How to fix n8n OAuth callback URL returning 401
Three causes of the n8n OAuth callback 401 and the exact fixes: WEBHOOK_URL mismatch, stale credentials after a domain change, and X (Twitter) OAuth1/OAuth2 endpoint confusion.
TL;DR: n8n OAuth callback 401 means the redirect URI in your OAuth app doesn't match what n8n generates; copy the exact URL from n8n's credential screen and register it in your OAuth provider's allowed redirect URIs.
The 401 blocks every workflow that uses the affected credential - Google, X (Twitter), Zoho, HubSpot, and any other OAuth-protected service. The error appears either on the credential test or the first workflow run. The underlying cause is almost always a redirect URI mismatch, not an expired token. The Automation Error Index tracks this under the n8n credentials category.
What causes the n8n OAuth callback URL to return 401?
n8n generates a callback URL of the form https://<your-n8n-host>/rest/oauth2-credential/callback. When you authenticate, your OAuth provider redirects the user to this URL with an authorization code. If the URL n8n presents during the OAuth flow doesn't exactly match the one registered in your OAuth app, the provider rejects the exchange and returns 401.
Three things cause the mismatch:
- Wrong base URL in n8n's environment. If N8N_HOST, WEBHOOK_URL, or N8N_PROTOCOL are set to localhost or an internal IP, n8n constructs the callback using that address - even when requests arrive from the public internet. The provider sees a URL starting with http://localhost and refuses it.
- Stale credential after a URL change. n8n locks the OAuth redirect URL inside the credential at creation time. If you later change your domain, switch from HTTP to HTTPS, or move from port 5678 to port 443, the old URL is baked into the credential. There is no edit button - the old redirect URI stays locked until you delete and recreate the credential.
- Redirect URI not registered in the OAuth app. Each OAuth provider (Google Cloud Console, X Developer Portal, Zoho API Console) requires you to explicitly allowlist every redirect URI. If you never added n8n's callback URL, the provider rejects all redirect attempts regardless of what n8n sends.

How do you fix the n8n OAuth 401 from a redirect URI mismatch?
- Open the n8n credential. In n8n, go to Credentials, find the affected credential, and open it. n8n shows the exact OAuth Redirect URL it will use - copy it verbatim.
- Add that URL to your OAuth app. In your provider's developer console, open the OAuth app and add the copied URL to the list of authorized redirect URIs. For Google: Google Cloud Console → APIs & Services → OAuth 2.0 Client IDs → Authorized redirect URIs. For X: Developer Portal → App → User authentication settings → Callback URI.
- Save and re-test the credential in n8n. Use the Connect button on the credential screen. If the OAuth flow completes, the 401 is resolved.
How do you fix the OAuth 401 when the URL was correct but your n8n host changed?
There is no way to update the redirect URL in an existing n8n credential. Once created, the URL is frozen in the credential's stored state.
To fix it:
- First, correct your n8n environment variables. Set N8N_HOST to your public domain (e.g. n8n.example.com), N8N_PROTOCOL=https, and WEBHOOK_URL=https://n8n.example.com/ in your docker-compose.yml or .env file. Restart n8n.
- Delete the old credential entirely.
- Create a new credential of the same type. n8n generates a fresh callback URL using the new N8N_HOST and N8N_PROTOCOL values.
- Update your OAuth app's authorized redirect URIs with the new URL.
- Reconnect and test the credential.

Note: any workflows that referenced the deleted credential will show a "credential not found" error. Re-link them to the new credential from the workflow's credential selector.
How do you fix the n8n OAuth 401 on X (Twitter) specifically?
X's OAuth implementation has caused a persistent 401 for n8n users because X requires http://localhost:5678 as the callback for local dev, but also requires HTTPS for production. The GitHub issue #12114 confirmed this is a redirect URI registration problem, not a bug in n8n's OAuth library.
The fix: in your X Developer Portal app settings, add both http://localhost:5678/rest/oauth2-credential/callback (for local) and https://<your-domain>/rest/oauth2-credential/callback (for production) as allowed callback URIs. X accepts multiple URIs. Use the one that matches your current n8n instance's URL.
For a broader look at n8n setup and environment configuration, see self-hosting n8n on a VPS, which covers the env vars, nginx proxy, and HTTPS setup that prevent callback URL mismatches from the start. If you're seeing other n8n authentication errors, the n8n ECONNREFUSED fix covers network-level credential failures.
FAQ
Why does n8n OAuth return 401 instead of 400 on a redirect URI mismatch?
Some providers return 401 Unauthorized on a mismatch (treating the request as an unrecognized client), while others return 400 Bad Request. n8n surfaces whatever status the provider sends. For redirect URI mismatches specifically, both 400 and 401 are common depending on the provider; the fix is the same for both.
How do I find the OAuth callback URL n8n is generating?
Open the credential in n8n. Before clicking the Connect button, n8n displays the full OAuth Redirect URL in the credential form - it looks like https://<host>/rest/oauth2-credential/callback. Copy this exact string and register it in your OAuth app.
Can I edit the redirect URL inside an existing n8n credential?
No. n8n locks the redirect URL when the credential is created, based on the environment's N8N_HOST and N8N_PROTOCOL values at that time. To change it, delete the credential and recreate it after updating those environment variables.
What environment variables control the OAuth callback URL in n8n?
Three variables determine the callback URL: N8N_HOST (your public domain), N8N_PROTOCOL (http or https), and WEBHOOK_URL (the full public base URL, including trailing slash). If WEBHOOK_URL is set, it takes precedence over N8N_HOST and N8N_PROTOCOL for constructing callback URLs.
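The precedence rule above, combined with the exact-match requirement, can be checked before you touch the provider console. The script below is an added example, not n8n's own code: it derives the callback URL a new credential would get from the environment and reports which URL component differs from each registered redirect URI. The N8N_PORT fallback, the defaults for unset variables, and all sample values are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

CALLBACK_PATH = "rest/oauth2-credential/callback"  # OAuth2 path given on this page

def callback_url(env):
    """URL a new credential would get; WEBHOOK_URL wins over host/protocol."""
    base = env.get("WEBHOOK_URL")
    if not base:
        proto = env.get("N8N_PROTOCOL", "http")   # assumed default
        host = env.get("N8N_HOST", "localhost")   # assumed default
        port = env.get("N8N_PORT", "5678")        # assumption: not named on the page
        standard = {"http": "80", "https": "443"}.get(proto)
        base = f"{proto}://{host}" + ("" if port == standard else f":{port}")
    return base.rstrip("/") + "/" + CALLBACK_PATH

def is_internal(host):
    """True for localhost and for loopback or private IP literals."""
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name, not an IP literal
    return ip.is_private or ip.is_loopback

def diagnose(env, registered):
    """Return (url, findings); an empty findings list means an exact match."""
    url = callback_url(env)
    got = urlsplit(url)
    findings = []
    if is_internal(got.hostname or ""):
        findings.append("internal-host")
    if url not in registered:  # providers compare the full string
        for uri in registered:
            reg = urlsplit(uri)
            diff = [f for f in ("scheme", "hostname", "port", "path")
                    if getattr(got, f) != getattr(reg, f)]
            findings.append(f"mismatch {uri}: {','.join(diff)}")
        if not registered:
            findings.append("no-redirect-uri-registered")
    return url, findings

# Constructed sample values, not taken from a real deployment.
STALE_ENV = {"N8N_HOST": "localhost", "N8N_PROTOCOL": "http"}
FIXED_ENV = {"WEBHOOK_URL": "https://n8n.example.com/", "N8N_HOST": "localhost"}
REGISTERED = ["https://n8n.example.com/rest/oauth2-credential/callback"]

if __name__ == "__main__":
    for env in (STALE_ENV, FIXED_ENV):
        print(*diagnose(env, REGISTERED))
```

A registered URI that differs only by a trailing slash shows up as a path mismatch, which is the kind of near-miss that is hard to spot by eye.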
Does this fix apply to OAuth 1.0 services in n8n too?
Yes. OAuth 1.0 (used by older X/Twitter integrations) also relies on a callback URL that must match exactly. The OAuth 1.0 callback URL in n8n follows the same pattern: <WEBHOOK_URL>/rest/oauth1-credential/callback. Register that URL in the OAuth 1.0 app's allowed callback list.