Configure Trusted Origins
A Trusted Origin is a security-based concept that combines the URI scheme, hostname, and port number of a page. All cross-origin web requests and redirects from Okta to your organization’s websites must be explicitly allowed.
Use the Trusted Origins tab on the Security > API page to grant access to websites that you control and trust to access your Okta org through the Okta API. For developers, see Trusted Origins API.
The following admin configurations require Trusted Origins:
Orgs can use WebAuthn for sign-in pages hosted at Trusted Origins that are different from the org's Okta or custom domain URL. WebAuthn, however, requires the HTTPS protocol. Specify HTTPS, and not HTTP, when you configure a Trusted Origin for this use case.
To add a Trusted Origin:
- In the Admin Console, go to .
- Select the Trusted Origins tab.
- Click Add Origin.
In the Add Origin dialog, enter Name and Origin URL.
Supported schemes are HTTP, HTTPS, FTP, Ionic 2, and Capacitor.
- Select the origin Type:
- Redirect – Allows for browser redirection to your org's trusted websites after signing in or out.
- iFrame embed (origin) - Allows iFrame embedding of Okta sign-in pages, Okta resources, Okta End-User Dashboard. See Trusted Origins for iFrame embedding.
- Click Save.