How to use a wildcard callback_url with the new callback rules



Per the recent changes to OAuth requiring that the callback URLs be whitelisted, our application has now broken because we were overwriting the callback URL.

The problem is that the callback URL is dynamic in our case - the callback URL will be of the format https://{customersubdomain} - i.e., the subdomain part is dynamic and varies from customer to customer.

It’s not really feasible to whitelist every single customer subdomain, nor is it feasible to add new whitelisted URLs as new customers come on board. So is it possible to add a wildcard setting to the whitelisted callback URLs? Or if not, then what am I doing wrong here? How should we be approaching this issue?

Thanks for your help.


The same issue here. We need a solution please.


An approach you could use is to have a single domain that handles authenticating with Twitter and all of your sub apps delegate authentication to the authen site.

So you would register this as your callback URL in the Twitter app settings.

And then when you get a request_token you would use this as your callback URL.{customersubdomain}
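
The delegation approach described above, as an added example that is not part of the original post: the central site builds one callback per customer and, when the user returns, only forwards to a validated customer subdomain so it cannot be used as an open redirector. The host `auth.example.com`, the base domain `example.com`, the `customer` and `sig` query parameters and the `/auth/complete` path are assumptions made for illustration.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed values for this example; none of them come from the thread.
AUTH_CALLBACK = "https://auth.example.com/twitter/callback"  # the single registered URL
CUSTOMER_BASE = "example.com"            # customers live at <label>.example.com
STATE_KEY = b"constructed-demo-key"      # constructed; load from a secret store in practice

# Exactly one lowercase DNS label: no dots, slashes, '@' or other URL syntax.
LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def _tag(label: str) -> bytes:
    """HMAC over the label so the returning request cannot swap customers."""
    return hmac.new(STATE_KEY, label.encode(), hashlib.sha256).hexdigest().encode()


def callback_for(label: str) -> str:
    """Callback URL to send when obtaining a request_token for this customer."""
    if not LABEL_RE.fullmatch(label):
        raise ValueError("invalid customer subdomain")
    query = urlencode({"customer": label, "sig": _tag(label).decode()})
    return f"{AUTH_CALLBACK}?{query}"


def redirect_target(returned_url: str):
    """On the central site: the customer URL to forward to, or None to refuse."""
    query = parse_qs(urlsplit(returned_url).query)
    label = query.get("customer", [""])[0]
    sig = query.get("sig", [""])[0]
    if not LABEL_RE.fullmatch(label):
        return None  # would let the caller pick an arbitrary host
    if not hmac.compare_digest(sig.encode(), _tag(label)):
        return None  # label was changed after we issued the callback
    return f"https://{label}.{CUSTOMER_BASE}/auth/complete"
```
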


Thanks Abraham. I was hoping not to have to do something like that (as it’s yet another site to remember to deploy etc etc etc), but seems that’s the way it will need to go.

Thanks for your help.