Auth0 Home Blog Docs

CORS Origins not applying correctly



I have two tenants with Auth0. A development one that was created a couple of years ago and a new one created this year. Setting the Allowed Origins (CORS) option on an application is being ignored on the new tenant.

When I execute an OPTIONS request on the new tenant, it doesn’t return the Access-Control-Allow-Origin header. When I repeat the same test against the older tenant, it returns the header correctly.

Has anyone else had problems in this space?


What endpoint? Is this oauth/token?


Its the /co/authenticate endpoint as part of a call to redirect.loginWithCredentials from the auth0-js package version 9.3.1


Did you set the allowed web origins as well?


I have not, and my working tenant has not required that field to be specified. Is this somehow related to the fact that the working tenant still has legacy lock enabled but the new one was created recently and so that option isn’t available and is disabled?. I’m using v9 of auth0-js so I thought I am covered from any legacy lock functionality. But I have not needed to enable custom domains or use the allowed web origins for this to work so far on the other tenant.


Old and new tenants have a different set of rules and configurations. Can you try following our guidance here and let me know how it goes?


Thanks Luis, really appreciate you taking the time to respond to this. My initial reaction is that this sentence makes our current solution incompatible with the new tenant. “Please note that the URLs specified for Allowed Web Origins cannot contain wildcards or relative paths after the domain.”

We’re going to have to completely rethink our Auth0 integration strategy here for what’s been working fine for well over a year. Is there any option for getting a tenant created like for like with the working one? We need the two tenants for compliancy reasons but did not anticipate such vast differences between two Auth0 tenants.

Thanks again.


Can you dm me both tenant names? I’ll see if I can make this happen. I don’t know if this is possible at all, but I’ll forward to the correct people.