Test your configuration

On This Page

Do the following to test your CORS configuration:

  1. Grant cross-origin access to https://developer.okta.com.
  2. In the same browser in which you have an active session in your Okta organization, enter your Okta subdomain in the form below and click Test. Your Okta user profile appears below the form.

Note: If this test seems to be working incorrectly, make sure you have all tracking blockers turned off in your browser and reload the page.

Request examples

The following code samples can be added to your website to test your CORS configuration. Remember to replace the baseUrl with the URL for your Okta organization.


var baseUrl = 'https://${yourOktaDomain}';
var xhr = new XMLHttpRequest();
if ("withCredentials" in xhr) {
    xhr.onerror = function() {
      alert('Invalid URL or Cross-Origin Request Blocked.  You must explicitly add this site (' + window.location.origin + ') to the list of allowed websites in the administrator UI');
    xhr.onload = function() {
    xhr.open('GET', baseUrl + '/api/v1/users/me', true);
    xhr.withCredentials = true;
} else {
    alert("CORS is not supported for this browser!")


var baseUrl = 'https://${yourOktaDomain}';
  url: baseUrl + '/api/v1/users/me',
  type: 'GET',
  xhrFields: { withCredentials: true },
  accept: 'application/json'
}).done(function(data) {
.fail(function(xhr, textStatus, error) {
  var title, message;
  switch (xhr.status) {
    case 403 :
      title = xhr.responseJSON.errorSummary;
      message = 'Please login to your Okta organization before running the test';
    default :
      title = 'Invalid URL or Cross-Origin Request Blocked';
      message = 'You must explicitly add this site (' + window.location.origin + ') to the list of allowed websites in your administrator UI';
  alert(title + ': ' + message);

Response example: error

If you didn't enable CORS, or your CORS configuration is incorrect, an error appears in your browser's developer tool or JavaScript console.


XMLHttpRequest cannot load https://${yourOktaDomain}/api/v1/users/me. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://your-website.com' is therefore not allowed access.


XMLHttpRequest cannot load https://${yourOktaDomain}/api/v1/users/me. Origin https://${yourOktaDomain} is not allowed by Access-Control-Allow-Origin.


Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://${yourOktaDomain}/api/v1/users/me. This can be fixed by moving the resource to the same domain or enabling CORS.

Internet Explorer

SEC7118: XMLHttpRequest for https://${yourOktaDomain}/api/v1/users/me required Cross Origin Resource Sharing (CORS).

SEC7120: Origin https://${yourOktaDomain} not found in Access-Control-Allow-Origin header.

SCRIPT7002: XMLHttpRequest: Network Error 0x80070005, Access is denied.