Set up CORS for Ory Network

Cross-Origin Resource Sharing (CORS) is a mechanism that allows cross-origin requests by relaxing the same-origin policy implemented in modern browsers. It lets a server explicitly allow some cross-origin requests while rejecting others. Add CORS origins to your Ory Project so that Single Page Applications (SPAs) are supported. Ory Network allows up to 50 origins. If you plan on using server-side rendering or native applications, you can disable CORS. You can read more about CORS at MDN.

Note: Ory Network doesn't allow setting the CORS origins to be *, null or localhost/127.0.0.1. You can, however, use a wildcard subdomain such as https://*.foobar.ory. To be on the safe side, Ory recommends setting the CORS origins to be an exact match instead of a wildcard subdomain. For local development with localhost/127.0.0.1 use Ory Tunnel.

Supported Endpoints

All public endpoints apply the global CORS settings. For OAuth2, per-client CORS settings are also supported, provided CORS is enabled globally. This means that you can set different CORS settings for different OAuth2 clients. You can find the CORS settings in the OAuth2 client settings.

Enable CORS

CORS can be enabled using the Ory CLI:

ory patch project <your-project-id> \
--replace '/cors_public/enabled=true' \
--replace '/cors_public/origins=["https://*.foobar.ory"]'

You can find more information about the ory patch command in the Ory CLI documentation.
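
A pre-flight check for an origins list before it is passed to the command above, as an added example that is not part of the Ory documentation or the Ory CLI. It applies the limits stated on this page (at most 50 origins; no *, null, localhost or 127.0.0.1) and warns on wildcard subdomains; `lint_origins` and `patch_args` are hypothetical helper names and the sample origins are constructed.

```python
import json
import shlex
from urllib.parse import urlsplit

MAX_ORIGINS = 50                       # limit stated on this page
LOOPBACK = {"localhost", "127.0.0.1"}  # not accepted by Ory Network per this page

def lint_origins(origins):
    """Hypothetical helper: return (errors, warnings) for a proposed origins list."""
    errors, warnings = [], []
    if len(origins) > MAX_ORIGINS:
        errors.append(f"{len(origins)} origins exceeds the limit of {MAX_ORIGINS}")
    for origin in origins:
        if origin in ("*", "null"):
            errors.append(f"{origin!r}: not allowed as a CORS origin")
            continue
        try:
            parts = urlsplit(origin)
            host = parts.hostname or ""
        except ValueError:
            errors.append(f"{origin!r}: not parseable as a URL")
            continue
        # Browsers send Origin as scheme://host[:port]. Accepting only http(s) and
        # only the "*.domain" wildcard shape are assumptions of this lint.
        if parts.scheme not in ("http", "https") or not host:
            errors.append(f"{origin!r}: expected scheme://host[:port]")
        elif parts.path or parts.query or parts.fragment:
            errors.append(f"{origin!r}: an origin has no path, query or fragment")
        elif host in LOOPBACK:
            errors.append(f"{origin!r}: loopback origin, use Ory Tunnel instead")
        elif host.startswith("*.") and "*" not in host[2:]:
            warnings.append(f"{origin!r}: wildcard subdomain, prefer exact origins")
        elif "*" in host:
            errors.append(f"{origin!r}: wildcard must be the leftmost label only")
    return errors, warnings

def patch_args(project_id, origins):
    """Hypothetical helper: argv for `ory patch project`; refuses lists with errors."""
    errors, _ = lint_origins(origins)
    if errors:
        raise ValueError("; ".join(errors))
    return ["ory", "patch", "project", project_id,
            "--replace", "/cors_public/enabled=true",
            "--replace", "/cors_public/origins=" + json.dumps(origins)]

if __name__ == "__main__":
    sample = ["https://app.foobar.ory", "https://*.foobar.ory", "http://localhost:3000"]  # constructed
    print(lint_origins(sample))
    print(shlex.join(patch_args("<your-project-id>", sample[:1])))
```

Wildcard entries are reported as warnings rather than errors because Ory Network accepts them; the warning reflects the page's recommendation to list exact origins.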

CORS on custom domains

You can configure custom domains to use specific CORS settings. Head over to the Custom Domains documentation for all information.