diff --git a/backend/internal/dto/validations.go b/backend/internal/dto/validations.go
index 429a9dcf..8aca787a 100644
--- a/backend/internal/dto/validations.go
+++ b/backend/internal/dto/validations.go
@@ -67,14 +67,12 @@ func ValidateClientID(clientID string) bool {
 
 // ValidateCallbackURL validates callback URLs with support for wildcards
 func ValidateCallbackURL(raw string) bool {
- if raw == "*" {
+ // Don't validate if it contains a wildcard
+ if strings.Contains(raw, "*") {
 return true
 }
 
- // Replace all '*' with 'x' to check if the rest is still a valid URI
- test := strings.ReplaceAll(raw, "*", "x")
-
- u, err := url.Parse(test)
+ u, err := url.Parse(raw)
 if err != nil {
 return false
 }
diff --git a/frontend/src/lib/utils/zod-util.ts b/frontend/src/lib/utils/zod-util.ts
index a0813bb2..7bccb5ef 100644
--- a/frontend/src/lib/utils/zod-util.ts
+++ b/frontend/src/lib/utils/zod-util.ts
@@ -14,9 +14,11 @@ export const callbackUrlSchema = z
 .nonempty()
 .refine(
 (val) => {
- if (val === '*') return true;
+ if (val.includes('*')) {
+ return true;
+ }
 try {
- new URL(val.replace(/\*/g, 'x'));
+ new URL(val);
 return true;
 } catch {
 return false;
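Review bot: The new early return `if strings.Contains(raw, "*")` accepts every value that contains an asterisk, so a pattern with no scheme, or with the wildcard in the scheme or host position, now passes without any syntax check, where before only the bare `*` skipped parsing; the `callbackUrlSchema` refine in zod-util.ts gets the same bypass through `val.includes('*')`. Callback URLs presumably decide where authorization responses may be sent, so I would keep a check on the fixed part of the pattern inside that branch, for example `if raw != "*" && !strings.Contains(raw[:strings.Index(raw, "*")], "://") { return false }`, if a wildcard-free scheme fits the patterns you mean to allow. If accepting any pattern is intended, the doc comment should say so, e.g. `// Values containing '*' are accepted unchecked; the callback matcher is the only control for them.` The rest of ValidateCallbackURL lies outside the hunk, so any scheme or host check further down cannot be seen from here, and it no longer runs for wildcard values in any case.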