diff --git a/public/client-metadata.json b/public/client-metadata.json
index 2a69177..34d2dd5 100644
--- a/public/client-metadata.json
+++ b/public/client-metadata.json
@@ -2,7 +2,11 @@
 "client_id": "https://coffee.apoena.dev/client-metadata.json",
 "client_name": "Coffee Map",
 "client_uri": "https://coffee.apoena.dev",
- "redirect_uris": ["https://coffee.apoena.dev/oauth/callback"],
+ "redirect_uris": [
+ "https://coffee.apoena.dev/oauth/callback",
+ "http://localhost:5173/oauth/callback",
+ "http://localhost:5174/oauth/callback"
+ ],
 "grant_types": ["authorization_code", "refresh_token"],
 "response_types": ["code"],
 "scope": "atproto transition:generic",
diff --git a/src/lib/atproto.ts b/src/lib/atproto.ts
index 9103dd8..532288e 100644
--- a/src/lib/atproto.ts
+++ b/src/lib/atproto.ts
@@ -1,9 +1,12 @@
 import { BrowserOAuthClient } from '@atproto/oauth-client-browser'
 import { Agent } from '@atproto/api'
-// The client_id must equal the public URL of client-metadata.json.
-// Update VITE_APP_URL in your environment or set it here directly.
-const APP_URL = import.meta.env.VITE_APP_URL ?? 'https://coffee.apoena.dev'
+// client_id must always point to the publicly accessible metadata file
+// so the PDS can fetch it — even in local dev.
+const PROD_URL = 'https://coffee.apoena.dev'
+
+// redirect_uri is dynamic so local dev redirects back to localhost
+const ORIGIN = window.location.origin
 let _client: BrowserOAuthClient | null = null
@@ -11,10 +14,10 @@ export function getOAuthClient(): BrowserOAuthClient {
 if (!_client) {
 _client = new BrowserOAuthClient({
 clientMetadata: {
- client_id: `${APP_URL}/client-metadata.json`,
+ client_id: `${PROD_URL}/client-metadata.json`,
 client_name: 'Coffee Map',
- client_uri: APP_URL,
- redirect_uris: [`${APP_URL}/oauth/callback`],
+ client_uri: PROD_URL,
+ redirect_uris: [`${ORIGIN}/oauth/callback`],
 grant_types: ['authorization_code', 'refresh_token'],
 response_types: ['code'],
 scope: 'atproto transition:generic',
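Review bot: The two `http://localhost` entries in the client-metadata.json hunk are added to the document that production serves, so they become valid redirect targets for the production `client_id` for every user, not only on a developer's machine. Because this is a public client (`token_endpoint_auth_method: 'none'` in src/lib/atproto.ts), whatever happens to be listening on port 5173 or 5174 of a user's machine can complete an authorization flow under the Coffee Map name and consent screen. Consider keeping `"redirect_uris": ["https://coffee.apoena.dev/oauth/callback"],` here and using a separate development client for local work; the atproto OAuth profile describes a loopback `http://localhost` client_id for that purpose. It is also worth confirming that authorization servers accept plain-http localhost callbacks for an `application_type: 'web'` client at all. The rest of the metadata object lies outside the hunk.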
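Review bot: In the first src/lib/atproto.ts hunk, `ORIGIN` is read from `window.location.origin` and never checked against the callbacks registered in client-metadata.json, so any other origin the bundle is served from (a preview deploy, a different dev port) yields a `redirect_uri` that is not registered, and the failure only surfaces at the authorization server. Check it against an explicit list and fail early, for example `if (!ALLOWED_ORIGINS.includes(ORIGIN)) throw new Error('unregistered OAuth origin: ' + ORIGIN)`, where `ALLOWED_ORIGINS` is a new constant holding the three registered origins; the localhost entries could additionally be accepted only when `import.meta.env.DEV` is true. The same value feeds `redirect_uris` in the getOAuthClient hunk that follows, whose body starts and ends outside that hunk. Reading `window` at module scope also throws if this module is ever imported outside a browser, so the lookup may be better placed inside `getOAuthClient`.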
@@ -22,7 +25,6 @@ export function getOAuthClient(): BrowserOAuthClient {
 token_endpoint_auth_method: 'none',
 application_type: 'web',
 },
- // Use the public ATProto resolver — for full privacy use your own PDS
 handleResolver: 'https://bsky.social',
 })
 }