Summary
Apple Sign In can fail on macOS when the production bundle is on the beta update channel, because backend routing sends auth to https://api.omiapi.com/. Apple then rejects the web redirect URL with:
invalid_request
Invalid web redirect url.
Switching the local channel back to stable makes login work again.
Observed
The macOS app opened an auth URL like:
https://api.omiapi.com/v1/auth/authorize?provider=apple&redirect_uri=omi-computer://auth/callback&state=...%7Ccom.omi.computer-macos
Apple returned:
invalid_request
Invalid web redirect url.
Local diagnosis on the affected machine:
defaults read com.omi.computer-macos update_channel
beta
After running:
defaults write com.omi.computer-macos update_channel stable
and reopening Omi, Apple login worked.
Additional checks:
/Applications/omi.app bundle id: com.omi.computer-macos
/Applications/omi.app version: 0.11.424
~/.omi.env: not present
OMI_FORCE_DEV_BACKENDS: not set
App bundle .env:
OMI_PYTHON_API_URL=https://api.omi.me
OMI_DESKTOP_API_URL=https://desktop-backend-hhibjajaja-uc.a.run.app/
Code Pointers
desktop/Desktop/Sources/DesktopBackendEnvironment.swift
productionPythonAPIURL = "https://api.omi.me/"developmentPythonAPIURL = "https://api.omiapi.com/"- production bundle +
update_channel == beta routes to development backends.
desktop/Desktop/Sources/AuthService.swift
- builds
/v1/auth/authorize from DesktopBackendEnvironment.pythonBaseURL().
- uses
omi-computer://auth/callback as the desktop callback URI.
desktop/Backend-Rust/src/routes/auth.rs
- Apple provider redirects to Apple with web callback
<BASE_API_URL>/v1/auth/callback/apple.
Expected
Apple Sign In should work for macOS users regardless of whether the production bundle is on stable or beta, or the app should clearly recover from a stale/broken local channel setting.
Likely Cause
The desktop custom-scheme redirect (omi-computer://auth/callback) is expected and is only stored by Omi's auth service. The failure appears to happen when the Omi auth service redirects to Apple with its web callback URL. For the beta/dev route, Apple likely does not have the exact https://api.omiapi.com/v1/auth/callback/apple return URL configured for the active Apple Services ID / APPLE_CLIENT_ID, or the dev auth service is producing a callback URL that does not exactly match Apple's configured Return URLs.
Possible Fixes
- Configure Sign in with Apple Return URLs for the
api.omiapi.com auth callback if beta-channel production bundles are expected to use that backend.
- Add a startup/auth diagnostic that surfaces the effective channel and auth backend when Apple OAuth fails with
invalid_request.
- Consider a user-facing recovery path to reset
update_channel to stable, or prevent stale beta channel values from silently routing auth to a backend whose Apple OAuth config is not ready.
Summary
Apple Sign In can fail on macOS when the production bundle is on the
betaupdate channel, because backend routing sends auth tohttps://api.omiapi.com/. Apple then rejects the web redirect URL with:Switching the local channel back to
stablemakes login work again.Observed
The macOS app opened an auth URL like:
Apple returned:
Local diagnosis on the affected machine:
After running:
and reopening Omi, Apple login worked.
Additional checks:
Code Pointers
desktop/Desktop/Sources/DesktopBackendEnvironment.swiftproductionPythonAPIURL = "https://api.omi.me/"developmentPythonAPIURL = "https://api.omiapi.com/"update_channel == betaroutes to development backends.desktop/Desktop/Sources/AuthService.swift/v1/auth/authorizefromDesktopBackendEnvironment.pythonBaseURL().omi-computer://auth/callbackas the desktop callback URI.desktop/Backend-Rust/src/routes/auth.rs<BASE_API_URL>/v1/auth/callback/apple.Expected
Apple Sign In should work for macOS users regardless of whether the production bundle is on
stableorbeta, or the app should clearly recover from a stale/broken local channel setting.Likely Cause
The desktop custom-scheme redirect (
omi-computer://auth/callback) is expected and is only stored by Omi's auth service. The failure appears to happen when the Omi auth service redirects to Apple with its web callback URL. For the beta/dev route, Apple likely does not have the exacthttps://api.omiapi.com/v1/auth/callback/applereturn URL configured for the active Apple Services ID /APPLE_CLIENT_ID, or the dev auth service is producing a callback URL that does not exactly match Apple's configured Return URLs.Possible Fixes
api.omiapi.comauth callback if beta-channel production bundles are expected to use that backend.invalid_request.update_channeltostable, or prevent stale beta channel values from silently routing auth to a backend whose Apple OAuth config is not ready.