the Kinde callback.
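A pre-flight check a route handler could run before the token exchange, to separate the three conditions being discussed in this thread: the browser landing on a host that is not a registered callback, the state cookie never reaching that host because of its Domain attribute, or a stale state from another login attempt. This is an added example, not the kinde-auth-nextjs SDK's code: the cookie name auth_state, the config shape and the sample requests are constructed for illustration, and the check cannot tell which condition, if any, applies to this deployment.

```typescript
// Added example, not the Kinde SDK's code. Assumption: the SDK stores the authorization
// request's state in a cookie; the name "auth_state" used here is made up, as are the
// sample config and requests below.
const STATE_COOKIE = "auth_state";

interface CallbackRequest {
  url: string;          // full URL the browser hit, including ?code=...&state=...
  cookieHeader: string; // raw Cookie header as seen by the route handler
}

interface CallbackConfig {
  registeredCallbacks: string[]; // exact callback URLs registered in the dashboard
  cookieDomain: string;          // Domain attribute the app sets on its auth cookies
}

// Constructed sample config mirroring the thread: one exact production callback,
// cookies scoped to .domain.com.
const SAMPLE_CONFIG: CallbackConfig = {
  registeredCallbacks: ["https://domain.com/api/auth/kinde_callback"],
  cookieDomain: ".domain.com",
};

function parseCookies(header: string): Map<string, string> {
  const out = new Map<string, string>();
  for (const part of header.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out.set(part.slice(0, i).trim(), part.slice(i + 1).trim());
  }
  return out;
}

// RFC 6265 domain matching: a cookie with Domain=.domain.com is sent to domain.com and
// to any subdomain of it, and to nothing else, so it never reaches a *.vercel.app host.
function cookieDomainCovers(cookieDomain: string, host: string): boolean {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Returns human-readable findings; an empty list means nothing obvious is wrong
// before the code is sent to the token endpoint.
function diagnoseCallback(req: CallbackRequest, cfg: CallbackConfig): string[] {
  const findings: string[] = [];
  let url: URL;
  try {
    url = new URL(req.url);
  } catch {
    return ["callback URL is not an absolute URL"];
  }
  const code = url.searchParams.get("code");
  const state = url.searchParams.get("state");
  if (!code) findings.push("no code parameter: the authorization server returned no grant");
  if (!state) findings.push("no state parameter on the callback");

  // 1. Is the URL the browser landed on one of the registered callbacks? The token
  //    endpoint compares redirect_uri byte for byte, so scheme, host and path all count.
  const landed = url.origin + url.pathname;
  if (!cfg.registeredCallbacks.includes(landed)) {
    findings.push(`callback URL ${landed} is not one of the registered callbacks`);
  }

  // 2. Did the browser send the state cookie to this host at all?
  const storedState = parseCookies(req.cookieHeader).get(STATE_COOKIE);
  if (storedState === undefined) {
    findings.push(
      cookieDomainCovers(cfg.cookieDomain, url.hostname)
        ? `state cookie ${STATE_COOKIE} missing although Domain=${cfg.cookieDomain} covers ${url.hostname}; check Secure, SameSite and Path on the cookie and the login step that sets it`
        : `state cookie ${STATE_COOKIE} missing: Domain=${cfg.cookieDomain} does not cover ${url.hostname}, so the browser never sends it here`,
    );
  } else if (state !== null && storedState !== state) {
    // 3. A cookie is present but belongs to a different login attempt.
    findings.push("state parameter does not match the state cookie");
  }
  return findings;
}
```

Feeding it the request URL from the Network tab (the one asked for further down in the thread) and the raw Cookie header shows immediately whether the callback arrived on the production host with its cookie, or on another host that the cookie's Domain attribute and the registered callbacks do not cover.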
Oh, okay. I thought it was a wildcard due to the format, but it is a domain. Can you share the exact redirect_url with the production or live domain instead of the endpoint?
/api/auth/kinde_callback?code=dKf1C--wjyMoGEbZRHAH2jJcr0cSMh_nH7qfYhsa4VM.FW1x4ZZx3KsA014VrpdfYEwREzp4r2YafFwpgJnR9nQ&scope=openid%20profile%20email%20offline&state=f8e9b70da079dd7de526c8604b64
That would be the request URL that you find in the Network tab with the failing call, such as in this example