diff --git a/internal/web/server.go b/internal/web/server.go
index 41e4c68..0f3d97c 100644
--- a/internal/web/server.go
+++ b/internal/web/server.go
@@ -2154,6 +2154,12 @@ func (s *Server) handleSettings(w http.ResponseWriter, r *http.Request) {
 		"LLMModel":        allSettings[settings.KeyLLMModel],
 		"LLMMaxTokens":    maxTokens,
 		"PublicBaseURL":   allSettings[settings.KeyPublicBaseURL],
+		// Derived from PublicBaseURL via the same publicBaseURL() helper
+		// used by googleOAuthConfig.RedirectURL, so what the operator sees
+		// here is byte-for-byte the URL Sieve will send to OAuth providers.
+		// Surfacing it on the settings page is the lowest-friction way to
+		// avoid Error 400: redirect_uri_mismatch on the provider side.
+		"OAuthCallbackURL": s.publicBaseURL(r) + "/oauth/callback",
 		"CommandAllowlist": allSettings[settings.KeyCommandAllowlist],
 		"AdminTLSCertPath": allSettings[settings.KeyAdminTLSCertPath],
 		"AdminTLSKeyPath":  allSettings[settings.KeyAdminTLSKeyPath],
diff --git a/internal/web/templates/settings.html b/internal/web/templates/settings.html
index b7f2ddf..341891f 100644
--- a/internal/web/templates/settings.html
+++ b/internal/web/templates/settings.html
@@ -126,6 +126,11 @@ <h2 class="text-sm font-semibold text-slate-300 uppercase tracking-wider">LLM Co
                    placeholder="http://127.0.0.1:19816"
                    class="w-full rounded-lg bg-slate-700 border border-slate-600 text-white px-3 py-2.5 text-sm placeholder-slate-400 focus:outline-none focus:ring-2 focus:ring-indigo-500 focus:border-transparent">
             <p class="text-xs text-slate-400 mt-1">Externally-visible base URL used when Sieve constructs OAuth callback / redirect / setup URLs (GitHub App manifest, Google OAuth, Slack install). Default <code class="text-slate-300">http://127.0.0.1:19816</code> matches the documented loopback production binding. Set this to your reverse-proxy URL if the admin UI is reached at a different address — never relied on inbound <code class="text-slate-300">Host</code> headers.</p>
+            <div class="mt-3 rounded-lg bg-slate-900/60 border border-slate-700 px-3 py-2.5">
+              <p class="text-xs font-semibold text-slate-300 mb-1">OAuth callback URL Sieve will send</p>
+              <p class="text-xs text-slate-400 leading-relaxed">Register this URL in your Google Cloud Console OAuth client (<em>Authorized redirect URIs</em>), your Slack App config, and any other OAuth provider you use. <strong class="text-slate-300">A mismatch produces <code class="text-amber-300">Error 400: redirect_uri_mismatch</code></strong> on the provider's consent screen and the user cannot complete authentication.</p>
+              <code class="block mt-1.5 text-xs text-emerald-300 bg-slate-950 px-2 py-1 rounded select-all break-all">{{.OAuthCallbackURL}}</code>
+            </div>
           </div>
 
           <div class="pt-2">