ForgeRock Developer Experience

Configure CORS

Applies to:

  • ForgeRock SDK for Android

  • ForgeRock SDK for iOS

  • ForgeRock SDK for JavaScript

Cross-origin resource sharing (CORS) lets user agents make cross-domain server requests. In AM, you can configure CORS to allow browsers from trusted domains to access AM-protected resources. For example, you might want a custom web application running on your own domain to get an end-user’s profile information using the AM REST API.

When trying out the ForgeRock SDKs you run sample applications locally using a DNS alias, such as You need to add accepted origin domains to the configuration based on the DNS alias you give to your apps.

To enable CORS in AM, and create a CORS filter to allow requests from your configured domain names, follow these steps:

  1. Log in to the AM admin UI as an administrator.

  2. Navigate to Configure > Global Services > CORS Service > Configuration, and set the Enable the CORS filter property to true.

    If this property is not enabled, CORS headers are not added to responses from AM, and CORS is disabled entirely.
  3. On the Secondary Configurations tab, click Add a Secondary Configuration.

  4. In the Name field, enter ForgeRockSDK.

  5. In the Accepted Origins field, enter any DNS aliases you use for your SDK apps.

    This documentation assumes the following configuration:

    Property Values

    Accepted Origins

    Accepted Methods



    Accepted Headers







    Exposed Headers




  6. Click Create.

    AM displays the configuration of your new CORS filter.

  7. On the CORS filter configuration page:

    1. Ensure Enable the CORS filter is enabled.

    2. Set the Max Age property to 600.

    3. Ensure Allow Credentials is enabled.

    Figure 1. Example of the completed ForgeRock SDK CORS filter
  8. Click Save Changes.
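
One way to confirm the saved filter behaves as configured is to inspect the headers AM returns to a preflight (OPTIONS) request from your app's origin. The following is an added example, not ForgeRock code: the origin `https://sdkapp.example.com:8443`, the requested header names, and both sample responses are constructed assumptions, while the Max Age of 600 and the enabled Allow Credentials setting come from step 7.

```javascript
// Added example: check a CORS preflight response against the filter settings above.
// EXPECTED.origin is an assumed DNS alias; the sample responses below are constructed.
const EXPECTED = { origin: "https://sdkapp.example.com:8443", maxAge: 600, allowCredentials: true };

// HTTP header names are case-insensitive, so compare on lower-cased names.
function normalise(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

// Split a comma-separated header value into lower-cased tokens.
const list = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// Returns a list of problems; an empty list means the response matches expectations.
function checkPreflight(responseHeaders, method, requestHeaders, expected = EXPECTED) {
  const h = normalise(responseHeaders);
  const acao = h["access-control-allow-origin"];
  if (acao === undefined) {
    return ["no Access-Control-Allow-Origin header (is the filter enabled and the origin accepted?)"];
  }
  const problems = [];
  // Browsers reject a wildcard origin on credentialed requests; the exact origin must be echoed.
  if (acao === "*" && expected.allowCredentials) problems.push("wildcard origin cannot be used with credentials");
  else if (acao !== expected.origin) problems.push(`origin mismatch: ${acao}`);
  if (expected.allowCredentials && h["access-control-allow-credentials"] !== "true") {
    problems.push("Access-Control-Allow-Credentials is not true");
  }
  if (!list(h["access-control-allow-methods"]).includes(method.toLowerCase())) {
    problems.push(`method not allowed: ${method}`);
  }
  const allowed = list(h["access-control-allow-headers"]);
  for (const name of requestHeaders) {
    if (!allowed.includes(name.toLowerCase())) problems.push(`header not allowed: ${name}`);
  }
  if (Number(h["access-control-max-age"]) !== expected.maxAge) problems.push("unexpected Access-Control-Max-Age");
  return problems;
}

// Constructed sample responses: one matching the filter, one misconfigured.
const GOOD = { "Access-Control-Allow-Origin": "https://sdkapp.example.com:8443",
  "Access-Control-Allow-Credentials": "true", "Access-Control-Allow-Methods": "GET, POST",
  "Access-Control-Allow-Headers": "content-type, accept-api-version", "Access-Control-Max-Age": "600" };
const BAD = { "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Credentials": "true",
  "Access-Control-Allow-Methods": "GET", "Access-Control-Allow-Headers": "content-type" };

console.log(checkPreflight(GOOD, "POST", ["content-type", "accept-api-version"]));
console.log(checkPreflight(BAD, "POST", ["content-type", "accept-api-version"]));
```
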

Copyright © 2010-2023 ForgeRock, all rights reserved.