Invalid redirect url (4700) when whitelisting root domain on production sites

I have an app (called Xplan) that uses OAuth authorization, and it is deployed to multiple servers. Each instance of the app has its own subdomain.

There are over a thousand such subdomains, and it is not a static list. When a user on a site tries to authorize, the redirect URL will be specific to that site, something like “”. Adding just “” to the whitelist was enough for OAuth redirection, and it works for our test sites. But today, when I tried to test on our production sites, I’m getting “invalid redirect url” when a user tries to authorize the app unless I give the full domain in the whitelist. That means adding each subdomain separately, which is not feasible.

We raised this issue before for test sites and it has been fixed, but now it happens again for our production sites.

Could you help with this issue? This is impacting our app submission and release.



Thanks for reaching out, and happy to help take a closer look at this for you.

Is it possible to share a screenshot of your production default Redirect URL and Whitelist URLs with me here? In the meantime, could you also ensure that you have the “” as your production redirect URL in your app in the marketplace?

If you have a chance, please also check out this thread:


Hi Will,
Thanks for the information. Yes, we are following what you mentioned here. But even though we did not change anything, we no longer get the 4700 error. Thanks for your help.


Ah, I see! I’m glad to hear it’s working now. 🙂

