CORS issue on /oauth/token request

I first send a non-logged in user to the Hosted Login page through auth0 which redirects them to If a user is logged in, then I gather the authorization code and do the same redirect.

Once in my site, I attempt to gather the access token using the authorization code by asking I then get the error “Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘’ is therefore not allowed access.” I have added to the client’s allowed callback URLs, allowed web origins, and allowed origins lists. The goal is to complete a implicit grant flow as described here

I do not know what I am doing wrong. Is this because I am requesting the access code from an http domain instead of an https domain? Why is auth0 rejecting this cross domain call.

Try upgrading to the latest version of whatever SDK you are using. That worked for me with the Lock widget.

Since this is still in development, I was able to do this for testing and everything works as expected. I get my access_token. It seems the only problem is that the response from the /oauth/token endpoint does not contain the proper access-origin-allow header. Is there a setting somewhere in the auth0 dashboard that I missed? Does my audience name parameter in the /oauth/token request need to match the DNS name of the web app?

Thanks for the advice. We made the change upgraded to the latest SDK but get the same error.

Hey there!

Sorry for such huge delay in response! We’re doing our best in providing you with best developer support experience out there, but sometimes our bandwidth is not enough comparing to the number of incoming questions.

Wanted to reach out to know if you still require further assistance?