There are two options for registering redirect URIs with your client credentials. Please note that all redirect URIs for your production credentials must use HTTPS.
Register all redirect URIs fully
This is what is encouraged on the registration form and is what most third parties do. This is the most secure option.
Register just the host name
If the client app is registered with a redirect URI that is just the host name, then any redirect URI at that host can be used. For example, if the following redirect URI is registered: https://thirdparty.com
then all of the following redirect_uri values will work:
- https://thirdparty.com/oauth/callback1
- https://thirdparty.com/callback2
- https://thirdparty.com/anything-else-as-long-as-the-host-is-the-same
However, https://anythingelse.thirdparty.com will not work. You MUST register subdomains as separate URIs.
If you are using the member API and require any changes to your redirect URIs, please contact our Engagement Team.
Please note that the redirect URI is optional in the OAuth code exchange. If a redirect URI is included, it has to exactly match the one that was used in the authorization URL. For more information please see our other FAQs in this category.
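The two registration styles and the code-exchange rule described above can be expressed as a server-side check. This is an added example, not the provider's own code; the function names, the treatment of a path-less registration as "host only", and the port comparison are assumptions.

```python
from urllib.parse import urlsplit

def _origin(uri):
    """Return (scheme, host, port) with scheme and host lower-cased."""
    u = urlsplit(uri)
    return (u.scheme.lower(), (u.hostname or "").lower(), u.port)

def is_host_only(registered):
    """Assumption: a registration with no path, query or fragment is 'just the host name'."""
    u = urlsplit(registered)
    return u.path in ("", "/") and not u.query and not u.fragment

def redirect_allowed(registered, requested):
    """Check one requested redirect_uri against the list of registered URIs."""
    scheme, host, port = _origin(requested)
    if scheme != "https" or not host:      # production credentials: HTTPS only
        return False
    for reg in registered:
        if is_host_only(reg):
            # Compare parsed components, never a string prefix: a prefix test
            # would also accept hosts that merely start with the registered name.
            if (scheme, host, port) == _origin(reg):
                return True
        elif requested == reg:             # full registration: exact match
            return True
    return False

def exchange_redirect_ok(authorization_redirect, exchange_redirect):
    """redirect_uri is optional at code exchange; if sent, it must match exactly."""
    return exchange_redirect is None or exchange_redirect == authorization_redirect

# Constructed sample registrations, using the host from the example above.
HOST_ONLY = ["https://thirdparty.com"]
FULL = ["https://thirdparty.com/oauth/callback1"]

if __name__ == "__main__":
    for uri in ("https://thirdparty.com/callback2",
                "https://anythingelse.thirdparty.com",
                "http://thirdparty.com/callback2"):
        print(uri, redirect_allowed(HOST_ONLY, uri), redirect_allowed(FULL, uri))
```

With a full registration only the exact URI passes, which is why the first option is described as the most secure: the host-only form trusts every path served by that host.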