Sunset: localhost redirect URIs for dynamically registered OAuth apps are no longer supported
As of 1 August 2026, Teamwork no longer accepts localhost addresses (localhost, 127.0.0.1, ::1) as OAuth redirect URIs for dynamically registered (DCR) apps. This affects both new registrations and existing apps.
New / updated registrations — A Dynamic Client Registration request that includes a
localhostredirect URI is rejected; the redirect URI is reported as deprecated and not accepted.Token exchange for existing apps — If a DCR app that previously registered a
localhostredirect URI attempts to exchange an authorization code, the token endpoint rejects the request with an OAuth error:{ "error": "invalid_grant", "error_description": "localhost redirect URIs are no longer supported" }This applies even to apps registered before the sunset date — the redirect URI is validated again at token exchange.
Update your app registration to use a non-
localhostHTTPS redirect URI that you control, or a private-use URI scheme for native apps. See the migration steps in the deprecation notice.Re-run the authorization flow with the new redirect URI.
For local development, route OAuth callbacks through a public HTTPS tunnel instead of
localhost.
localhost redirect URIs combined with open dynamic client registration are a known phishing/token-interception vector, so they are being removed in favour of redirect URIs that are bound to a host you control.