
Cross-Origin Resource Sharing (CORS) is a mechanism that allows a web page to make an AJAX call using XMLHttpRequest (XHR) to a domain different from the one the script was loaded from. Browsers would otherwise forbid such cross-domain requests under the same-origin policy. CORS defines a standardized way for the browser and the server to interact to determine whether to allow the cross-origin request.

In Okta, CORS allows JavaScript hosted on your websites to make requests using XMLHttpRequest to the Okta API with the Okta session cookie. Because such requests carry the session cookie, every website origin (scheme, host, and port) that makes them must be explicitly permitted as a Trusted Origin.

If you use OAuth 2.0 tokens to call Okta APIs, you don't need to add a Trusted Origin, because OAuth for Okta APIs doesn't rely on cookies; these APIs use bearer tokens instead. See Scopes and supported endpoints.

Caution: Grant access only to specific origins (websites) that you control and trust to access the Okta API. Any script running on a Trusted Origin can call the Okta API with the session cookie of a signed-in user who visits that site.
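The following is an added example, not Okta's own code, showing the two request modes described above (session cookie vs. bearer token) from the browser's side, and how a Trusted Origin allow-list should be matched for a credentialed request from the server's side. The org URL, the allow-list entries and the access token are assumed, constructed values; the endpoint path is used only for illustration.

```javascript
// Added example, not Okta's own code. The org URL, allow-list entries and
// access token below are assumed/constructed values for illustration.

const OKTA_ORG = "https://dev-123456.okta.com"; // assumed org URL, not a real org
const USERS_ME = `${OKTA_ORG}/api/v1/users/me`;  // endpoint used for illustration

// Browser side: build fetch() arguments for a cross-origin call to the Okta API.
//  - "cookie": rely on the Okta session cookie. The browser only attaches it to a
//    cross-origin request when credentials is "include", which in turn requires
//    the server to answer with Access-Control-Allow-Credentials: true and an
//    exact Access-Control-Allow-Origin (a "*" is rejected for credentialed calls).
//  - "bearer": send an OAuth 2.0 access token. No cookie is involved, so no
//    Trusted Origin is needed; credentials is "omit" so the cookie is never sent.
function buildRequest(mode, accessToken) {
  const headers = { Accept: "application/json" };
  if (mode === "cookie") {
    return { url: USERS_ME, options: { method: "GET", headers, credentials: "include" } };
  }
  if (mode === "bearer") {
    if (!accessToken) throw new Error("bearer mode requires an access token");
    headers.Authorization = `Bearer ${accessToken}`;
    return { url: USERS_ME, options: { method: "GET", headers, credentials: "omit" } };
  }
  throw new Error(`unknown mode: ${mode}`);
}

// Canonical form of an origin: scheme://host[:port], lowercase host, default
// port dropped. Returns null for anything that is not a bare origin, including
// the literal "null" that browsers send for opaque origins.
function normalizeOrigin(value) {
  let url;
  try {
    url = new URL(value);
  } catch (e) {
    return null;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  if (url.pathname !== "/" || url.search || url.hash || url.username || url.password) return null;
  return url.origin;
}

// Server side: decide the CORS response headers for a credentialed request.
// The Origin must match an allow-list entry exactly: no wildcard, no suffix or
// prefix match, and never reflecting whatever Origin the request carried.
function corsHeadersFor(requestOrigin, trustedOrigins) {
  const origin = normalizeOrigin(requestOrigin);
  if (origin === null) return null;
  const allowed = trustedOrigins.map(normalizeOrigin).some((t) => t === origin);
  if (!allowed) return null;
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin", // response differs per origin; keep caches from mixing them up
  };
}

// Constructed allow-list standing in for an org's Trusted Origins list.
const TRUSTED_ORIGINS = ["https://app.example.com", "https://Admin.Example.com:443"];

// Demo: the first two are allowed, the look-alike host, wrong scheme and
// opaque origin are all refused.
for (const o of ["https://app.example.com", "https://admin.example.com",
                 "https://app.example.com.evil.test", "http://app.example.com", "null"]) {
  console.log(o, "->", corsHeadersFor(o, TRUSTED_ORIGINS));
}
```

The cookie-mode request only works if the page's origin is in the Trusted Origins list and the server echoes that exact origin back; a look-alike host, a different scheme, or an opaque `null` origin gets no CORS headers at all, so the browser blocks the response. The bearer-mode request never sends the session cookie, which is why no Trusted Origin is needed for it.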

API Support

The Okta API supports CORS on a per-API basis. If you're building an application that needs CORS, check that each specific operation you call supports CORS for your use case. Operations that support CORS are marked with the CORS icon in the API reference.

Browser Support

Not all browsers support CORS. You can review which browsers support CORS on caniuse.com/cors.

Note: IE8 and IE9 don't support authenticated (credentialed) cross-origin requests, so they can't use the Okta session cookie with CORS.


If you need help or have an issue, post a question on the Okta Developer Forum.