Redirect URLs
Set up redirect urls with Supabase Auth.
Overview
When using passwordless sign-ins or third-party providers, the Supabase client library methods provide a redirectTo parameter to specify where to redirect the user to after authentication. By default, the user will be redirected to the SITE_URL but you can modify the SITE_URL or add additional redirect URLs to the allow list. Once you've added necessary URLs to the allow list, you can specify the URL you want the user to be redirected to in the redirectTo parameter.
To edit the allow list, go to the URL Configuration page. In local development or self-hosted projects, use the configuration file.
Use wildcards in redirect URLs
Supabase allows you to specify wildcards when adding redirect URLs to the allow list. You can use wildcard match patterns to support preview URLs from providers like Netlify and Vercel.
| Wildcard | Description |
|---|---|
* | matches any sequence of non-separator characters |
** | matches any sequence of characters |
? | matches any single non-separator character |
c | matches character c (c != *, **, ?, \, [, {, }) |
\c | matches character c |
[!{ character-range }] | matches any sequence of characters not in the { character-range }. For example, [!a-z] will not match any characters ranging from a-z. |
The separator characters in a URL are defined as . and /. Use this tool to test your patterns.
Recommendation
While the "globstar" (**) is useful for local development and preview URLs, we recommend setting the exact redirect URL path for your site URL in production.
Redirect URL examples with wildcards
| Redirect URL | Description |
|---|---|
http://localhost:3000/* | matches http://localhost:3000/foo, http://localhost:3000/bar but not http://localhost:3000/foo/bar or http://localhost:3000/foo/ (note the trailing slash) |
http://localhost:3000/** | matches http://localhost:3000/foo, http://localhost:3000/bar and http://localhost:3000/foo/bar |
http://localhost:3000/? | matches http://localhost:3000/a but not http://localhost:3000/foo |
http://localhost:3000/[!a-z] | matches http://localhost:3000/1 but not http://localhost:3000/a |
Netlify preview URLs
For deployments with Netlify, set the SITE_URL to your official site URL. Add the following additional redirect URLs for local development and deployment previews:
http://localhost:3000/**https://**--my_org.netlify.app/**
Vercel preview URLs
For deployments with Vercel, set the SITE_URL to your official site URL. Add the following additional redirect URLs for local development and deployment previews:
http://localhost:3000/**https://*-<team-or-account-slug>.vercel.app/**
Vercel provides an environment variable for the URL of the deployment called NEXT_PUBLIC_VERCEL_URL. See the Vercel docs for more details. You can use this variable to dynamically redirect depending on the environment. You should also set the value of the environment variable called NEXT_PUBLIC_SITE_URL, this should be set to your site URL in production environment to ensure that redirects function correctly.
_18const getURL = () => {_18 let url =_18 process?.env?.NEXT_PUBLIC_SITE_URL ?? // Set this to your site URL in production env._18 process?.env?.NEXT_PUBLIC_VERCEL_URL ?? // Automatically set by Vercel._18 'http://localhost:3000/'_18 // Make sure to include `https://` when not localhost._18 url = url.startsWith('http') ? url : `https://${url}`_18 // Make sure to include a trailing `/`._18 url = url.endsWith('/') ? url : `${url}/`_18 return url_18}_18_18const { data, error } = await supabase.auth.signInWithOAuth({_18 provider: 'github',_18 options: {_18 redirectTo: getURL(),_18 },_18})
Email templates when using redirectTo
When using a redirectTo option, you may need to replace the {{ .SiteURL }} with {{ .RedirectTo }} in your email templates. See the Email Templates guide for more information.
For example, change the following:
_10<!-- Old -->_10<a href="{{ .SiteURL }}/auth/confirm?token_hash={{ .TokenHash }}&type=signup">Confirm your mail</a>_10_10<!-- New -->_10<a href="{{ .RedirectTo }}/auth/confirm?token_hash={{ .TokenHash }}&type=signup"_10 >Confirm your mail</a_10>
Mobile deep linking URIs
For mobile applications you can use deep linking URIs. For example, for your SITE_URL you can specify something like com.supabase://login-callback/ and for additional redirect URLs something like com.supabase.staging://login-callback/ if needed.
Read more about deep linking and find code examples for different frameworks here.
Error Handling
When authentication fails, the user will still be redirected to the redirect URL provided. However, the error details will be returned as query fragments in the URL. You can parse these query fragments and show a custom error message to the user. For example:
_10const params = new URLSearchParams(window.location.hash.slice())_10_10if (params.get('error_code').startsWith('4')) {_10 // show error message if error is a 4xx error_10 window.alert(params.get('error_description'))_10}