Issue Summary

I’m self-hosting Cal.com using Docker on a VPS with a custom domain.

My goal is to connect a Microsoft Outlook calendar so I can use Cal.com for scheduling.

The site loads fine, but when attempting to connect Outlook, the flow loops and never completes.

From logs, I consistently see:

"Match of WEBAPP_URL with ALLOWED_HOSTNAMES failed"

Even though all relevant environment variables appear to be configured correctly.

This effectively blocks OAuth entirely.

Steps to Reproduce

1. Deploy Cal.com using Docker on a VPS
2. Configure environment variables:
   • NEXTAUTH_URL=https://cal.example.com
   • NEXT_PUBLIC_WEBAPP_URL=https://cal.example.com
   • ALLOWED_HOSTNAMES=cal.example.com
3. Access the app via https://cal.example.com
4. Attempt to connect Microsoft Outlook calendar
5. Observe infinite redirect / loop during OAuth flow

Actual Results

• OAuth flow loops and never completes
• Calendar is not connected
• Logs repeatedly show:
  "Match of WEBAPP_URL with ALLOWED_HOSTNAMES failed"
• Additional error:
  fetch failed (CLIENT_FETCH_ERROR)
  /api/auth/csrf

Expected Results

• OAuth flow should complete successfully
• Outlook calendar should connect
• No hostname mismatch errors in logs

Technical Details

Environment:

• Self-hosted via Docker
• VPS with reverse proxy (Caddy)
• Domain: https://cal.example.com

.env:
NEXTAUTH_URL=https://cal.example.com
NEXT_PUBLIC_WEBAPP_URL=https://cal.example.com
ALLOWED_HOSTNAMES=cal.example.com

Verified inside container:
NEXTAUTH_URL=https://cal.example.com
NEXT_PUBLIC_WEBAPP_URL=https://cal.example.com
ALLOWED_HOSTNAMES=cal.example.com

However, container also shows:
BUILT_NEXT_PUBLIC_WEBAPP_URL=http://localhost:3000

This suggests a build-time value is overriding runtime configuration.

Evidence

Relevant logs:

• "Match of WEBAPP_URL with ALLOWED_HOSTNAMES failed"
• CLIENT_FETCH_ERROR → fetch failed
• /api/auth/csrf failing during OAuth

Additional attempts:

• Tried ALLOWED_HOSTNAMES with quotes and JSON arrays:
  • '"cal.example.com"'
  • '["cal.example.com"]'
• These resulted in JSON parsing errors or nested array issues

Additional Context

I’m trying to run a clean self-hosted Cal.com instance under a custom domain and integrate Microsoft Outlook for scheduling.

Everything appears correctly configured at runtime, but behavior suggests the app is still using a build-time URL (localhost), causing hostname validation to fail and breaking OAuth.

Main Questions

1. What is the correct format for ALLOWED_HOSTNAMES in Docker deployments?
2. Should NEXT_PUBLIC_WEBAPP_URL be set at build-time instead of runtime?
3. Is BUILT_NEXT_PUBLIC_WEBAPP_URL=http://localhost:3000 expected in Docker images, or is this causing the mismatch?
4. Is there a required rebuild step to ensure environment variables are properly applied?