Each ephemeral branch gets a unique project ref, so each branch has a unique OAuth callback URL. OAuth providers require exact-match registration for callback URIs. The OAuth 2.1 spec and RFC 9700 require exact string matching on redirect URIs, so no provider supports wildcards here. In practice this means every ephemeral branch requires manually registering a new callback URL at every OAuth provider, then removing it on branch deletion. For any project using social login, this makes ephemeral branching unusable.

The Hop 2 redirect (Supabase > your app) already supports wildcards. The problem is Hop 1 (provider > Supabase), where the callback domain changes per branch.

Requested solution: Route branch OAuth callbacks through the parent project's stable callback URL, using the state parameter to identify and route to the correct branch's GoTrue instance. One registered URL, every branch works, no provider-side config needed.

The user highlights a challenge with ephemeral branches in Supabase, where each branch requires a unique OAuth callback URL due to exact-match requirements by OAuth providers. This necessitates manual registration and removal of URLs for each branch, making social login impractical. The user suggests routing branch OAuth callbacks through a stable parent project URL to simplify this process.
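
The routing step the request describes, as an added sketch in Go; it is not Supabase or GoTrue code. `SignState` and `RouteCallback` are hypothetical names, and the HMAC-signed state format, the branch allowlist and the `https://<ref>.supabase.co/auth/v1/callback` URL shape are assumptions. Because the parent would forward an authorization code based on `state`, the branch ref is only trusted after the signature verifies and the ref matches a known branch.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

var b64 = base64.RawURLEncoding

func mac(key []byte, payload string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(payload))
	return m.Sum(nil)
}

// SignState binds the branch ref and a per-login nonce into the OAuth state value.
func SignState(key []byte, branchRef, nonce string) string {
	payload := b64.EncodeToString([]byte(branchRef + "|" + nonce))
	return payload + "." + b64.EncodeToString(mac(key, payload))
}

// RouteCallback runs on the parent's registered callback URL and returns the
// branch URL to redirect to, or an error if state is forged or the ref unknown.
func RouteCallback(key []byte, branches map[string]bool, state, code string) (string, error) {
	payload, sig, _ := strings.Cut(state, ".")
	got, err := b64.DecodeString(sig)
	if err != nil || !hmac.Equal(got, mac(key, payload)) { // constant-time compare
		return "", errors.New("bad state signature")
	}
	raw, err := b64.DecodeString(payload)
	ref, _, _ := strings.Cut(string(raw), "|")
	if err != nil || !branches[ref] { // allowlist: never build a host from an unknown ref
		return "", errors.New("unknown branch ref")
	}
	q := url.Values{"code": {code}, "state": {state}}
	// Assumed branch callback shape: https://<ref>.supabase.co/auth/v1/callback
	return "https://" + ref + ".supabase.co/auth/v1/callback?" + q.Encode(), nil
}

func main() { // constructed key, branch ref, nonce and code
	key, known := []byte("constructed-demo-key"), map[string]bool{"branchref123": true}
	fmt.Println(RouteCallback(key, known, SignState(key, "branchref123", "n0nce"), "authcode"))
}
```

The authorization code stays bound to the redirect URI sent in the authorization request, so the branch would have to redeem it using the parent's callback URL and client credentials. The nonce in the state still needs a one-time check against the browser session on the branch side.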