CORS error ("xxx is not allowed by Access-Control-Allow-Headers in preflight response")

Hello,
We are experiencing an issue in our app: when it tries to call the /token API, we get the following CORS error:
x-datadog-origin is not allowed by Access-Control-Allow-Headers in preflight response
For context, we have a React application that connects to our custom domain on Auth0 using the SDK and the silent login. That app adds Datadog headers to every external request to enable monitoring tasks, but these headers are not declared in the CORS headers received after the preflight, thus the connection is refused.
Where and how can we declare these headers in Auth0? Note that we correctly configured the rest of our CORS allowed origins in the Auth0 application.

We’re experiencing the same thing with Sentry after updating their client SDK to v7, which adds baggage and sentry-trace headers to all requests. Is there any guidance for how to allow these headers in Auth0 requests?

After some more research, it appears Sentry has added an option to only attach the headers to a matched list of endpoints. https://develop.sentry.dev/sdk/performance/#tracepropagationtargets
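The approach in the post above (attach tracing headers only to matched endpoints) can be checked with a small model of the browser's preflight header test. This is an added example, not code from the posters, Auth0, Sentry or Datadog; the hostnames, the allow-list value and all function names are assumptions made for illustration.

```javascript
// Added example. Hostnames, header values and the allow-list are constructed.
const SAFE_NAMES = new Set(["accept", "accept-language", "content-language"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Simplified model of the browser's preflight header check (Fetch spec):
// returns the request header names the preflight response does not allow.
function blockedHeaders(requestHeaders, allowHeadersValue, withCredentials = false) {
  const allowed = new Set(
    allowHeadersValue.split(",").map((h) => h.trim().toLowerCase()).filter(Boolean)
  );
  const wildcard = allowed.has("*") && !withCredentials;
  return Object.entries(requestHeaders)
    .map(([name, value]) => [name.toLowerCase(), String(value)])
    .filter(([name, value]) => {
      if (SAFE_NAMES.has(name)) return false;
      if (name === "content-type") {
        const mime = value.split(";")[0].trim().toLowerCase();
        if (SAFE_CONTENT_TYPES.has(mime)) return false;
      }
      if (allowed.has(name)) return false;
      // "*" never covers Authorization and is a literal on credentialed requests.
      return !(wildcard && name !== "authorization");
    })
    .map(([name]) => name);
}

// Decide whether tracing headers may be attached to an outgoing request.
// Strings are substring matches; RegExps are tested against the full URL.
function shouldPropagate(url, targets) {
  return targets.some((t) => (t instanceof RegExp ? t.test(url) : url.includes(t)));
}

// Build the final header set for a request, adding trace headers only for targets.
function buildHeaders(url, baseHeaders, traceHeaders, targets) {
  return shouldPropagate(url, targets) ? { ...baseHeaders, ...traceHeaders } : { ...baseHeaders };
}

const TARGETS = [/^https:\/\/api\.example\.com\//]; // hypothetical first-party API only
const TRACE = { "sentry-trace": "constructed-id", baggage: "constructed", "x-datadog-origin": "rum" };
const BASE = { "Content-Type": "application/json" };
const ALLOW = "content-type, authorization"; // constructed Access-Control-Allow-Headers value
const TOKEN_URL = "https://auth.example.com/oauth/token"; // hypothetical custom domain

console.log("unscoped:", blockedHeaders({ ...BASE, ...TRACE }, ALLOW));
console.log("scoped:  ", blockedHeaders(buildHeaders(TOKEN_URL, BASE, TRACE, TARGETS), ALLOW));
```

With the target list limited to the first-party API, the request to the identity provider's domain carries no tracing headers, so nothing has to be added to an allow-list the application does not control.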

@rquelen, did you ever find an answer to this? I’m now hitting the same problem and don’t see anywhere to configure Access-Control-Allow-Headers.
