We no longer support the use of custom scheme URLs (i.e. URLs that do not start with https:// ) as redirect URLs or app launch URLs.
This means URLs such as:
myapp://callback
myapp://loginare no longer allowed.
Why is this not supported?
Custom scheme URIs are no longer permitted because:
They are not considered sufficiently secure under the new FAPI-compliant standards. They are more vulnerable to interception or hijacking by other apps registering the same custom scheme. FAPI 2.0 requires stronger redirect URI validation and HTTPS-based security controls. HTTPS URLs provide server-side validation and domain ownership verification, which custom schemes cannot.
As a result, all redirect and launch URLs must now use HTTPS-based URLs.
What Should You Use Instead?
If you are integrating via a mobile app (Android or iOS), you must use app-claimed HTTPS URLs instead.
App-claimed HTTPS URLs are standard HTTPS URLs that:
- Start with https://
- Are cryptographically associated with your mobile application
- Automatically open your mobile app when triggered
Platform Support
Android → Use Android App Links
iOS → Use Universal Links
These mechanisms securely associate your HTTPS domain with your mobile app and prevent URI hijacking.
Summary
Custom scheme URIs are no longer supported because they do not meet FAPI security requirements and are vulnerable to interception.
All integrations must migrate to secure, app-claimed HTTPS URLs moving forward.
Comments
0 comments
Please sign in to leave a comment.