code.
Why exact-match matters
The portal validates theredirect_uri parameter on every /authorize request against the allowlist registered for your app. Anything not on the allowlist is rejected — the authorize page stops with “This application’s redirect URL is not registered” before any redirect happens, so the code is never sent anywhere.
This is a security feature: if the allowlist weren’t enforced, an attacker could craft a phishing URL that sends the authorization code to their own server. Only a URL you control should be on your list.
How to register yours — self-service, instant
You manage your own redirect URIs on your app page in the Integrations Portal. There’s nothing to email and no Daysync review — a saved URL is enforced immediately.Open your app in the portal
Go to the Integrations Portal, open your application, and find the Redirect URIs section.
Add the URLs you need
Typically one URL per environment:
https://yourapp.com/oauth/daysync/callback(production)https://staging.yourapp.com/oauth/daysync/callback(staging)http://localhost:3000/oauth/daysync/callback(local development)
URL rules
| Rule | Why |
|---|---|
| Use HTTPS in production | Auth codes transmitted in cleartext over HTTP would be vulnerable to network interception |
| Localhost may be HTTP | Development convenience: http://localhost:<port> is fine for local testing |
No fragments (#...) | The browser strips fragments before redirect, so they’d never match |
| Must include the path if the URL has one | https://acme.com and https://acme.com/ are different from https://acme.com/callback |
Common mistakes
'This application's redirect URL is not registered'
'This application's redirect URL is not registered'
Your
/authorize redirect_uri doesn’t match your app’s allowlist character-for-character. Most common causes:- Trailing slash difference
- HTTP vs HTTPS
- URL-encoded (
https%3A%2F%2F…) when it should be plain - Subdomain mismatch (
acme.comregistered,www.acme.comsent)
redirect_uri value you’re sending and compare it against the entry saved on your app page — then add or correct it in the portal.redirect_uri mismatch at the token step
redirect_uri mismatch at the token step
The
redirect_uri in your /api/oauth/token request must be identical to the one you used in the /authorize request that produced the code. A mismatch returns 400 invalid_grant.Wildcard or pattern matching
Wildcard or pattern matching
Wildcards are not supported. If you have many environments, register each URL explicitly.
https://*.yourapp.com/callback will not match anything.Production hygiene
Once your production callback is registered, remove your localhost and Postman callbacks from your app’s Redirect URIs. Each entry is a potential phishing target — fewer entries means a smaller attack surface. Because registration is self-service, you can prune them yourself at any time.

