Can't make fetch requests to api/v1/sessions 🤡

Access to fetch at 'https://dev-550287.okta.com/api/v1/sessions' from origin 'http://localhost:8000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

I’ve added no-cors but that’s not what I want… The CURL request works fine btw.

Have you added http://localhost:8000 as a Trusted Origin for CORS? With that enabled, does the following request work?

fetch('https://dev-550287.okta.com/api/v1/sessions/me', {credentials: "include"})
  .then((response) => {
    return response.json();
  })
  .then((data) => {
    console.log(data);
  });

Yes I have added that to Trusted Origins.

Yes that fetch does work. I think the sessions endpoint is messed up.

So the fetch code you provided works in browser. I tweaked your code a bit and this throws the error mentioned above:

fetch('https://dev-550287.okta.com/api/v1/sessions', { // changed endpoint
    credentials: 'include',
    method: 'POST', // added this
    body: JSON.stringify({ // and this
        sessionToken,
    }),
})
    .then(response => response.json())
    .then(data => {
        console.log(data)
    })

Adding ‘application/json’ Accept + Content-Type headers doesn’t help.

Hi @corysimmons

The /api/v1/sessions endpoint is not CORS enabled. The best solution would be to do this request through a back-end channel, providing an API call to authenticate te request.