From the FAQ:
What’s a placeholder URL? How do I set my callback URL?
In OAuth 1.0a, you’re required to send an explicit oauth_callback value on every request to POST oauth/request_token, regardless of any pre-registered callback you may have associated with your application or if you’re going to be performing out-of-band OAuth (for which you’d provide an oauth_callback=oob value).
When you create or edit your application on dev.twitter.com, you need to choose which kind of OAuth authentication you’ll be using: standard callback-based OAuth, out-of-band mode OAuth (also known as “PIN-code OAuth” & “OOB OAuth”), or xAuth.
If you’re exclusively using out-of-band OAuth or xAuth, you want to leave the “Callback URL” field empty. By doing so, your application will not allow for callback-based OAuth to be performed.
If you’ll be using callback-based OAuth, you want to provide the “Callback URL” field with a fully qualified “placeholder” URL. This URL does not have to be the actual oauth_callback value you’ll send on oauth/request_token, but it does need to represent a HTTP or HTTPS-based URL with a TLD we recognize. If you know you’ll be performing callback-based OAuth, consider just providing a URL to your home page.