OAuth testing on localhost results in "redirect_uri must use https"



We are trying to test OAuth integration locally, and getting “The redirect_uri must use https for security reasons.” (http://import2.d.pr/dLph/19NUyAOc). Is there a way to develop OAuth integrations locally without setting up the HTTPS web server?



We have the same issue too - this worked last week using http://localhost:..., but I think a change was silently introduced so that this no longer works. Problem is that I don’t know if we’ll be able to use https here - does anyone know of a workaround?


Guys I’m getting the same issue… How can we develop locally? Do we need to set up an SSL certificate for localhost?



Yes, or you can use any site as a redirect — ex. https://www.hubspot.com


Thanks for the reply. How would that work with the OAuth 2 flow? E.g. the user authorizes our app to use their HS portal. I need to redirect to our app so that I can grab the code parameter from the URL; that’s how I can tell the authorization was successful. What are your thoughts on this? :)


@Tamas_Pal I was referring to your question about how to develop locally and for testing. When you push it live you will need to have an encrypted web server to host your front-end app. While you are building out your tool I would use https://www.hubspot.com and then when you go live you will need to set up your server for production.


This is quite annoying; many OAuth implementations allow non-https redirect URLs for localhost. Using a random https URL as redirect doesn’t really work because then we have to manually grab the parameters to decode them.



You can always create a self-signed certificate for testing purposes. That way you won’t have to manually grab the parameters to decode.


I guess you can go for ngrok. Please check the documentation; you can use localhost over https using tunneling.


May I add another “me too” for bringing back the http exception for localhost? My dev server doesn’t use/need SSL, and there are literally hundreds of OAuth2 providers I’ve used that allow non-SSL for localhost redirects.


I also find this absurd. Google and many other OAuth2 providers allow http:// for localhost. Developers need this to simplify robust solutions with automated test suites etc.


Hi all,

This was recently updated; the OAuth2 redirect URI can now be served over http if the host is localhost. See the details here:
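
The rule stated in the last post (https for any host, plain http only when the host is localhost), written as a server-side `redirect_uri` check. This is an added example, not part of the thread and not HubSpot's code; the function name, the `allow_loopback_ips` option (which goes beyond the thread by also accepting loopback IP literals) and the sample URLs are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit


def redirect_uri_allowed(uri: str, allow_loopback_ips: bool = False) -> bool:
    """Return True if uri is acceptable as an OAuth2 redirect_uri under the
    policy: https for any host, plain http only when the host is localhost."""
    # Reject whitespace, control characters and backslashes outright:
    # URL parsers disagree on how to treat them.
    if any(c.isspace() or ord(c) < 0x20 or c == "\\" for c in uri):
        return False
    try:
        parts = urlsplit(uri)
        host = parts.hostname   # lower-cased, IPv6 brackets stripped
        _ = parts.port          # raises ValueError for a malformed port
    except ValueError:
        return False
    # No userinfo (e.g. "localhost@other-host") and no fragment.
    if not host or parts.username is not None or parts.password is not None:
        return False
    if parts.fragment:
        return False
    if parts.scheme == "https":
        return True
    if parts.scheme != "http":
        return False
    # Exact host match, never a prefix or suffix test.
    if host == "localhost":
        return True
    if allow_loopback_ips:  # assumption: optional extension, off by default
        try:
            return ipaddress.ip_address(host).is_loopback
        except ValueError:
            return False
    return False


# Constructed sample inputs (not taken from the thread).
SAMPLES = [
    "https://app.example.com/oauth/callback",
    "http://localhost:3000/oauth/callback",
    "http://app.example.com/oauth/callback",
    "http://localhost.other.example/oauth/callback",
    "http://localhost@other.example/oauth/callback",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{'accept' if redirect_uri_allowed(url) else 'reject'}  {url}")
```

The check compares the parsed host, not the raw string, so lookalike hosts that merely start with `localhost` are rejected.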