
          Enable CORS for OAuth Endpoints

          Web applications use Cross-Origin Resource Sharing (CORS) to request resources from origins other than their own. For example, a web page can use CORS to request information about a user from your My Domain login URL or Experience Cloud site URL. In addition to public and allowlisted web pages, Salesforce supports CORS for certain OAuth endpoints when requested from a My Domain login URL or Experience Cloud site URL.

          Required Editions

          Available in: both Salesforce Classic and Lightning Experience
          Available in: All Editions
          User Permissions Needed
          To create, read, update, and delete: Modify All Data AND Customize Application

          CORS is automatically enabled for these endpoints.

          • /.well-known/openid-configuration
          • /.well-known/auth-configuration
          • /services/oauth2/id/keys

          In addition, you can enable CORS for the /services/oauth2/userinfo endpoint by adding the origin URL of the web application serving the code to the CORS allowlist.

          You can also enable CORS for the endpoints in this table by selecting the Enable CORS for OAuth endpoints checkbox. Salesforce supports CORS for these endpoints only for certain host domains.

          Endpoint                                           Supported Host Domains for CORS
          /services/oauth2/token                             My Domain or Experience Cloud site URLs
          /services/oauth2/revoke                            My Domain or Experience Cloud site URLs
          /services/oauth2/introspect                        My Domain or Experience Cloud site URLs
          /services/oauth2/authorize                         My Domain or Experience Cloud site URLs
          /services/oauth2/pkce/generator                    My Domain or Experience Cloud site URLs
          /services/auth/headless/init/registration          Experience Cloud site URLs only
          /services/auth/headless/init/passwordless/login    Experience Cloud site URLs only
          /services/auth/headless/forgot_password            Experience Cloud site URLs only
          Warning: Some OAuth authorization flows contain a consumer secret. We strongly recommend that you protect the consumer secret from being exposed to end users.

          To enable CORS for the endpoints listed in the table, take these steps.

          1. From Setup, in the Quick Find box, enter CORS, and then select CORS.
          2. Add the origin URL of the web application serving the code to a CORS allowlist.
          3. In the Cross-Origin Resource Sharing (CORS) Policy Settings section, click Edit.
          4. Select Enable CORS for OAuth endpoints.
          5. Save your work.
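
To confirm the result of these steps, this added example (not Salesforce code) audits the CORS headers an OAuth endpoint returns for an allowlisted origin and for one that is not allowlisted. The hostnames, sample headers, and function names are assumptions; the check relies only on the standard Access-Control-Allow-Origin response header.

```javascript
// Added example: checks CORS response headers from an OAuth endpoint.
// All hostnames and sample headers below are constructed placeholders.

// Decide whether the response headers grant `origin` cross-origin access,
// and compare that with what the CORS allowlist is meant to permit.
function auditCorsHeaders(origin, expectAllowed, headers) {
  const findings = [];
  // Browsers send Origin as scheme://host[:port], with no path or trailing slash.
  if (new URL(origin).origin !== origin) {
    findings.push('test origin is not a bare scheme://host[:port] value');
  }
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const acao = h['access-control-allow-origin'];
  if (acao === '*') findings.push('wildcard Access-Control-Allow-Origin');
  const granted = acao === '*' || acao === origin;
  if (expectAllowed && !granted) findings.push('allowlisted origin was not granted access');
  if (!expectAllowed && granted) findings.push('origin outside the allowlist was granted access');
  return { origin, granted, ok: findings.length === 0, findings };
}

// Live check (Node 18+, where fetch lets a script set Origin itself).
// baseUrl is your My Domain login URL or Experience Cloud site URL.
// The POST preflight suits the token, revoke and introspect endpoints.
async function probe(baseUrl, path, origin, expectAllowed) {
  const res = await fetch(baseUrl + path, {
    method: 'OPTIONS',
    headers: { Origin: origin, 'Access-Control-Request-Method': 'POST' },
  });
  return auditCorsHeaders(origin, expectAllowed, Object.fromEntries(res.headers));
}

// Constructed responses: one for each outcome worth telling apart.
const SAMPLES = [
  ['https://app.example.com', true, { 'Access-Control-Allow-Origin': 'https://app.example.com' }],
  ['https://app.example.com', true, {}],
  ['https://other.example.net', false, {}],
  ['https://other.example.net', false, { 'access-control-allow-origin': 'https://other.example.net' }],
];
function auditSamples() {
  return SAMPLES.map(([origin, expected, headers]) => auditCorsHeaders(origin, expected, headers));
}
```

Run `probe` once with the origin you added in step 2 and once with an origin you did not add; a finding on the second call means the allowlist is broader than intended.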
           