Set up CORS for Ory Network
Cross-Origin Resource Sharing (CORS) is a mechanism to allow cross-origin requests. CORS is a relaxation of the same-origin policy implemented in modern browsers. It allows a server to explicitly allow some cross-origin requests while rejecting others. It's important that you add CORS origins to your Ory Project so that Single Page Applications (SPAs) are supported. Ory Network allows up to 50 origins. If you plan on using server-side rendering or native applications, you can disable CORS. You can read more about CORS at MDN.
Ory Network doesn't allow setting the CORS origins to be *, null, or localhost/127.0.0.1. You can, however, use a wildcard subdomain such as https://*.foobar.ory. To be on the safe side, Ory recommends setting the CORS origins to be an exact match instead of a wildcard subdomain. For local development with localhost/127.0.0.1, use Ory Tunnel.
Supported Endpoints
All public endpoints apply the global CORS settings. For OAuth2, per-client CORS settings are also supported if CORS is enabled globally. This means that you can set different CORS settings for different OAuth2 clients. You can find the CORS settings in the OAuth2 client settings.
Enable CORS
CORS can be enabled using the Ory CLI:
ory patch project <your-project-id> \
--replace '/cors_public/enabled=true' \
--replace '/cors_public/origins=["https://*.foobar.ory"]'
You can find more information about the ory patch command in the Ory CLI documentation.
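A pre-flight check for an origin list before it is passed to the ory patch command above, written as an added example (it is not part of the Ory documentation or the Ory CLI). It encodes only the rules stated on this page; the function names, the strict no-path check and the rejection of wildcards anywhere other than a single leading *. label are assumptions.

```python
import json
from urllib.parse import urlsplit

MAX_ORIGINS = 50                       # limit stated on this page
LOCAL_HOSTS = {"localhost", "127.0.0.1"}


def lint_origin(origin):
    """Classify one origin as ('error' | 'warn' | 'ok', reason)."""
    if origin in ("*", "null"):
        return "error", "'*' and 'null' are not allowed"
    parts = urlsplit(origin)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https") or not host:
        return "error", "expected scheme://host[:port]"
    if parts.path or parts.query or parts.fragment:
        return "error", "an origin has no path, query or fragment"
    if host in LOCAL_HOSTS:
        return "error", "localhost/127.0.0.1 not allowed; use Ory Tunnel"
    if "*" in host:
        # Assumption: only a single leading '*.' label counts as a
        # wildcard subdomain; anything else is treated as an error.
        if host.startswith("*.") and "*" not in host[2:]:
            return "warn", "wildcard subdomain; exact match is recommended"
        return "error", "unsupported wildcard position"
    return "ok", "exact-match origin"


def build_replace_arg(origins):
    """Return the value for `ory patch project --replace`, or raise."""
    if len(origins) > MAX_ORIGINS:
        raise ValueError(f"{len(origins)} origins exceeds {MAX_ORIGINS}")
    errors = [(o, why) for o in origins
              for level, why in [lint_origin(o)] if level == "error"]
    if errors:
        raise ValueError(f"rejected origins: {errors}")
    return "/cors_public/origins=" + json.dumps(origins)


if __name__ == "__main__":
    # Constructed sample input, not taken from a real project.
    for o in ["*", "null", "http://localhost:3000",
              "https://*.foobar.ory", "https://app.foobar.ory"]:
        print(o, "->", *lint_origin(o))
    print(build_replace_arg(["https://app.foobar.ory"]))
```

A "warn" result does not block the patch; it marks the origins to review against the exact-match recommendation.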
CORS on custom domains
You can configure custom domains to use specific CORS settings. Head over to the Custom Domains documentation for all information.