CORS error on

I’ve read multiple places that you can use the OAuth2 auth method with where CORS is effectively whitelisted.

However, does this not include I am getting the CORS error (frontend request) from this domain. Since this is necessary to even access the OAuth2-based api domain, if you can’t use the auth server without a CORS error, then the whole thing seems pointless. I hope I’m wrong.


Welcome to the Atlassian developer community @MarkJansen,

When referring to, I think you are referring to the first step in the authorization code flow. The docs refer to that as “Direct the user to the authorization URL”, which is not an API call but a redirect. Your front-end should not be treating it as an API call.

If you are trying to do this entirely from the front-end, the other problem is how your front-end would keep the client secret from being exposed. For front-ends, OAuth authorization code flow is not sufficient. In the OAuth world, the PKCE flow has become popular for front-ends but we (Atlassian) have not implemented that flow.

I’m not sure if all that adds up to good news or bad news.

Actually I’m referring to the second step of the Authorization.
"Exchange authorization code for access token"

This step is an API call, not a redirect as far as I know. Without this one API call working without CORS, it seems that it’s impossible to get what you need to use the CORS-whitelisted services.


Thanks for clarifying. Then it is my 2nd paragraph that stands. The OAuth authorization code flow was not designed for front-end-only clients. It’s a flow for back-end services to get authorization to act on behalf of users.
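
An added example, not part of the thread and not Atlassian's code: a minimal sketch of the back-end side of the authorization code flow, where the server (not the browser) performs the code-for-token exchange so the client secret never reaches front-end code and no cross-origin browser request is involved. The token URL, client credentials, redirect URI and the helper names `new_state`, `build_token_request` and `handle_callback` are all assumptions made for illustration.

```python
import secrets

# Assumptions (not from the thread): placeholder endpoint and credentials.
TOKEN_URL = "https://auth.example.invalid/oauth/token"
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"  # stored only on the server
REDIRECT_URI = "https://app.example.invalid/callback"

SESSIONS = {}  # session id -> token response, held server-side


def new_state(pending):
    """Create the anti-CSRF state value sent with the authorization redirect."""
    state = secrets.token_urlsafe(16)
    pending.add(state)
    return state


def build_token_request(code):
    """Body of the code-for-token exchange; it carries the client secret."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "code": code,
        "redirect_uri": REDIRECT_URI,
    }


def handle_callback(query, pending, post):
    """Back-end handler for the redirect back from the authorization server.

    `post(url, body)` is the server's HTTP client, injected so the example
    runs offline. Returns (status, body_sent_to_browser).
    """
    state, code = query.get("state", ""), query.get("code", "")
    # Reject callbacks whose state this server did not issue.
    if state not in pending or not code:
        return 400, {"error": "invalid state or missing code"}
    pending.discard(state)  # state is single use
    tokens = post(TOKEN_URL, build_token_request(code))
    if "access_token" not in tokens:
        return 502, {"error": "token exchange failed"}
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = tokens
    # The browser gets only an opaque session id, never tokens or the secret.
    return 200, {"session": session_id}
```

The front-end then calls this back end with its session, and the back end attaches the stored access token when it calls the API on the user's behalf.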