Which statement about redirect URIs in Enhanced Packages is true?

• A. Redirect URIs must be URL encoded
• B. Redirect URIs can be any domain
• C. You can't use a URL encoded redirect URI; you can use https://127.0.0.1:{port}/* for local testing
• D. Redirect URIs are not checked

Answer: (C)

In this context, redirect URIs are the trusted destinations an OAuth server will send the user back to after authorization, and they must be pre-registered and exactly match what the app requests. Because the server validates the redirect URI for security, you should not rely on encoded forms of the URI—the platform expects the literal, decoded URI to be registered and used. For local development, you can use a loopback address like https://127.0.0.1:{port}/*, which allows testing against your own machine without exposing a real external domain. This protects against redirecting to untrusted sites. A domain you haven’t whitelisted isn’t allowed, and the server does check redirect URIs; those other statements aren’t correct.