Developer Guide

Written by Casper Fenger Jensen • Updated 2026-04-14

How to Use OAuth Callbacks With Localhost HTTPS

Handle OAuth and SSO callback flows in local development with a real HTTPS URL instead of trying to fit providers around plain localhost.

OAuth providers often expect secure redirect URLs, and even when localhost is technically allowed, realistic end-to-end testing usually goes better with a public HTTPS origin. Bore gives the local app that origin without changing the application stack.

oauth callback localhost httpssso local development httpsauth redirect localhost ssl

Install Bore

curl -sL https://bore.dk/install.sh | bash

Good for OAuth and SSO providers

Stable callback URLs reduce setup churn

Works with app and API split architectures

How It Works

Simple local workflow, real HTTPS externally

Step 1

Run the local app and callback handler

Start the local frontend or backend that handles the auth return flow.

Step 2

Expose the callback host with Bore

Use Bore to create a secure public URL for the callback path.

bore up 3000

Step 3

Register the HTTPS redirect URL

Put the Bore hostname and callback path into the provider dashboard.

Step 4

Keep the namespace reserved

Reuse the same callback host when you restart development so provider settings stay valid.

Where Bore Differs

Bore can keep HTTPS on reserved child hosts too

Most tunnel workflows stop at one public hostname. Bore can keep your main app on one HTTPS namespace and reserve a child host like `api.<namespace>.bore.dk` for a second local service.

bore host add <namespace> api
bore host set-port <namespace> api 3001

That matters when frontend and API origins need to stay separate in local development, or when webhook, auth, and admin traffic should not all share one hostname.

FAQ

Common questions

Why use HTTPS for OAuth callbacks in local dev?

It better matches production assumptions, works cleanly with providers that expect secure redirects, and avoids callback URL churn when the host stays stable.

Can Bore help with frontend and API callback splits?

Yes. Bore can keep the app on one hostname and move the API or auth handler to a child host on another local port.

Is this only useful for browser apps?

No. It also helps with server-rendered apps, backend auth handlers, and mobile or desktop auth testing workflows.

Related Guides

More HTTPS development guides

View all guides

How to Test Secure Cookies and Auth Flows in Local Development

Use a real HTTPS origin in development for secure cookies, browser auth behavior, embedded flows, and feature checks that do not behave the same way on plain HTTP localhost.

How to Test Webhooks on Localhost Over HTTPS

Receive webhooks on a local app over HTTPS without opening inbound firewall rules or keeping a manually configured reverse proxy around for development.

How to Expose a Local API Over HTTPS

Put a local API on a real HTTPS URL for browser clients, mobile apps, webhook callbacks, and partner integrations without adding local TLS complexity.

How to Open Localhost on HTTPS From Your Phone or Another Device

Test a local app or API on a phone, tablet, or another laptop over HTTPS without opening your whole machine to the internet or sharing raw LAN URLs.