Okta CORS Error When Accessing APIs From the Front-End
Overview

A Cross-Origin Resource Sharing (CORS) error occurs when a front-end application calls an Okta API that is not CORS-enabled, or sends an Application Programming Interface (API) token in the Authorization header. Resolve this error by adding the website as a trusted origin with CORS enabled and by using a scoped access token instead of an API token.

When a front-end application or browser accesses certain APIs, such as List Users (GET /api/v1/users), Okta generates the following CORS error:


Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource


Applies To
  • Okta Classic Engine
  • Okta Identity Engine (OIE)
  • Cross-Origin Resource Sharing (CORS)
  • Application Programming Interface (API)
Cause

A CORS error occurs when a front-end application or browser accesses an API that is not CORS-enabled. APIs that are not CORS-enabled accept server-side or back-end requests only. The Okta API supports CORS on an API-by-API basis, so developers building an application that requires CORS must verify that the specific operation supports CORS for their use case. The developer documentation marks APIs that support CORS with the following icon:

[CORS icon]

Front-end applications and browsers can access CORS-enabled APIs, such as GET User. Administrators enable CORS in the Okta Admin Console for websites requiring cross-origin requests to the Okta API.

Additionally, Okta generates a CORS error if a front-end application sends a request to an Okta API endpoint with an API token in the Authorization header.

Solution

How is the Okta CORS error that occurs when accessing the API resolved?


Add the website as a trusted origin in the Okta Admin Console and configure the application to use a scoped access token.

  1. Navigate to Security > API > Trusted Origins.
  2. Select Add Origin to specify the base URL of the website requiring cross-origin requests.
  3. Select Cross-Origin Resource Sharing (CORS).

[Screenshot: selecting CORS]

How are authenticated requests handled?


Configure the application to pass a scoped access token as a bearer token in the Authorization header of the request. Learn more about OAuth 2.0 for Okta in Implement OAuth for Okta.

NOTE: Do not use or expose an API token on the front end of an application. For secured access to resources, use a short-lived, scoped access token. This practice limits the window of opportunity for misuse and restricts permissions to only what the application needs.
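The following is an added example, not code from this article or from Okta: it builds the front-end request to List Users with a bearer access token, refuses an API token, and diagnoses a failed preflight response. The org URL, the sample JWT and the sample response headers are constructed; the scope name okta.users.read is the OAuth for Okta read scope for the Users API, and Buffer is used so the example runs under Node (a browser would use atob).

```javascript
// Added example (not Okta's code). Constructed values: org URL, sample token, headers.

// Decode a JWT payload without verifying it (inspection only, not trust).
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) return null; // Okta API tokens are opaque strings, not JWTs
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Build the fetch URL and init for GET /api/v1/users. Throws unless the credential
// is an unexpired access token carrying the okta.users.read scope (assumed scope name).
function buildListUsersRequest(orgUrl, token, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (/^SSWS\s/i.test(token)) throw new Error("API tokens must not be used from the browser");
  const claims = decodeJwtPayload(token);
  if (!claims) throw new Error("expected a JWT access token, not an opaque API token");
  if (!(claims.scp || []).includes("okta.users.read")) throw new Error("token lacks okta.users.read");
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) throw new Error("access token expired");
  return {
    url: `${orgUrl}/api/v1/users`,
    init: { method: "GET", headers: { Authorization: `Bearer ${token}`, Accept: "application/json" } },
  };
}

// Diagnose a preflight response: the article's error appears when the
// Access-Control-Allow-Origin header is absent or does not match the page's origin.
function diagnosePreflight(origin, responseHeaders) {
  const allow = responseHeaders["access-control-allow-origin"];
  if (!allow) return "origin is not a Trusted Origin with CORS enabled (no Access-Control-Allow-Origin)";
  if (allow !== "*" && allow !== origin) return `Access-Control-Allow-Origin is ${allow}, not ${origin}`;
  return "ok";
}

// Constructed, unsigned sample token (header.payload.signature) for local demonstration.
function sampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "RS256" })}.${enc(claims)}.sig`;
}
```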

Related References
