Set up CORS for Ory Network
Cross-Origin Resource Sharing (CORS) is a mechanism that relaxes the same-origin policy implemented in modern browsers. It lets a server explicitly allow some cross-origin requests while rejecting others. To support Single Page Applications (SPAs), you must add CORS origins to your Ory Project. Ory Network allows up to 50 origins. If you plan on using server-side rendering or native applications, you can disable CORS. You can read more about CORS at MDN.
Ory Network doesn't allow setting the CORS origins to be *, null or localhost/127.0.0.1. You can, however, use a wildcard subdomain such as https://*.foobar.ory. To be on the safe side, Ory recommends setting the CORS origins to be an exact match instead of a wildcard subdomain. For local development with localhost/127.0.0.1 use Ory Tunnel.
Supported Endpoints
Only the OAuth2 endpoints support CORS. Other endpoints are supported through custom domains, but will follow soon. For OAuth2, per-client CORS settings are supported, which means that you can set different CORS settings for different OAuth2 clients. You can find the CORS settings in the OAuth2 client settings. CORS still has to be enabled for the whole project, though.
Enable CORS
CORS can be enabled using the Ory CLI:
ory patch project <your-project-id> \
--replace '/cors_public/enabled=true' \
--replace '/cors_public/allowed_origins=["https://*.foobar.ory"]'
You can find more information about the ory patch command in the Ory CLI documentation.
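A pre-flight lint for the allowed_origins list before it is passed to ory patch project, applying the rules stated on this page: no *, null or localhost/127.0.0.1, at most 50 origins, and exact matches preferred over wildcard subdomains. This is an added example, not Ory code; the name lint_origins, the sample list, and the extra shape checks (scheme and host only, wildcard only as the leftmost label) are assumptions, not documented Ory behavior.

```python
from urllib.parse import urlsplit

MAX_ORIGINS = 50                       # project limit stated on this page
LOOPBACK = {"localhost", "127.0.0.1"}  # rejected; use Ory Tunnel for local work


def lint_origins(origins):
    """Return (errors, warnings) for a candidate allowed_origins list."""
    errors, warnings = [], []
    if len(origins) > MAX_ORIGINS:
        errors.append(f"{len(origins)} origins exceed the limit of {MAX_ORIGINS}")
    for origin in origins:
        if origin in ("*", "null"):
            errors.append(f"{origin!r} is not allowed as a CORS origin")
            continue
        parts = urlsplit(origin)
        host = parts.hostname or ""
        if parts.scheme not in ("http", "https") or not host:
            # Assumption: every entry is a scheme://host[:port] web origin.
            errors.append(f"{origin!r} is not a scheme://host origin")
        elif parts.path or parts.query or parts.fragment:
            # Assumption: an Origin header carries no path, so this never matches.
            errors.append(f"{origin!r} has a path, query or fragment")
        elif host in LOOPBACK:
            errors.append(f"{origin!r} is a loopback origin; use Ory Tunnel")
        elif "*" in host:
            if host.startswith("*.") and "*" not in host[2:]:
                warnings.append(f"{origin!r} is a wildcard subdomain; prefer exact origins")
            else:
                # Assumption: only the leading-label form shown on the page is valid.
                errors.append(f"{origin!r} uses a wildcard outside the leftmost label")
    return errors, warnings


# Constructed sample list, not taken from a real project.
SAMPLE = [
    "https://app.example.com",
    "https://*.foobar.ory",
    "*",
    "null",
    "http://localhost:3000",
    "http://127.0.0.1:4000",
]

if __name__ == "__main__":
    errs, warns = lint_origins(SAMPLE)
    for line in warns:
        print("WARN ", line)
    for line in errs:
        print("ERROR", line)
    raise SystemExit(1 if errs else 0)
```

Run it in CI against the origin list kept in version control; a non-zero exit blocks the patch command from running with a rejected entry.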
CORS on custom domains
You can configure custom domains to use specific CORS settings. Head over to the Custom Domains documentation for all information.