The Problem
You've set up Google OAuth in your Lovable project with Supabase, but users get a 403 error when trying to sign in. The error message doesn't tell you much.
This happens whether you're using Lovable Cloud or your own Supabase project — the Google Cloud Console settings are usually the culprit.
Common Causes
- Redirect URI mismatch — Google is strict about exact URLs
- OAuth Consent Screen incomplete — missing required fields
- App in Testing mode — users not added as testers
- Wrong credentials — copy-paste errors happen
Solution
1. Check Redirect URIs (Most Common Issue)
Go to Google Cloud Console > APIs & Services > Credentials > Your OAuth Client.
For Supabase (your own project):
https://[PROJECT_REF].supabase.co/auth/v1/callbackFor Lovable Cloud:
https://[YOUR-PROJECT].lovable.cloud/auth/v1/callbackImportant: Add the full redirect URI, not just the JavaScript origin. This is where 90% of 403 errors come from.
2. Complete OAuth Consent Screen
Go to OAuth Consent Screen and verify:
- App name and logo are set
- User support email is filled
- Scopes include
emailandprofile - Developer contact info is complete
3. Add Test Users
If your app is in "Testing" mode (not published to production):
- Go to OAuth Consent Screen > Test users
- Add every email that needs to sign in
- Users not on this list will get 403
Tip: Even your own email needs to be on the test users list if you're in Testing mode. This catches a lot of people.
4. Verify Credentials in Both Places
Double-check that Client ID and Client Secret match exactly between:
- Google Cloud Console
- Supabase Dashboard (or Lovable settings)
Quick Checklist
- [ ] Redirect URI is exact (includes
/auth/v1/callback) - [ ] OAuth Consent Screen is 100% complete
- [ ] Test users added (if in Testing mode)
- [ ] Credentials match in both places
Still Stuck?
Note: Check Google Cloud Console > APIs & Services > Credentials > View usage. It shows recent errors and can help pinpoint the issue.