Callback URL, also known as redirect_uri in terms of OAuth2 protocol (see RFC 6749, Section 3.1.2 for more details), is the URL where the authorization server will redirect to, together with the received authentication token. And the received side must handle that properly.