# How to register a callback endpoint

In a user's authentication flow, the callback endpoint is the endpoint of your application that Scalekit has on record, trusts, and sends the authentication grant (code) to. Scalekit then expects your application to exchange the code for a user token and user profile.

The callback endpoint must be pre-registered in the Scalekit dashboard.

Go to **Dashboard** > **Authentication** > **Redirect URLS** > **Allowed Callback URLs** and add the callback endpoint.

![](@/assets/docs/allowed-callback-url/allowed-callback-url.png)

Your redirect URIs must meet specific requirements that vary between development and production environments:

| Requirement | Development | Production |
| ----------- | ----------- | ---------- |
| Supported schemes | <span class="icon-text">`http` `https` `{scheme}`</span> | <span class="icon-text">`https` `{scheme}`</span> |
| Localhost support | <span class="icon-text">Allowed</span> | <span class="icon-text">Not allowed</span> |
| Wildcard domains | <span class="icon-text">Allowed</span> | <span class="icon-text">Not allowed</span> |
| URI length limit | 256 characters | 256 characters |
| Query parameters | <span class="icon-text">Not allowed</span> | <span class="icon-text">Not allowed</span> |
| URL fragments | <span class="icon-text">Not allowed</span> | <span class="icon-text">Not allowed</span> |

Wildcards can simplify testing in development environments, but they must follow specific patterns:

| Validation rule                                                                     | Examples                                                                                                                                                                                                          |
| ----------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Wildcards cannot be used as root-level domains                          | <div style="display: inline-flex; align-items: center; gap: 0.5rem;">`https://*.com`</div> <div style="display: inline-flex; align-items: center; gap: 0.5rem;">`https://*.acmecorp.com`</div> <div style="display: inline-flex; align-items: center; gap: 0.5rem;">`https://auth-*.acmecorp.com`</div> |
| Only one wildcard character is allowed per URI                                 | <div style="display: inline-flex; align-items: center; gap: 0.5rem;">`https://*.*.acmecorp.com`</div> <div style="display: inline-flex; align-items: center; gap: 0.5rem;">`https://*.acmecorp.com`</div>                                                                            |
| Wildcards must be in the hostname component only     | <div style="display: inline-flex; align-items: center; gap: 0.5rem;">`https://acmecorp.*.com`</div> <div style="display: inline-flex; align-items: center; gap: 0.5rem;">`https://*.acmecorp.com`</div>                                                                  |
| Wildcards must be in the outermost subdomain | <div style="display: inline-flex; align-items: center; gap: 0.5rem;">`https://auth.*.acmecorp.com`</div> <div style="display: inline-flex; align-items: center; gap: 0.5rem;">`https://*.auth.acmecorp.com`</div>                                                        |

**Caution:** According to the <a href="https://tools.ietf.org/html/rfc6749#section-3.1.2" target="_blank">OAuth 2.0 specification</a>, redirect URIs must be absolute URIs. For development convenience, Scalekit relaxes this restriction slightly by allowing wildcards in development environments.
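
A pre-flight check that applies the requirements and wildcard rules from the two tables above to a candidate callback URL before you add it in the dashboard. This is an added example, not Scalekit's code or API. The function name, the environment strings, the set of hosts treated as localhost, and accepting a wildcard anywhere inside the leftmost label (such as `auth-*`) are assumptions, and the root-level check counts labels instead of consulting a public suffix list.

```python
from urllib.parse import urlsplit

MAX_LEN = 256                                   # URI length limit from the table
LOOPBACK = {"localhost", "127.0.0.1", "::1"}    # assumption: hosts treated as localhost


def check_redirect_uri(uri: str, env: str) -> list:
    """Return the rules `uri` violates for env 'development' or 'production'."""
    prod = env == "production"
    parts = urlsplit(uri)
    host = parts.hostname or ""
    errors = []
    if not parts.scheme:
        errors.append("not an absolute URI")
    if len(uri) > MAX_LEN:
        errors.append("longer than 256 characters")
    if "?" in uri:
        errors.append("query parameters are not allowed")
    if "#" in uri:
        errors.append("URL fragments are not allowed")
    if prod and parts.scheme == "http":
        errors.append("http is not allowed in production")
    if prod and host in LOOPBACK:
        errors.append("localhost is not allowed in production")
    if "*" in uri:
        labels = host.split(".")
        if prod:
            errors.append("wildcards are not allowed in production")
        if uri.count("*") > 1:
            errors.append("only one wildcard is allowed per URI")
        if "*" not in host:
            errors.append("wildcard must be in the hostname")
        elif "*" not in labels[0]:
            errors.append("wildcard must be in the outermost subdomain")
        elif len(labels) < 3:
            # Simplification: a label count, not a public suffix list lookup.
            errors.append("wildcard cannot be a root-level domain")
    return errors


if __name__ == "__main__":
    # Constructed sample URIs; the wildcard ones reuse the page's acmecorp.com patterns.
    for uri in ("https://app.acmecorp.com/callback", "http://localhost:3000/callback",
                "https://*.acmecorp.com/callback", "https://*.com",
                "https://auth.*.acmecorp.com", "https://app.acmecorp.com/cb?next=/"):
        for env in ("development", "production"):
            print(f"{env:<12} {uri:<40} {check_redirect_uri(uri, env) or 'ok'}")
```

Running the same list against both environments shows which development entries would need to be replaced with exact `https` URLs before moving to production.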