Version: v1.8

Setting up Cross-origin resource sharing (CORS)

Both ORY Hydra's Admin and Public endpoints support CORS. For detailed information, head over to the exemplary config file.

For CORS to work properly, we encourage you to set the following values:

```yaml
serve:
  admin:
    cors:
      enabled: true
      allowed_origins:
        - https://example.com
        - https://*.example.com
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
      allowed_headers:
        - Authorization
      exposed_headers:
        - Content-Type
  public:
    cors:
      enabled: true
      allowed_origins:
        - https://example.com
        - https://*.example.com
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
      allowed_headers:
        - Authorization
      exposed_headers:
        - Content-Type
```

Keep in mind that the OAuth 2.0 Authorization Endpoint (/oauth2/auth) does not expose CORS by design. This endpoint should never be consumed in a CORS fashion. Some endpoints (/oauth2/token, /userinfo, /oauth2/revoke) additionally honour the URLs listed in the allowed_cors_origins field of the OAuth 2.0 Client that is making the request. For example, the OAuth 2.0 Client

```json
{
  "client_id": "foo",
  "allowed_cors_origins": ["https://foo-bar.com/"]
}
```

is allowed to make CORS requests to /oauth2/token from the origin https://foo-bar.com/ even if that origin is not listed in public.cors.allowed_origins.
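The following Go program is an added example, not ORY Hydra's own code. It models the decision described above: an Origin header is granted only if it matches one of the global allowed_origins patterns or, on /oauth2/token, /userinfo and /oauth2/revoke, if it is listed verbatim in the requesting client's allowed_cors_origins; /oauth2/auth is never granted. The single-`*` prefix/suffix wildcard matching, the exact string comparison of origins, and the names corsPolicy, matchOrigin and allowOrigin are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// corsPolicy holds the values that matter for one response: the global
// allowed_origins list from serve.public.cors and the allowed_cors_origins
// of the OAuth 2.0 client making the request. (Hypothetical type.)
type corsPolicy struct {
	Enabled              bool
	AllowedOrigins       []string // may contain one '*' wildcard, e.g. https://*.example.com
	ClientAllowedOrigins []string // exact origins from the client's allowed_cors_origins
}

// endpointsWithClientOrigins are the paths the documentation names as
// additionally honouring the client's allowed_cors_origins.
var endpointsWithClientOrigins = map[string]bool{
	"/oauth2/token":  true,
	"/userinfo":      true,
	"/oauth2/revoke": true,
}

// matchOrigin compares an Origin header value with one pattern. A single '*'
// splits the pattern into a prefix and a suffix that must both match; this
// wildcard convention is an assumption of the example. Matching is exact and
// case-sensitive otherwise.
func matchOrigin(pattern, origin string) bool {
	i := strings.IndexByte(pattern, '*')
	if i < 0 {
		return pattern == origin
	}
	prefix, suffix := pattern[:i], pattern[i+1:]
	return len(origin) >= len(prefix)+len(suffix) &&
		strings.HasPrefix(origin, prefix) &&
		strings.HasSuffix(origin, suffix)
}

// allowOrigin returns the value to place in Access-Control-Allow-Origin for a
// request to path carrying the given Origin header, or "" when CORS must not
// be granted. The authorization endpoint is always refused.
func allowOrigin(p corsPolicy, path, origin string) string {
	if !p.Enabled || origin == "" || path == "/oauth2/auth" {
		return ""
	}
	for _, pat := range p.AllowedOrigins {
		if matchOrigin(pat, origin) {
			return origin
		}
	}
	if endpointsWithClientOrigins[path] {
		for _, o := range p.ClientAllowedOrigins {
			if o == origin { // exact match only; no wildcards for client origins
				return origin
			}
		}
	}
	return ""
}

func main() {
	// Constructed policy mirroring the sample config above and client "foo".
	p := corsPolicy{
		Enabled:              true,
		AllowedOrigins:       []string{"https://example.com", "https://*.example.com"},
		ClientAllowedOrigins: []string{"https://foo-bar.com/"},
	}
	cases := []struct{ path, origin string }{
		{"/oauth2/token", "https://app.example.com"},       // global wildcard
		{"/oauth2/token", "https://foo-bar.com/"},          // client-specific origin
		{"/clients", "https://foo-bar.com/"},               // client origins do not apply here
		{"/oauth2/auth", "https://example.com"},            // never CORS
		{"/oauth2/token", "https://example.com.evil.test"}, // lookalike must not match
	}
	for _, c := range cases {
		fmt.Printf("%-15s %-36s -> %q\n", c.path, c.origin, allowOrigin(p, c.path, c.origin))
	}
}
```

Two points the run makes visible: the pattern https://*.example.com does not cover the bare https://example.com, which is why the sample config lists both, and a client's allowed_cors_origins only widens the set for the three token-related endpoints, not for anything else the public or admin port serves.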