This issue is related to using a custom IP address locally with Ory, specifically when using 127.0.0.1:3000. The error message you're encountering suggests a mismatch between the redirect URI used in the authorization request and the one used in the token exchange request. This is a common problem when working with OAuth2 flows locally. To address this issue, consider the following points: 1. Consistent use of localhost or 127.0.0.1: As mentioned in the [Getting Started guide](https://www.ory.sh/docs/getting-started/local-development#local-development), it's important to use either

localhost

or

127.0.0.1

consistently, but not both interchangeably. The guide states: "Your local machine is usually available on both

localhost

and

127.0.0.1

. For the browser these two domains are different domains. Cookies set on

localhost

will not be sent in requests to

127.0.0.1

and vice versa. If you encounter cookie issues, make sure that all of your requests are sent to

localhost

and not

127.0.0.1

." 2. Correct configuration of redirect URIs: Ensure that the redirect URI you're using in your OAuth2 client configuration matches exactly with the URI you're using in your requests. If you're using 127.0.0.1:3000, make sure this exact URI is listed in the allowed redirect URIs for your OAuth2 client. 3. Use of Ory Tunnel: Consider using the Ory Tunnel for local development. As described in the [Getting Started guide](https://www.ory.sh/docs/getting-started/local-development#local-development), you can use the Ory CLI Tunnel to expose Ory APIs on your localhost domain:

ory tunnel --dev --project $PROJECT_SLUG <http://localhost:3000>

This will open port 4000 on your local machine, and you should then use

<http://localhost:4000>

for your Ory API calls. 4. Check OAuth2 client configuration: Review your OAuth2 client configuration to ensure the redirect URIs are correctly set. You can use the Ory CLI to check and update the configuration if needed, as mentioned in the [Run your own OAuth2 Server guide](https://www.ory.sh/run-oauth2-server-open-source-api-security/#perform-oauth2-authorization-code-flow-and-openid-connect). If you continue to face issues after applying these suggestions, you may need to review your specific OAuth2 flow implementation and ensure all parameters are correctly set in both the authorization request and the token exchange request.

Based on your statement that the redirect URLs are set properly, it seems you've already checked and confirmed that aspect of your configuration. However, the issue you're experiencing might still be related to how these URLs are being used or interpreted in your OAuth2 flow. Let's explore some other potential causes and solutions: 1. Consistent URL usage: Even if the redirect URLs are set correctly, it's crucial to use them consistently throughout your OAuth2 flow. As mentioned in the [Social sign-in troubleshooting guide](https://www.ory.sh/docs/troubleshooting/troubleshooting-social-sign-in), ensure that the

redirect_uri

query parameter in the URL matches exactly with the authorized redirect URI added to the OAuth2 client configuration. 2. Check for URL encoding issues: Sometimes, issues can arise due to improper URL encoding. Make sure that your redirect URIs are properly encoded when used in requests. 3. Verify OAuth2 client configuration: Double-check your OAuth2 client configuration using the Ory CLI. As mentioned in the [Hydra FAQ](https://www.ory.sh/docs/hydra/faq), you can use the following command to view your client configuration:

ory get oauth2-client {client.id}

This will show you the entire client configuration, including the authorized redirect URIs. 4. Check for cookie issues: As mentioned in the [Local development guide](https://www.ory.sh/docs/getting-started/local-development#local-development), cookie handling can be tricky when using localhost. Make sure you're consistently using either

localhost

or

127.0.0.1

, but not both interchangeably. 5. Use Ory Tunnel for local development: If you're not already doing so, consider using Ory Tunnel for local development. The [Getting Started guide](https://www.ory.sh/docs/getting-started/integrate-auth/react#run-ory-apis-on-localhost) explains how to set this up:

npx @ory/cli tunnel --dev <http://localhost:3000>

This will expose Ory APIs on

<http://localhost:4000>

, which can help avoid some common local development issues. 6. Check for CSRF issues: If you're still experiencing problems, it could be related to CSRF protection. The [CSRF troubleshooting guide](https://www.ory.sh/docs/troubleshooting/csrf) might be helpful in this case. If you've already verified all of these points and are still encountering issues, it might be helpful to review the exact error message you're receiving and the specific steps in your OAuth2 flow where the error occurs. This could provide more clues about what might be going wrong.