If OAuth or email confirmation redirects fail, configure Supabase as follows.
Go to Authentication → URL Configuration
https://your-app.netlify.app). NOT localhost for production.http://localhost:3000/** (local dev)https://YOUR_PROD_DOMAIN/** (production)https://**--YOUR_NETLIFY_SITE_NAME.netlify.app/** (deploy previews)The redirectTo URL sent to Supabase must match the allowlist exactly. Otherwise Supabase ignores it or defaults to Site URL.
Set NEXT_PUBLIC_APP_URL (or NEXT_PUBLIC_SITE_URL) to your canonical production HTTPS origin; Netlify production builds require it. Deploy previews and branch deploys use the preview host from request headers for redirectTo so it matches the Supabase preview wildcard.
Full details: docs/RUNBOOK.md in the repository.