Passwordless Cors and/or https requirements?

My application (Vue.js / SPA) requires passwordless auth and I’m trying to test out a simple hello-world to no avail. I’ve gone through all the docs, set up my code as shown here:

I get my auth code via SMS successfully, but when calling passwordlessLogin(), I get this error in Chrome:

Access to XMLHttpRequest at ‘’ from origin ‘http://localhost:8080’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource

Same issue whether using Custom UI or Lock. Also same issue whether using HTTPS or even a custom domain/host on my local machine (

And of course, don’t ask: yes I have my URL (http://localhost:8080) set as a Callback in my Application Settings, and also in the Allow Origins CORS section (supposedly redundant, but whatev).

Pulling hair out, wasting hours… what am I missing???

You mention you added the origin http://localhost:8080 in the Allowed Callback URLs and in the Allow Origins (CORS) (they are not redundant) but I have to ask… Did you add the origin to the Allowed Web Origins setting? That’s the one required for the Cross-Origin Authentication (/co/authenticate) protocol to work.

Holy cow. Total noob, yes, that was it. I obviously knew the importance of setting the URLs in there, but I was hyper-focused the one labeled “CORS” and not the “Web” origins.


Now to figure out how to disable “consent” when the login is made from my known domain, 1st-party app…

1 Like

Take a look here, but you can’t skip the consent dialog if using localhost.

Wow, yes, that would have been a head scratcher regarding localhost.

I tried it by setting a local custom domain as a test and indeed, the consent screen was skipped!

Many thanks!

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.