diff --git a/public/client-metadata.json b/public/client-metadata.json
index c69a1eb..85a10b6 100644
--- a/public/client-metadata.json
+++ b/public/client-metadata.json
@@ -3,9 +3,7 @@
   "client_name": "Coffee Map",
   "client_uri": "https://coffee.apoena.dev",
   "redirect_uris": [
-    "https://coffee.apoena.dev/oauth/callback",
-    "http://127.0.0.1:5173/oauth/callback",
-    "http://127.0.0.1:5174/oauth/callback"
+    "https://coffee.apoena.dev/oauth/callback"
   ],
   "grant_types": ["authorization_code", "refresh_token"],
   "response_types": ["code"],
diff --git a/src/lib/atproto.ts b/src/lib/atproto.ts
index c662c15..2606a70 100644
--- a/src/lib/atproto.ts
+++ b/src/lib/atproto.ts
@@ -5,9 +5,8 @@ import { Agent } from '@atproto/api'
 // so the PDS can fetch it — even in local dev.
 const PROD_URL = 'https://coffee.apoena.dev'
 
-// redirect_uri is dynamic so local dev redirects back to the right origin.
-// RFC 8252 forbids "localhost" — replace with 127.0.0.1 for loopback.
-const ORIGIN = window.location.origin.replace('localhost', '127.0.0.1')
+// OAuth only works on the deployed domain (web apps can't use loopback).
+const ORIGIN = PROD_URL
 
 let _client: BrowserOAuthClient | null = null
 
diff --git a/vite.config.ts b/vite.config.ts
index 87c5fde..f81d41d 100644
--- a/vite.config.ts
+++ b/vite.config.ts
@@ -5,9 +5,6 @@ import UnoCSS from 'unocss/vite'
 import { fileURLToPath } from 'node:url'
 
 export default defineConfig({
-  server: {
-    host: '127.0.0.1',
-  },
   resolve: {
     alias: {
       '@': fileURLToPath(new URL('./src', import.meta.url)),