Set up CORS for Ory Network

Cross-Origin Resource Sharing (CORS) is a mechanism that relaxes the same-origin policy implemented in modern browsers: it lets a server explicitly allow some cross-origin requests while rejecting others. It's important that you add CORS origins to your Ory project so that Single Page Applications (SPAs) are supported. Ory Network allows up to 50 origins. If you plan on using server-side rendering or native applications, you can disable CORS. You can read more about CORS at MDN.

Note: Ory Network doesn't allow setting the CORS origins to be *, null or localhost/127.0.0.1. You can, however, use a wildcard subdomain such as https://*.foobar.ory. To be on the safe side, Ory recommends setting the CORS origins to be an exact match instead of a wildcard subdomain. For local development with localhost/127.0.0.1, use Ory Tunnel.

Supported Endpoints

Only the OAuth2 endpoints support CORS. CORS for other endpoints is supported through custom domains, and direct support will follow soon. For OAuth2, per-client CORS settings are supported, which means you can set different CORS settings for different OAuth2 clients. You can find these settings in the OAuth2 client settings. CORS still has to be enabled for the whole project.

Enable CORS

CORS can be enabled using the Ory CLI:

ory patch project <your-project-id> \
--replace '/cors_public/enabled=true' \
--replace '/cors_public/allowed_origins=["https://*.foobar.ory"]'

You can find more information about the ory patch command in the Ory CLI documentation.
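
As an added example (not part of the Ory CLI or the Ory documentation), the shell functions below lint an origin list against the restrictions stated on this page before it is passed to ory patch project: they reject *, null and localhost/127.0.0.1, flag wildcard subdomains, enforce the 50-origin limit and build the allowed_origins value. The function names and the app/admin.foobar.ory origins are constructed for illustration, and the host parsing is a simplification that assumes plain scheme://host[:port] origins.

```shell
#!/usr/bin/env bash
# Added example: pre-flight lint of a CORS origin list against the rules this
# page states. Function names and sample origins are constructed for illustration.

MAX_ORIGINS=50  # page: "Ory Network allows up to 50 origins"

# Print ok | warn-wildcard | reject:<reason> for one origin.
classify_origin() {
  local origin="$1" host
  case $origin in
    '*')  echo "reject:any-origin"; return ;;
    null) echo "reject:null-origin"; return ;;
  esac
  host=${origin#*://}   # drop scheme
  host=${host%%/*}      # drop any path
  host=${host%%:*}      # drop port
  case $host in
    localhost|127.0.0.1) echo "reject:loopback" ;;   # use Ory Tunnel instead
    *\**)                echo "warn-wildcard" ;;     # allowed, exact match preferred
    *)                   echo "ok" ;;
  esac
}

# Lint all origins; return 1 if any is rejected or the list exceeds the limit.
lint_origins() {
  local rc=0 verdict origin
  if [ "$#" -gt "$MAX_ORIGINS" ]; then
    echo "too many origins: $# > $MAX_ORIGINS" >&2
    rc=1
  fi
  for origin in "$@"; do
    verdict=$(classify_origin "$origin")
    echo "$verdict  $origin" >&2
    case $verdict in reject:*) rc=1 ;; esac
  done
  return "$rc"
}

# Build the value for --replace '/cors_public/allowed_origins=...'.
# Assumes origins contain no double quotes or backslashes.
allowed_origins_patch() {
  local json="" origin
  for origin in "$@"; do
    json="${json:+$json,}\"$origin\""
  done
  echo "/cors_public/allowed_origins=[$json]"
}
```

Run lint_origins over the candidate list first and pass the output of allowed_origins_patch to --replace only when it returns 0; wildcard entries pass with a warning so they can be reviewed and replaced with exact origins where possible.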

CORS on custom domains

You can configure custom domains to use specific CORS settings. Head over to the Custom Domains documentation for all information.