Redirect URLs

Redirect URL validation is a critical part of securing your application during Trinsic redirection flows. This guide explains how our platform validates redirect URLs, including support for wildcards, query parameters, and best practices for defining allowed redirects.

What Is a Redirect URL?

A redirect URL is the destination your application sends users to after completing a redirect-based verification. To prevent abuse, applications must maintain a list of trusted redirect URLs and validate incoming requests against this list. You can manage this list on your Trinsic Dashboard.

Rules for Valid Redirect URLs

To be considered valid, a redirect URL must:

  • Be a fully qualified URI (e.g., https://example.com/callback)
  • Include a valid scheme (e.g., https://, deeplink-scheme://, etc.)
  • Not be blank or consist only of wildcards
  • Optionally use wildcards in approved ways (see below)

Wildcard Support

You can use wildcards in your allowlist to support dynamic subdomains and flexible path segments. Wildcards are only supported in two contexts:

Subdomain Wildcards

Use *.example.com to allow any subdomain under a base domain.

Example

Allowed Redirect         Matches?
https://*.example.com    https://login.example.com
                         https://abc.def.example.com
                         https://example.com

  • The wildcard must be the first part of the domain (e.g., *.example.com)
  • The scheme (https://) is still required
  • It will not match the root domain (use example.com explicitly if needed)

Path Segment Wildcards

Use * within the path to allow variable path segments.

Example

Allowed Redirect                           Matches?
https://example.com/*                      https://example.com/123
                                           https://example.com/callback
https://example.com/*/callback             https://example.com/path/callback
                                           https://example.com/path/path2/callback
                                           https://example.com/callback
https://*.example.com/*/callback?token=    https://auth.example.com/123/callback?token=abc

  • A * matches a single path segment
  • Use multiple wildcards to match deeper paths
  • Query parameters are supported (see below)

Query Parameter Matching

Redirect URLs can optionally include query parameters in the allowlist.

  • If the rule contains no query parameters, any query parameters on the incoming URL will match
  • If the rule contains query parameters, the incoming URL must include at least the same keys
  • Values are not validated (they can differ)

Example

Allowed Redirect                          Matches?
https://example.com/callback              https://example.com/callback?state=123
https://example.com/callback?state=       https://example.com/callback
https://example.com/callback?state=&x=    https://example.com/callback?state=1&x=2
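
The three matching rules above (subdomain wildcard, single-segment path wildcard, query keys) combined into one check, as an added Python example. This is not Trinsic's implementation: the function names, the choice to let *. cover multi-level subdomains, the port comparison and the rejection of dot segments are assumptions made here.

```python
from urllib.parse import urlsplit, parse_qs

def _host_ok(rule_host, host):
    if rule_host.startswith("*."):
        # Assumption: "*." covers one or more subdomain labels. The bare
        # base domain never matches, as the page states.
        suffix = rule_host[1:]                      # e.g. ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == rule_host

def _path_ok(rule_path, path):
    rule_segs = rule_path.strip("/").split("/")
    segs = path.strip("/").split("/")
    if len(rule_segs) != len(segs):                 # "*" is exactly one segment
        return False
    for r, s in zip(rule_segs, segs):
        # Added hardening (not from the page): "*" never accepts an empty
        # or dot segment, which a client could normalise to another path.
        if r == "*" and s in ("", ".", ".."):
            return False
        if r != "*" and r != s:
            return False
    return True

def _query_ok(rule_query, query):
    # Keys only, values may differ; a rule without a query accepts any query.
    rule_keys = set(parse_qs(rule_query, keep_blank_values=True))
    return rule_keys <= set(parse_qs(query, keep_blank_values=True))

def is_allowed(url, allowlist):
    try:
        u = urlsplit(url)
        u_port = u.port
    except ValueError:                              # malformed host or port
        return False
    for rule in allowlist:
        r = urlsplit(rule)
        # Compare the parsed hostname and port, never the raw string prefix.
        if (u.scheme and r.scheme == u.scheme and r.port == u_port
                and _host_ok(r.hostname or "", u.hostname or "")
                and _path_ok(r.path, u.path)
                and _query_ok(r.query, u.query)):
            return True
    return False

# Constructed allowlist, reusing the patterns from the tables above.
ALLOWLIST = ["https://*.example.com/*/callback?token=",
             "https://example.com/*/callback",
             "https://example.com/callback?state=&x="]
```

Comparing parsed components rather than string prefixes is what keeps a host such as evilexample.com from satisfying *.example.com.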

Tips for Defining Secure Redirect URLs

  • Always use HTTPS in production environments.
  • Avoid overly broad wildcards. A rule consisting of * alone is not accepted.
  • Be as specific as possible in your allowlist.
  • When using subdomain wildcards, verify the base domain is under your control.
  • Prefer exact matches for sensitive flows.

Need Help?

If you're unsure how to configure your redirect URLs or want guidance on secure patterns for your application, contact your account representative or reach out to Trinsic Support.