Configure Trusted Origins

A Trusted Origin is a security-based concept that combines the URI scheme, hostname, and port number of a page. All cross-origin web requests and redirects from Okta to your organization’s websites must be explicitly allowed.

Use the Trusted Origins tab on the Security > API page to grant access to websites that you control and trust to access your Okta org through the Okta API. For developers, see Trusted Origins API.

The following admin configurations require Trusted Origins:

Note

Orgs can use WebAuthn for sign-in pages hosted at Trusted Origins that are different from the org's Okta or custom domain URL. See WebAuthn (MFA).

To add a Trusted Origin:

  1. In the Admin Console, go to Security > API.
  2. Select the Trusted Origins tab.
  3. Click Add Origin.
  4. In the Add Origin dialog, enter Name and Origin URL.
  5. Select the origin Type:
    • CORS – Cross-Origin Resource Sharing (CORS) allows JavaScript hosted on your websites to make an XMLHttpRequest to the Okta API using the Okta session cookie.
      Info

      What is CORS? Cross-origin resource sharing (CORS) is a standard browser feature that allows JavaScript hosted on your websites to make an XMLHttpRequest (XHR) to the Okta API with the Okta session cookie.

    • Redirect – Allows for browser redirection to your org's trusted websites after signing in or out.
  6. Click Save.
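
The following is an added example, not part of Okta's documentation or code. It shows how a page URL reduces to the scheme, hostname, and port that make up an origin, which is the value to enter as the Origin URL. The hostnames are constructed, and the exact-match comparison in `isTrusted` is an assumption of the example, not a description of Okta's matching logic.

```javascript
// Added example: derive the origin (scheme + hostname + port) of a page URL
// and compare it against a list of trusted origins.
// All hostnames below are constructed sample values.

// Return the origin of a URL, or null if the input is not an absolute http(s) URL.
function toOrigin(pageUrl) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch (err) {
    return null; // not an absolute URL
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    return null; // only web origins are meaningful for this check
  }
  // URL.origin drops the path, query, fragment and credentials, lowercases
  // the hostname, and omits the port when it is the scheme default (443 / 80).
  return url.origin;
}

// Assumption of this example: a page is trusted only when its normalized
// origin is exactly equal to one of the configured origins.
function isTrusted(pageUrl, trustedOrigins) {
  const origin = toOrigin(pageUrl);
  if (origin === null) return false;
  const normalized = new Set(trustedOrigins.map(toOrigin));
  return normalized.has(origin);
}

// Constructed configuration: one default-port origin, one explicit-port origin.
const trusted = ['https://app.example.com', 'https://portal.example.com:8443'];

const samples = [
  'https://App.Example.com:443/login?next=/home', // same origin after normalization
  'http://app.example.com/login',                 // scheme differs
  'https://app.example.com:8443/',                // port differs
  'https://sub.app.example.com/',                 // hostname differs
  'https://portal.example.com:8443/callback',     // explicit port matches
];

for (const s of samples) {
  console.log(`${s} -> ${toOrigin(s)} trusted=${isTrusted(s, trusted)}`);
}
```

A change in any one of the three components produces a different origin, so each scheme, hostname, and port combination in use needs its own entry.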