In OAuth, after authentication completes on the provider side (Google, Apple, GitHub), the provider redirects the user back to your application with an authorization code in the URL. Your application then exchanges that code for an access token. The redirect target is the OAuth callback URL, also called the redirect URI.
The URL must match exactly what you registered in the provider's dashboard: scheme, host, port, path, even the trailing slash. On any mismatch the provider refuses the redirect, which prevents attackers from swapping in their own callback.
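The exact-match rule above, as an added example (not code from any provider or from lrok): a small Python check that compares a presented redirect URI with the registered one as a plain string and reports which component differs. The hostname `app.example.test` and the function names `is_registered` and `explain_mismatch` are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample registration; the hostname is a placeholder.
REGISTERED = frozenset({"https://app.example.test/auth/callback"})


def is_registered(presented: str, registered=REGISTERED) -> bool:
    """Exact string comparison: no prefix match, wildcard or normalisation."""
    return presented in registered


def explain_mismatch(presented: str, registered: str) -> list:
    """List the URL components in which two redirect URIs differ."""
    if presented == registered:
        return []
    p, r = urlsplit(presented), urlsplit(registered)
    diffs = []
    if p.scheme != r.scheme:
        diffs.append(f"scheme: {p.scheme!r} != {r.scheme!r}")
    if p.hostname != r.hostname:
        diffs.append(f"host: {p.hostname!r} != {r.hostname!r}")
    # An explicit default port (":443") is still a different string.
    if p.port != r.port:
        diffs.append(f"port: {p.port!r} != {r.port!r}")
    if p.path != r.path:
        if p.path.rstrip("/") == r.path.rstrip("/"):
            diffs.append("path: trailing slash differs")
        else:
            diffs.append(f"path: {p.path!r} != {r.path!r}")
    if p.query != r.query:
        diffs.append(f"query: {p.query!r} != {r.query!r}")
    if p.fragment != r.fragment:
        diffs.append("fragment differs")
    # urlsplit lower-cases scheme and hostname, so a case-only difference
    # lands here.
    return diffs or ["raw string differs (case or encoding)"]


if __name__ == "__main__":
    reg = "https://app.example.test/auth/callback"
    for candidate in (
        reg,
        reg + "/",
        "http://app.example.test:8080/auth/callback",
        "https://APP.example.test/auth/callback",
    ):
        print(candidate, is_registered(candidate), explain_mismatch(candidate, reg))
```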
Most providers require HTTPS on callback URLs. Apple Sign-In rejects http://localhost outright; Google allows it as a special case but only for non-iOS clients. The safe pattern in 2026 is to tunnel your local dev server through lrok so it has a real cert at a real public hostname.