[FEATURE] Preview: Allow configurable external URL whitelist for OAuth and other third-party required flows
Preflight Checklist
- [x] I have searched existing requests and this feature hasn't been requested yet
- [x] This is a single feature request (not multiple features)
Problem Statement
The new App Preview feature in Claude Code on desktop restricts all navigation to localhost URLs only. When a locally running web application initiates an OAuth flow that requires navigating to a third-party identity provider (e.g., idbroker.webex.com, accounts.google.com, login.microsoftonline.com), the Preview browser blocks the outbound navigation with the message:
⚠️ Link to webexapis.com was blocked. Preview only supports localhost URLs.
This makes it impossible to develop or test any application that relies on third-party OAuth/SSO authentication flows within the Preview panel.
Proposed Solution
Add a configurable external URL allowlist for the Preview browser. This could be specified at the project level (e.g., in .claude/settings.local.json or a dedicated preview config) or via the desktop app settings.
Alternative Solutions
| Alternative | Why It's Not Ideal |
| --- | --- |
| Use Claude in Chrome (--chrome) | Loses the inline Preview experience; requires switching to an external browser window. Defeats the purpose of the integrated Preview panel. |
| Dev-only login bypass route | Requires code changes to the application under development; doesn't test the actual auth flow; not always feasible with third-party SDKs. |
| Open OAuth URL in external browser | Fragile; callback URL may not route back correctly; breaks the seamless Preview workflow. |
Priority
Medium - Would be very helpful
Feature Category
Configuration and settings
Use Case Example
- I'm working on a SaaS app that uses OAuth login as a core flow (like login with Google)
- I open settings and add the Google OAuth URLs to the Preview URL whitelist
- I login to my application within App Preview window without external URL errors
Additional Context
_No response_
49 Comments
Second this, somebody please add. crazy that this wasn't thought of when releasing CC
Agree, Preview does not work for any logged in pages.
Please add this.
This would be so helpful, especially for our less technical folks!
Maybe if we copywrote our issue and put it in an ebook, Anthropic would finally read it 😆
Please guys!! We need this!!!
We need this, I could not test my nextjs app locally just because its configured with Clerk auth:
"Link to ***.clerk.accounts.dev was blocked. Preview only supports localhost URLs." :(
Guys......come on
Also what is not possbile currently... is testing app that has subdomains combined with localhost.
e.g. http://subdomain.localhost:3000/ is not an accepted url by Claude Code Preview
Yeah otherwise unusable, even a different port isn't accepted, keycloak running on different port doesn't fix it for me, because it's a different origin technically but it's local, maybe we can whitelist our origins?
Adding another use case:
*.localhostsubdomains for local reverse proxy routing.We use Caddy as a local reverse proxy with subdomains routing to different services (Rails on
/app/*, Zola static site on/*, Pipecat onai.*.localhost). Preview blocks navigation to these subdomains even though they resolve to 127.0.0.1.This isn't just an OAuth issue -- it affects any project using subdomain-based local routing (common with Caddy, Traefik, nginx-proxy). A
preview.allowedDomainssetting with glob support (*.localhost) would cover both this and the OAuth cases.I think this is crucial - MANY web apps interact with external (owned) hosts and properties.
Would be nice to have this, we need to be able to authenticate on a non localhost environment, so currently using mcp workaround but would be nice to have it integrated.
Bump!
bump
bump.
bump
bump.
I use a third party authentication service (Work OS) and also localhost domains (via Caddy) - https://api.localhost and https://portal.localhost
Bump. This feature would be incredibly useful.
Pretty crazy this doesn't exist. Has anyone found a workaround?
bump
bump.
Same issue here with Keycloak (SSO). Working on an Angular app that uses Keycloak for authentication — when the app loads in Preview it immediately redirects to the Keycloak auth server (auth.ie.test.gelato.tech) and gets blocked with:
The app never renders at all since auth happens before the first page load. Having a configurable external URL allowlist (even just for known auth domains) in
.claude/settings.jsonor.claude/launch.jsonwould make Preview usable for the vast majority of enterprise/SaaS apps that rely on external identity providers.bump
bump
bump
bump
This is problematic for us too. We have a need to run our platform on
https://localhost.domain.com:port(with multiple services and apps running on different ports) and it's obviously impossible to make use of the preview feature which is a bummer. Are there any plans to fix this at all?Anthropic when it's time to plagiarize from thousands of authors: 🧑💻🔥👩💻
Anthropic when it's time to fix basic auth in their flagship app: 🥱😴💤
Same with .test domains. We need these for SSL testing and .test is NOT a public TLD. We need the ability to use this.
I understand how dumb is that but if you need a temporary workaround - then what worked for me is to ask Claude open the app in Chrome via browser extension, grab token from there and use it in preview 😄
bump
Running into the same thing. We use subdomains, and I'm looking to switch from Conductor due to the upcoming June 15 billing change Anthropic is imposing. Very disappointed to learn that the Claude Code preview doesn't work for subdomains.
We use 2 local loopback subdomains of our own, so need to be able to allowlist these to custom loopback domains.
🙏 Please listen to the numerous people on this thread and fix this prevalent issue.
bump
Link to accounts.google.com was blocked. Preview only supports localhost URLs.
Can there be an option to enable/disable this? Or maybe with explicit approval.
Or is there an alternate workaround for cases like "sign in with XYZ" e.g. supabase being whitelisted?
bump
this would be awesome
bump
bump
bump
Allowing .test domains would be great. I use Laravel Herd to host apps with HTTPS on custom .test domains, but https://myapp.test is not permitted.
bump
bump
Guys, this is a must-have item, please priorities.
Anthropic is never going to fix this because they are high on their own supply of vibe-coding quantity over quality. Ship a barely functioning product, get into the headlines, move onto the next thing. How’s Claude Science coming along?
@ashwin-ant / @bcherny Is there any possibility to kindly ship this?
In the sandbox mode this could be disabled but it would be really helpful if we can get this working in normal mode.
Agree
I see that the complete browser is available inside Claude Desktop.
Thank you Claude Team.