ERR-115
Replit app auth not working — fix login and session problems

Last updated 17 April 2026 · 7 min read · By Hyder Shah
Direct answer

Replit Agent will wire up authentication but typically misses production requirements: OAuth redirect URLs must point to your production domain, session storage must be configured for the production environment, and database-level access control (RLS) is typically not implemented. Four fixes cover the common cases.

Quick fix for Replit app auth not working

Start here

Fix 1 — Update OAuth redirect URLs for production

In your OAuth provider (Google, GitHub, etc.) or Supabase Auth settings, add your production URL to the list of allowed redirect URLs. Replit's preview URL (*.replit.app or *.repl.co) needs to be listed if you're using Replit hosting. If you use a custom domain, add that too. The callback path is usually /auth/callback or /api/auth/callback, and it must match the route your app actually serves.

Deeper fixes when the quick fix fails

Fix 2 — Configure session secrets for production

Check your session middleware configuration. The SESSION_SECRET must be set as an environment variable (not hardcoded). In Replit: Secrets tab → add SESSION_SECRET with a random 32-character hex string.

node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"

Generate one with the command above and paste the output into Replit Secrets.

Fix 3 — Fix database access control

Replit apps often use Replit DB (key-value) or a Postgres add-on without row-level access control. Ensure your auth middleware checks that the authenticated user's ID matches the record owner before returning data. If using Supabase, enable RLS on every table and add policies with auth.uid() = user_id. If using raw Postgres, add a WHERE user_id = $1 clause to every query and pass the session user ID.

Fix 4 — Test in an incognito window on the live URL

Always test auth flows on the production/live URL in an incognito window. Cookies, session storage, and OAuth callbacks all behave differently on the live URL vs. the Replit editor. Sign up, confirm email, sign in, reload the page (session must persist), sign out.
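The ownership check Fix 3 describes for a raw-Postgres app, as an added example that is not code from the article or from Replit. The in-memory RECORDS table and the tiny query() stub are constructed stand-ins for a pg client so the block runs offline; the two SQL strings are the real shape of the queries.

```javascript
// Constructed sample table: two users, one private record each.
const RECORDS = [
  { id: 1, user_id: 'user-a', body: 'A private note' },
  { id: 2, user_id: 'user-b', body: 'B private note' },
];

// Stand-in for pg's client.query(sql, params). It only understands the two
// query shapes used below, so the WHERE clauses stay visible as SQL text.
function query(sql, params) {
  if (sql === 'SELECT * FROM records WHERE id = $1') {
    return RECORDS.filter((r) => r.id === params[0]);
  }
  if (sql === 'SELECT * FROM records WHERE id = $1 AND user_id = $2') {
    return RECORDS.filter((r) => r.id === params[0] && r.user_id === params[1]);
  }
  throw new Error('unsupported query in this example: ' + sql);
}

// BEFORE: the pattern generated auth code tends to ship with. The session is
// checked, but the query is not bound to the user, so any logged-in user can
// read any row by guessing its id ("User A can see User B's data").
function getRecordUnsafe(req) {
  if (!req.session || !req.session.userId) return { status: 401, body: null };
  const rows = query('SELECT * FROM records WHERE id = $1', [req.params.id]);
  return rows.length ? { status: 200, body: rows[0] } : { status: 404, body: null };
}

// AFTER: the session user's ID is part of the WHERE clause, so the database
// never returns another user's row. A foreign id is answered like a missing one
// (404, not 403), which avoids confirming that the record exists at all.
function getRecordForUser(req) {
  if (!req.session || !req.session.userId) return { status: 401, body: null };
  const rows = query(
    'SELECT * FROM records WHERE id = $1 AND user_id = $2',
    [req.params.id, req.session.userId],
  );
  return rows.length ? { status: 200, body: rows[0] } : { status: 404, body: null };
}

// Constructed request: User A asking for User B's record (id 2).
const crossUserRequest = { session: { userId: 'user-a' }, params: { id: 2 } };
```

Run the two-account test from "After the fixes" against the hardened handler: the cross-user request must come back 404, and the owner's own request must still succeed.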

After the fixes

Open your production URL in two separate incognito windows. Sign up as User A in one and User B in the other. User A must never see User B’s records, and vice versa. If Replit Agent wrote your OAuth integration and you’ve never audited the callback URL list, assume there’s at least one stale entry to remove.

Why AI-built apps hit "Replit app auth not working"

Replit’s preview environment injects configuration automatically. When you deploy or share a Replit URL, the auth configuration that worked in the editor may not match the production environment.

The three common gaps: OAuth providers whitelist only the editor URL (not *.replit.app), session secrets are hardcoded in the preview but missing in Secrets, and the database has no row-level access control so any authenticated user can read any row.

Auth works perfectly in Replit but breaks when I try to deploy it.
Reddit — r/Replit

Diagnose Replit app auth not working by failure mode

Match your specific symptom to the layer that’s broken before editing code.

Symptom | Cause | Fix
OAuth button errors 'redirect_uri_mismatch' | Production URL not whitelisted in OAuth app | Fix 1
Login succeeds then kicks user back to /login | SESSION_SECRET missing in Replit Secrets | Fix 2
User A can see User B's data after login | No row-level access control in database | Fix 3
Works in editor but fails on replit.app URL | Cookies / callbacks behave differently in production | Fix 4

Still stuck with Replit app auth not working?

Emergency triage · $299 · 48h turnaround
We restore service and write the root-cause report.

If auth breaks in production and you’ve burned hours in the editor trying to reproduce it, we fix the full chain:

  • Your Replit app login works in preview but fails in production
  • OAuth callbacks error with 'redirect_uri_mismatch'
  • Users say they're being logged out on every page refresh
  • You're not sure if your database has proper access control

Questions about Replit app auth not working

Why does my Replit auth work in the editor but break after deploy?

Replit's editor injects configuration automatically — env vars, cookie domains, CORS origins. When you deploy, that auto-configuration disappears. You have to explicitly set every environment variable in Replit Secrets and whitelist every production URL in your OAuth provider's redirect URL list.

What environment variables does my Replit app need for auth?

At minimum: SESSION_SECRET (32-char random hex), DATABASE_URL, and any OAuth client IDs and secrets (GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET, etc.). If using Supabase: NEXT_PUBLIC_SUPABASE_URL, NEXT_PUBLIC_SUPABASE_ANON_KEY, and SUPABASE_SERVICE_ROLE_KEY for server-side operations.

How do I add my production URL to OAuth provider settings?

Google Cloud Console → Credentials → OAuth 2.0 Client IDs → your client → Authorized redirect URIs. Add both your *.replit.app URL and your custom domain (if any). The callback path must match your app's route exactly — /auth/callback and /api/auth/callback are different.

My session cookies aren't persisting across page reloads. What's wrong?

Three common causes: (1) SESSION_SECRET missing or different between requests, (2) cookie's 'secure' flag set in development where HTTPS isn't available, (3) cookie's 'sameSite' set to 'strict' blocking OAuth callbacks. For production on Replit, use 'sameSite: lax' and 'secure: true'.

Should I use Replit DB, Postgres, or Supabase for auth storage?

For anything beyond a toy project, use Supabase or another managed Postgres. Replit DB is key-value only and has no row-level access control — one broken middleware lets any user read any other user's data. Supabase gives you RLS, managed auth, and an admin dashboard for free.

Can you fix this for me?

Yes. Our $299 Emergency Triage covers all four fixes above plus a two-account production test. 48-hour turnaround. For ongoing production-readiness (monitoring, backups, CI/CD), our $1,999 Deployment & Launch package covers it.
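Fix 2 and the cookie-persistence answer above both come down to one session middleware configuration. The function below is an added example, not code from the article or from Replit: it builds express-session style options that fail loudly when SESSION_SECRET is missing and set the cookie flags the FAQ recommends. It assumes the app runs behind a TLS-terminating reverse proxy in production (hence `proxy`), and GOOD_ENV/BAD_ENV are constructed sample environments, not real secrets.

```javascript
// The node -e command in Fix 2 emits 32 random bytes as 64 hex characters.
// Rejecting anything shorter than 32 hex characters catches a placeholder or a
// pasted-in password before it silently weakens every session.
const HEX_SECRET = /^[0-9a-f]{32,}$/i;

function buildSessionOptions(env, nodeEnv) {
  const secret = env.SESSION_SECRET;
  if (!secret) {
    // Missing in Replit Secrets: sessions signed on one request cannot be
    // verified on the next, which shows up as "login succeeds then bounces to /login".
    throw new Error('SESSION_SECRET is not set; add it in the Replit Secrets tab');
  }
  if (!HEX_SECRET.test(secret)) {
    throw new Error('SESSION_SECRET must be a random hex string (see the node -e command)');
  }
  const isProd = nodeEnv === 'production';
  return {
    secret,
    resave: false,
    saveUninitialized: false,
    // Assumption: in production TLS is terminated by a proxy in front of the app,
    // so express-session must trust X-Forwarded-Proto to set a secure cookie.
    proxy: isProd,
    cookie: {
      httpOnly: true,
      // Only mark the cookie secure in production: on a plain-HTTP dev preview the
      // browser drops a secure cookie, which looks like sessions not persisting.
      secure: isProd,
      // 'lax' lets the OAuth provider's redirect back to /auth/callback carry the
      // session cookie; 'strict' drops it and breaks the login round trip.
      sameSite: 'lax',
      maxAge: 7 * 24 * 60 * 60 * 1000, // 7 days, in milliseconds
    },
  };
}

// Constructed sample environments for the checks below (not real secrets).
const GOOD_ENV = { SESSION_SECRET: 'deadbeef'.repeat(8) }; // 64 hex chars
const BAD_ENV = {};
```

Pass the returned object to session(...) from express-session; the throw happens at startup, so a missing secret fails the deploy instead of failing every login.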
Next step

Ship the fix. Keep the fix.

Emergency Triage restores service in 48 hours. Break the Fix Loop rebuilds CI so this error cannot ship again.

About the author

Hyder Shah leads Afterbuild Labs, shipping production rescues for apps built in Lovable, Bolt.new, Cursor, Replit, v0, and Base44.

Experts for Replit app auth not working

If this problem keeps coming back, you probably need ongoing expertise in the underlying stack.