Setting up cross-origin resource sharing (CORS)
Ory Kratos' Public API supports CORS out of the box. A reference for this configuration can be found in the Configuration Reference.
For CORS to work properly, we recommend setting the following values:
serve:
  public:
    cors:
      enabled: true
      allowed_origins:
        - https://example.org
        - https://*.example.org
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
      allowed_headers:
        - Authorization
        - Cookie
        - Content-Type
      exposed_headers:
        - Content-Type
        - Set-Cookie
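
One way to confirm the settings took effect is to send a preflight (OPTIONS) request and compare the response headers with the policy above. The sketch below is an added example, not part of the Ory documentation or code base; the function name, argument shapes and sample headers are assumptions constructed for illustration.

```javascript
// Added example, not Ory code. POLICY mirrors allowed_methods and allowed_headers above.
const POLICY = {
  methods: ["POST", "GET", "PUT", "PATCH", "DELETE"],
  headers: ["authorization", "cookie", "content-type"],
};

// Split a comma-separated header value into lowercase tokens.
const tokens = (v) => (v || "").split(",").map((t) => t.trim().toLowerCase()).filter(Boolean);

// req: { origin, method, headers } as sent in the OPTIONS request (hypothetical shape).
// originListed: whether req.origin is covered by allowed_origins (decided by the caller).
// res: response headers as a plain object. Returns findings; an empty list means "as expected".
// Simplification: CORS-safelisted methods/headers and "*" in method/header lists are not modelled.
function auditPreflight(req, originListed, res, policy = POLICY) {
  const h = Object.fromEntries(Object.entries(res).map(([k, v]) => [k.toLowerCase(), v]));
  const acao = h["access-control-allow-origin"];
  const method = req.method.toLowerCase();
  const wanted = req.headers.map((x) => x.toLowerCase());
  const okMethod = tokens(h["access-control-allow-methods"]).includes(method);
  const grantedHeaders = tokens(h["access-control-allow-headers"]);
  const missing = wanted.filter((x) => !grantedHeaders.includes(x));
  const inPolicy = originListed &&
    policy.methods.includes(method.toUpperCase()) &&
    wanted.every((x) => policy.headers.includes(x));
  if (!inPolicy) {
    // A request outside the policy must not come back fully granted.
    const granted = (acao === req.origin || acao === "*") && okMethod && missing.length === 0;
    return granted ? [`request outside policy was granted (origin ${req.origin})`] : [];
  }
  const findings = [];
  if (acao === "*") {
    findings.push("Access-Control-Allow-Origin is *: rejected by browsers for credentialed requests");
  } else if (acao !== req.origin) {
    findings.push(`Access-Control-Allow-Origin is ${acao}, expected ${req.origin}`);
  }
  if (!okMethod) findings.push(`method ${req.method} not granted`);
  for (const x of missing) findings.push(`request header ${x} not granted`);
  return findings;
}

// Constructed sample: a preflight from a listed origin and a matching response.
const SAMPLE_REQ = { origin: "https://app.example.org", method: "PATCH", headers: ["Content-Type", "Authorization"] };
const SAMPLE_RES = {
  "Access-Control-Allow-Origin": "https://app.example.org",
  "Access-Control-Allow-Methods": "PATCH",
  "Access-Control-Allow-Headers": "Content-Type, Authorization",
};
console.log(auditPreflight(SAMPLE_REQ, true, SAMPLE_RES));
```

The response headers can be captured with any HTTP client; the comparison itself needs no network access.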