Access token endpoint taken away?

I’m having an issue with access tokens (or maybe it’s just my understanding of them).
So the user logs in and the getAccessTokenSilently makes an access token depending on the audience - great.
When I’m now trying to get an access token to make an HTTP request to my serverside I use the following code - pretty much copied and pasted (changed to fetch instead of requests) from the settings tab of the API page:

    const options = {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json'
      },
      body: JSON.stringify({
        client_id: 'CLIENT_ID',
        client_secret: 'CLIENT_SECRET',
        audience: 'API_IDENTIFIER',
        grant_type: 'client_credentials'
      })
    };

    fetch('https://<DOMAIN>/oauth/token', options)
      .then(response => response.json())
      .then(data => console.log(data))
      .catch(error => console.error(error));

But I'm getting a 'has been blocked by CORS policy' error - has this endpoint call been taken away? I'm confused because this was the code that it told me to put in. How do I get an access token with the audience of my API_Identifier?

Hi @arjan.panesar,

The endpoint still works fine for me. Are you making this request locally to your server? I know that some browsers disable CORS for security purposes. There are ways to disable these temporarily for testing purposes.

Oh okay. I don’t know if I’m following best practices; I’ve got a React app, so I am using PKCE. I’m making the requests to the /oauth/token endpoint from my client (currently I’m doing this on localhost in a test environment).

I tried to disable CORS using: chrome.exe --disable-web-security. This also didn’t work.

My understanding is that to make GET and POST requests to my server from my client, having them secured via access tokens, the audiences from both getAccessTokenSilently and auth (from express-oauth2-jwt-bearer: const { auth } = require('express-oauth2-jwt-bearer')) have to be the same. But does this require user consent to send to my server?

I’m basically trying to get an access token clientside to communicate with my server.
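
As an added illustration of the audience matching discussed in the post above (not part of the original posts, and not the code of express-oauth2-jwt-bearer): the checks an API applies to a bearer token before trusting it, including the `aud` match. The issuer and audience values, the key pair and the function names are constructed for the example, and RS256 signing is an assumption.

```javascript
// Added example: every name and value here is constructed, not from the thread.
const crypto = require('crypto');

const b64url = (v) => Buffer.from(v).toString('base64url');

// Stand-in for the authorization server's signing key (assumption: RS256).
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Mint a constructed RS256 token so the example runs offline.
function mintToken(claims) {
  const head = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(claims));
  const sig = crypto.sign('RSA-SHA256', Buffer.from(`${head}.${body}`), privateKey);
  return `${head}.${body}.${sig.toString('base64url')}`;
}

// Hypothetical verifier: signature first, then issuer, expiry and audience.
function verifyAccessToken(token, { issuer, audience, key, now = Date.now() / 1000 }) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [head, body, sig] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(head, 'base64url').toString());
    claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  } catch { return { ok: false, reason: 'malformed' }; }
  // Pin the algorithm: the token must not choose how it is verified.
  if (header.alg !== 'RS256') return { ok: false, reason: 'bad alg' };
  const valid = crypto.verify('RSA-SHA256', Buffer.from(`${head}.${body}`), key,
    Buffer.from(sig, 'base64url'));
  if (!valid) return { ok: false, reason: 'bad signature' };
  if (claims.iss !== issuer) return { ok: false, reason: 'wrong issuer' };
  if (typeof claims.exp !== 'number' || claims.exp <= now) return { ok: false, reason: 'expired' };
  // "aud" may be a string or an array; the API's own identifier must be in it.
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(audience)) return { ok: false, reason: 'wrong audience' };
  return { ok: true, claims };
}

const api = { issuer: 'https://tenant.example/', audience: 'https://api.example/', key: publicKey };
const exp = Math.floor(Date.now() / 1000) + 300;
const good = mintToken({ iss: api.issuer, aud: [api.audience, 'https://tenant.example/userinfo'], exp });
const other = mintToken({ iss: api.issuer, aud: 'https://other-api.example/', exp });
console.log(verifyAccessToken(good, api).ok, verifyAccessToken(other, api).reason);
```

A token minted for a different audience is rejected even though its signature and issuer are valid, which is why the audience requested on the client has to be the API's identifier.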

In my case I also had to disable GPU and set a temporary data dir for Chrome to accept launching without CORS (example below - adapt your TEMP dir to your liking)

Please note that this mainly applies to testing because of the security concerns that come with disabling CORS.

    chrome.exe --disable-web-security --disable-gpu --user-data-dir=your_temp_dir_here