Google OAuth Consent Screen Misconfigured in Bolt App
Users trying to log in with Google in your Bolt.new application encounter errors like 'This app isn't verified', 'Error 400: redirect_uri_mismatch', or a consent screen that requests terrifying permissions like 'See, edit, download, and permanently delete all your Google Drive files'. Some users see a blank screen after clicking 'Sign in with Google'.
Google OAuth is the most common social login provider, and a misconfigured consent screen will stop every user from signing up or logging in. The scary permission warnings or 'unverified app' screens cause users to immediately close the tab and never return, even if your app only needs basic profile information.
The issue stems from Google Cloud Console configuration not matching what your application code expects. Bolt generates the OAuth login flow in code but can't configure the Google Cloud Console for you, leading to mismatches between what Google expects and what your app sends.
Error Messages You Might See
Common Causes
- Redirect URI mismatch — The callback URL in your code doesn't exactly match what's registered in Google Cloud Console (wrong domain, missing path, http vs https)
- OAuth consent screen in testing mode — The app is in 'Testing' status which only allows pre-approved test users, blocking all other signups
- Excessive scopes requested — The code requests broad scopes like 'https://www.googleapis.com/auth/drive' when it only needs 'openid email profile'
- App not verified by Google — Production apps requesting sensitive scopes must go through Google's verification process
- Wrong OAuth client type — Created a Desktop or Android OAuth client instead of Web application type in Google Console
How to Fix It
- Fix redirect URI — In Google Cloud Console > APIs & Services > Credentials > your OAuth client, add your exact callback URL: https://yourapp.com/auth/callback/google (must match character-for-character)
- Publish the OAuth consent screen — Go to OAuth consent screen tab and click 'Publish App' to move from Testing to Production. This allows any Google user to sign in
- Request minimal scopes — Only request what you need. For login, use: scope: 'openid email profile'. Remove any Drive, Calendar, or other API scopes unless your app actually uses them
- Use correct client type — Delete the existing client and create a new one as 'Web application' type. Mobile and Desktop types don't support redirect-based OAuth flows
- Add all redirect URIs — Add both your development (http://localhost:3000/auth/callback/google) and production (https://yourapp.com/auth/callback/google) URIs
- Configure Supabase redirect — If using Supabase Auth, add https://your-project.supabase.co/auth/v1/callback to Google's authorized redirect URIs
Real developers can help you.
Prakash Prajapati
I’m a Senior Python Developer specializing in building secure, scalable, and highly available systems. I work primarily with Python, Django, FastAPI, Docker, PostgreSQL, and modern AI tooling such as PydanticAI, focusing on clean architecture, strong design principles, and reliable DevOps practices. I enjoy solving complex engineering problems and designing systems that are maintainable, resilient, and built to scale.
Kingsley Omage
Fullstack software engineer passionate about AI Agents, blockchain, LLMs.
Jen Jacobsen
I’m a Full-Stack Developer with over 10 years of experience building modern web and mobile applications. I enjoy working across the full product lifecycle — turning ideas into real, well-built products that are intuitive for users and scalable for businesses.
I particularly enjoy building mobile apps, modern web platforms, and solving complex technical problems in a way that keeps systems clean, reliable, and easy to maintain.
rayush33
JavaScript (React.js, React Native, Node.js) Developer with demonstrated industry experience of 4+ years, actively looking for opportunities to hone my skills as well as help small-scale business owners with solutions to technical problems
Caio Rodrigues
I'm a full-stack developer focused on building practical and scalable web applications. My main experience is with **React, TypeScript, and modern frontend architectures**, where I prioritize clean code, component reusability, and maintainable project structures.
I have strong experience working with **dynamic forms, state management (Redux / React Hook Form), and complex data-driven interfaces**. I enjoy solving real-world problems by turning ideas into reliable software that companies can actually use in their daily operations.
Beyond coding, I care about **software quality and architecture**, following best practices for componentization, code organization, and performance optimization.
I'm also comfortable working across the stack when needed, integrating APIs, handling business logic, and helping transform prototypes into production-ready systems.
My goal is always to deliver solutions that are **simple, efficient, and genuinely useful for the people using them.**
PawelPloszaj
I'm fronted developer with 10+ years of experience with big projects. I have small backend background too
Richard McSorley
Full-Stack Software Engineer with 8+ years building high-performance applications for enterprise clients. Shipped production systems at Walmart (4,000+ stores), Cigna (20M+ users), and Arkansas Blue Cross. 5 patents in retail/supply chain tech. Currently focused on AI integrations, automation tools, and TypeScript-first architectures.
Basel Issmail
’m a Senior Full-Stack Developer and Tech Lead with experience designing and building scalable web platforms. I work across the full development lifecycle, from translating business requirements into technical architecture to delivering reliable production systems.
My work focuses on modern web technologies, including TypeScript, Angular, Node.js, and cloud-based architectures. I enjoy solving complex technical problems and helping teams turn product ideas and prototypes into working platforms that can grow and scale.
In addition to development, I often collaborate closely with product managers, business analysts, designers, and QA teams to ensure that solutions align with both technical and business goals.
I enjoy working with startups and product teams where I can contribute both as a hands-on engineer and as a technical partner in designing and delivering impactful software.
Dor Yaloz
SW engineer with 6+ years of experience,
I worked with React/Node/Python
did projects with React+Capacitor.js for ios
Supabase expert
Jaime Orts-Caroff
I'm a Senior Android developer, currently working at Aircall. I'm open to work in various fields!
You don't need to be technical. Just describe what's wrong and a verified developer will handle the rest.
Get HelpFrequently Asked Questions
How do I move my Google OAuth app from Testing to Production?
Go to Google Cloud Console > APIs & Services > OAuth consent screen. Click 'Publish App'. If you only use basic scopes (openid, email, profile), verification is automatic. If you request sensitive scopes, Google will review your app which can take weeks.
Why do users see 'This app isn't verified' warning?
Your OAuth consent screen is either in Testing mode (only test users can sign in) or you're requesting sensitive scopes that require Google verification. For most apps, requesting only 'openid email profile' scopes avoids verification requirements.