
Wildcard Support in the Okta Trusted Origins API

Administration
Okta Classic Engine
Okta Identity Engine
Single Sign-On
Custom URL Domains

Overview

The Okta Trusted Origins API supports wildcards for specific permissions, such as iFrame embedding, while generally requiring exact URLs for Cross-Origin Resource Sharing (CORS) and redirects. The API manages Trusted Origins by checking external URLs against an allowlist during sign-in, sign-out, or recovery operations. If an origin is not on the allowlist, Okta denies the related redirect or API access operation. Okta enforces no limit on the number of URLs administrators can add to the allowlist.

Applies To

  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Okta API
  • Trusted Origins

Solution

Are wildcards supported in the Okta Trusted Origins API?

The Okta Trusted Origins API supports the use of wildcards for specific permissions, such as iFrame embedding. For example, administrators can add *.<domain>.com with iFrame permissions successfully. However, Okta typically requires exact URLs for other operations, including CORS and redirects.
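The check below is an added example, not code from Okta or from this article: it reviews a list of trusted-origin records and flags wildcard entries that carry CORS or redirect scopes, or that are broader than the `*.<domain>.com` form above. It assumes records with `origin` and `scopes[].type` fields using the `CORS`, `REDIRECT` and `IFRAME_EMBED` scope types, treats "typically requires exact URLs" as a hard rule, and uses constructed function names and sample data.

```python
from urllib.parse import urlsplit

# Scope types the article says need exact URLs (treated here as a hard rule).
EXACT_ONLY = {"CORS", "REDIRECT"}

def audit_origin(record):
    """Return findings for one trusted-origin record; an empty list means it passes."""
    origin = record["origin"]
    if "*" not in origin:
        return []  # exact origin: nothing wildcard-related to flag
    findings = []
    labels = (urlsplit(origin).hostname or "").split(".")
    # Accept only the "*.<domain>.com" shape: one leading "*" label followed by
    # at least two more labels. This is a label count, not a public-suffix check.
    if labels[0] != "*" or any("*" in l for l in labels[1:]) or len(labels) < 3:
        findings.append("wildcard is not of the form scheme://*.<domain>.<tld>")
    scopes = {s["type"] for s in record.get("scopes", [])}
    blocked = sorted(scopes & EXACT_ONLY)
    if blocked:
        findings.append("wildcard used with exact-only scope(s): " + ", ".join(blocked))
    return findings

def audit(records):
    """Map origin -> findings for every record with at least one finding."""
    return {r["origin"]: f for r in records if (f := audit_origin(r))}

# Constructed sample records (not real tenant data).
SAMPLE = [
    {"name": "portal", "origin": "https://portal.example.com",
     "scopes": [{"type": "CORS"}, {"type": "REDIRECT"}]},
    {"name": "embeds", "origin": "https://*.example.com",
     "scopes": [{"type": "IFRAME_EMBED"}]},
    {"name": "wild-cors", "origin": "https://*.example.org",
     "scopes": [{"type": "CORS"}, {"type": "IFRAME_EMBED"}]},
    {"name": "too-broad", "origin": "https://*.com",
     "scopes": [{"type": "IFRAME_EMBED"}]},
]

if __name__ == "__main__":
    for origin, findings in audit(SAMPLE).items():
        for finding in findings:
            print(f"{origin}: {finding}")
```

Run it against an export of the tenant's trusted origins before and after bulk changes so that an overly broad wildcard is caught in review rather than discovered later.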
