When accessing certain APIs like List Users (GET /api/v1/users) from the front-end/browser, the following CORS error is received:
Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource
- Cross-Origin Resource Sharing (CORS)
- API
- Okta Classic Engine
A CORS error is received when an API is accessed from the front end or browser and that API is not CORS-enabled. APIs that are not CORS-enabled can be accessed only from the server side/back end.
The Okta API supports CORS on an API-by-API basis. If building an application that needs CORS, check that the specific operation supports CORS for the use case. APIs that support CORS are marked with a CORS icon in the Okta API documentation.
CORS-enabled APIs (like GET User) can be accessed from the front end/browser, provided CORS is enabled in the developer console for the website that needs to make cross-origin requests to the Okta API.
Additionally, a CORS error will occur if a request to an Okta API endpoint is made from the front end using an API Token in the Authorization header. To enable CORS for a website:
- Navigate to Security > API > Trusted Origins.
- Select Add Origin and specify the base URL of the website from which cross-origin requests should be allowed.
- Ensure that Cross-Origin Resource Sharing (CORS) is selected.
For authenticated requests to the Okta API that require Authorization, verify that the application uses a scoped Access Token, passed in the Authorization header of the request as a Bearer token. Learn more about OAuth for Okta in Implement OAuth for Okta.
NOTE: It is strongly recommended not to use or expose an API Token on the front end of an application. For secured access to resources, use a short-lived, scoped Access Token. This practice limits the window of opportunity for misuse and restricts permissions to only what is necessary for the application to access.
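The three causes this article lists (operation not CORS-enabled, origin not in Trusted Origins, API Token used from the front end) can be checked before a request leaves the browser. The following is an added example, not Okta's code; the trusted-origin list and CORS table are constructed samples, and the `SSWS` scheme is assumed to be how an Okta API Token appears in the Authorization header.

```javascript
// Added example: pre-flight self-check for browser calls to the Okta API,
// modelling the three failure causes the article describes. Not Okta's code.

// Constructed sample: origins registered under Security > API > Trusted Origins.
const TRUSTED_ORIGINS = new Set(["https://app.example.com"]);

// Constructed sample: CORS support is per-operation. The two operations the
// article names: GET User is CORS-enabled, List Users is not.
const CORS_ENABLED = {
  "GET /api/v1/users/{id}": true,
  "GET /api/v1/users": false,
};

// Return the reasons a browser request would fail, or [] if it should pass.
function diagnoseBrowserRequest({ operation, origin, authorization }) {
  const reasons = [];
  if (!CORS_ENABLED[operation]) {
    reasons.push(`${operation} is not CORS-enabled; call it from the back end`);
  }
  if (!TRUSTED_ORIGINS.has(origin)) {
    reasons.push(`${origin} is not listed in Security > API > Trusted Origins`);
  }
  // Assumption: an API Token is sent as "SSWS <token>"; a scoped OAuth access
  // token is sent as "Bearer <token>". Only the latter belongs in a browser.
  const scheme = (authorization || "").split(" ")[0];
  if (scheme === "SSWS") {
    reasons.push("API Token used from the front end; use a scoped Bearer access token");
  } else if (scheme !== "Bearer") {
    reasons.push("Authorization header must carry a Bearer access token");
  }
  return reasons;
}

// Build fetch() options for a CORS-enabled call using a scoped access token.
function buildGetUserRequest(oktaDomain, userId, accessToken) {
  return {
    url: `https://${oktaDomain}/api/v1/users/${encodeURIComponent(userId)}`,
    options: {
      method: "GET",
      headers: { Accept: "application/json", Authorization: `Bearer ${accessToken}` },
    },
  };
}
```

Run `diagnoseBrowserRequest` on the operation, page origin and header the front end intends to use; an empty result means the request matches the conditions the article sets out.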
