Base44 auth breaks after deploy: 3 causes and fixes

Login works fine in the Base44 preview, then breaks the moment you deploy? Here are the three most common causes — and how to tell which one is yours.

Login works in the Base44 editor. You click deploy, open the live URL, and auth is just broken — a redirect loop, a “session expired” message on first load, or a login button that does nothing. Nothing in your prompt history mentions auth. You didn’t touch the login flow. It worked five minutes ago in preview.

If you’re searching “base44 auth error after deploy” or “base44 login broken after deploy,” this isn’t one bug — it’s a small set of distinct failure modes that all present the same way (works in preview, breaks live). That’s why “just redeploy” or “just re-ask the agent to fix login” often doesn’t work: you might be fixing the wrong one. Here’s how to tell which of the three you actually have.

Why this happens — 3 likely causes

All three share the same shape: something is different between your preview environment and your deployed environment, and auth is the part of the app most sensitive to that difference.

1. A database/schema migration race between preview and production. Base44’s preview environment and its deployed environment don’t always apply schema changes in lockstep. If a migration that your auth flow depends on (a new column on a users table, an updated permissions table, an index) finishes applying in preview before it’s fully applied in the deployed environment — or the deploy kicks off before the migration is confirmed complete — your live app can be reading/writing against a schema that doesn’t match what the auth code expects. Preview looks fine because it’s running against the already-migrated state; production briefly (or persistently, if the migration silently failed) isn’t.

2. Environment-variable or auth-config values that differ between preview and production. Callback/redirect URLs, allowed origins for OAuth or CORS, and API keys are commonly scoped per-environment — and if the production values weren’t set, or were copied from preview without updating the domain, the auth provider will reject the exchange on the live domain even though the exact same code works against the preview subdomain. This is the most common cause and the easiest to miss, because nothing in your app code is wrong — it’s a values-not-code problem.

3. Session/cookie domain mismatches between the preview subdomain and your custom/production domain. Cookies set with a domain scoped to *.base44.app (or whatever your preview subdomain is) won’t be valid on a custom domain like app.yourproduct.com, and vice versa. If your session cookie’s domain attribute is hardcoded, or inherited from whichever environment it was first configured against, the browser will simply refuse to send it back on the other domain — which looks exactly like “auth broke” but is actually the browser correctly protecting cookie scope.

Diagnosing which one is yours

Don’t jump to a fix before you know which cause you’re dealing with — all three look identical from the login screen.

  1. Open your browser’s dev tools on the live (deployed) URL, not the preview. Go to the Network tab, attempt to log in, and watch the actual request/response for the auth call.
  2. Check for a redirect_uri or origin mismatch error in the response body or console — this points to cause 2 (config values). Auth providers (including Base44’s own) usually return an explicit error naming the mismatched URL when this is the issue.
  3. Check the Application/Storage tab for the session cookie. Look at its Domain attribute and compare it to the URL in your address bar. If the cookie is present but scoped to a different domain than the one you’re on, that’s cause 3.
  4. If there’s no cookie and no obvious redirect error, check your deploy logs for migration status — specifically whether the migration step reported success and whether it ran before or after the app started serving traffic. A migration that’s still “in progress” or that failed silently points to cause 1.

The fix for each cause

If it’s cause 1 (migration race):

  1. Check Base44’s deploy/build logs for the migration step specifically — confirm it ran to completion and in what order relative to the app going live.
  2. Re-run the deploy and, if possible, force a fresh migration rather than relying on an incremental one — a full re-apply against production rules out a partial/interrupted migration.
  3. If the schema change was recent, roll back to the last known-good deploy, confirm auth works there, then re-apply the migration in isolation (not bundled with other changes) so you can confirm it completes cleanly before the app starts serving requests again.
  4. If this keeps recurring across deploys, that’s worth reporting to Base44 directly with the deploy log timestamps — a consistently-losing race between migration and traffic start is a platform sequencing issue, not something you can reliably work around from the app side alone.

If it’s cause 2 (environment-variable/config mismatch):

  1. Open your production environment’s auth configuration and list every URL-shaped value: callback/redirect URL, allowed origins, any webhook URL. Do this by opening the actual config, not from memory.
  2. Compare each one against your live deployed domain, character for character — a trailing slash, http vs https, or a leftover preview subdomain are the usual culprits.
  3. Update any mismatched value to point at your production domain, and if your auth provider requires it, add the production domain as an additional allowed origin rather than replacing the preview one (so preview keeps working too).
  4. Redeploy after saving the config change — env/config updates don’t always take effect on the already-running deployment without a fresh deploy.

If it’s cause 3 (cookie domain mismatch):

  1. Find where your session cookie’s domain is set — this may be in your auth configuration, a middleware/server setting, or hardcoded if you or the agent wrote custom session handling.
  2. Set the cookie domain to match your actual production domain (or, if you need both preview and production to work, scope it correctly per-environment rather than hardcoding one value everywhere).
  3. If you’re using a custom domain on top of Base44’s default subdomain, confirm the custom domain is fully propagated (DNS, SSL) before testing — a half-configured custom domain can produce the same symptom for an unrelated reason.
  4. Clear cookies for both domains and log in fresh after the change — a stale cookie from before the fix can make it look like the fix didn’t work.

If cause 2 is yours, the actual work is being precise about which value is wrong and what it should be instead — the callback URL that’s set vs. the one it needs to be. That’s the same structure that trips people up when they ask an agent to “fix the login redirect” without naming the specific URL and domain: a vague request gets a vague (and often wrong) retry. This is one of the narrower cases where Traileo’s point-and-describe flow helps even outside a visual bug — you’re still pinning down an exact expected-vs-actual value, just for a config field instead of a UI element. Causes 1 and 3 are infra/config issues with no ambiguity to resolve in the request itself — there, the checklist above is the fix, full stop.

How to verify auth is actually fixed in production — not just in preview

This is the step people skip, and it’s why the same “fixed” bug comes back. Preview passing tells you almost nothing here, because preview was never broken.

  1. Test on the actual deployed URL, in a fresh/incognito browser session — not the preview URL, and not a session that already has old cookies or cached auth state.
  2. Log out completely and log back in from scratch, rather than checking whether an already-logged-in session still shows as logged in (a valid cookie from before the fix can mask a fix that didn’t work, or mask a break that will hit new logins).
  3. If you fixed a config/callback URL issue, test the specific flow that uses it end-to-end (e.g., the full OAuth redirect round-trip), not just the login button rendering — the failure is often in the redirect exchange, which only shows up mid-flow.
  4. If you fixed a migration issue, confirm with a second deploy that the fix holds — a race condition can appear to be fixed once and then recur on the next deploy if the underlying sequencing issue wasn’t actually resolved.
  5. Repeat the check on the exact domain your users will hit (custom domain included, if you have one) — a fix verified only on the default Base44 production subdomain doesn’t confirm the custom domain is correct too.