Why is matching hosts crucial for redirect_uri in OAuth app development?

Topic summary

Main issue: An OAuth installation error occurs when the redirect_uri’s host does not match the app’s Application URL host configured in Shopify Partners.

Key guidance: Use the authorize URL format https://{storeDomain}/admin/oauth/authorize with client_id, scope, redirect_uri, and state. The redirect_uri must share the same host (domain and port) as the Application URL (e.g., if the app URL is http://localhost:4200/user/auth, the redirect_uri must be on http://localhost:4200).

Clarification: “Host” refers to the domain (and port) portion of the URL. OAuth (authorization flow) requires the callback (redirect_uri) to align with the registered app host for security.

Custom private apps: They do not need the OAuth authorization endpoint. Instead, they use an authentication token generated in Shopify and can request the access token directly, bypassing the OAuth “dance.”

Outcome: The developer with a custom app resolved the issue by requesting the access token without OAuth. The guidance remains for public apps to ensure host matching.

Status: Resolved for the custom app scenario; no outstanding questions identified.

Note: An image attachment was posted but not relevant to the resolution.

Summarized with AI on January 11. AI used: gpt-5.
Oauth error invalid_request: The redirect_uri and application url must have matching hosts

Hi @ksumandeepkaur ,

Probably you have different hosts in your OAuth URL.

The format should be as follows:

https://{storeDomain}/admin/oauth/authorize?client_id={client_id}&scope={scope}&redirect_uri={redirect_uri}&state={state}

where redirect_uri has the same host as your app host provided in the Shopify Partners app setup.

For example, if you run your local env and your application URL in Shopify Partners is:

http://localhost:4200/user/auth

this means you need to provide a redirect URL with the http://localhost:4200 host; otherwise it will not allow you to authorize during application installation.
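The host-matching rule above, as an added example rather than Shopify's own code: it compares scheme, hostname and effective port of the redirect_uri against the registered Application URL before building the authorize URL, and pairs it with a random state value for the callback. The store domain, client_id and scope values are constructed placeholders.

```python
"""Added example (not Shopify's implementation): refuse to build an authorize
URL when redirect_uri does not share the Application URL's host, and generate
and verify the state parameter used on the callback."""
import secrets
from urllib.parse import urlsplit, urlencode


def _effective_port(parts):
    # A missing port means the scheme default (80 for http, 443 for https).
    return parts.port or {"http": 80, "https": 443}.get(parts.scheme)


def same_host(app_url: str, redirect_uri: str) -> bool:
    """True when scheme, hostname and port match; the path may differ.

    This is the "host" the thread talks about: http://localhost:4200/user/auth
    and http://localhost:4200/callback match, localhost:9000 does not."""
    a, r = urlsplit(app_url), urlsplit(redirect_uri)
    return (a.scheme, a.hostname, _effective_port(a)) == (
        r.scheme, r.hostname, _effective_port(r))


def build_authorize_url(store_domain, client_id, scope, redirect_uri,
                        app_url, state):
    """Build https://{storeDomain}/admin/oauth/authorize?... only when the
    redirect_uri host matches the registered Application URL host."""
    if not same_host(app_url, redirect_uri):
        raise ValueError(
            "redirect_uri and application url must have matching hosts")
    query = urlencode({"client_id": client_id, "scope": scope,
                       "redirect_uri": redirect_uri, "state": state})
    return f"https://{store_domain}/admin/oauth/authorize?{query}"


def new_state() -> str:
    # Unguessable per-request value; store it server-side before redirecting.
    return secrets.token_urlsafe(32)


def callback_state_ok(expected: str, received: str) -> bool:
    # Constant-time comparison of the stored state with the one echoed back.
    return secrets.compare_digest(expected, received)
```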

@SIM How do I manage the application URL for a custom private application? I don’t see this anywhere. I’m running on localhost:9000 and I’m of course pointing to the live store which has the fully qualified myshopify.com URL. But the requesting origin and redirect origin are the same (e.g., http://localhost:9000/testShopify and redirect http://localhost:9000/shopifyAuth).

@gwhitworth, why do you want to use the authentication endpoint for a custom private app? Such apps have an authentication token which is generated on Shopify, and you can already use Shopify resources using this token.


@Simon thanks, I ended up tracking this down that I request the access-token without this dance due to the custom app and have since resolved my issue :slightly_smiling_face:
