Getting CORS error while calling okta /v1/token api


I am receiving CORS errors while making a POST request to the Okta /v1/token API. I am testing from my local Angular application. I have added my Angular localhost URL as a trusted origin in Okta but am still getting the same error. The API is working fine in Postman. Any help is greatly appreciated. Please help me.


Hi @sravan2478! The token endpoint is not CORS enabled; see Overview | Okta Developer. Here is an example request from the backend: OpenID Connect & OAuth 2.0 API | Okta Developer.

@sravan2478 correction: this endpoint is CORS enabled for PKCE/SPA apps, but it should not require trusted origins. Can you take a screenshot of the CORS error with the network tab showing the call?


Thanks a lot, Sigama, and sorry for the late response; I was in another emergency.
Please note that I have already added my origin to trusted origins. Below are the error and API details.

Here is my Angular code calling the API:

getAccessToken() {
  let body = {
    'grant_type': 'client_credentials',
    'scope': 'read'
  };

  let httpHeaders = new HttpHeaders({
    'Authorization': 'Basic ' + 'MG9hMWZoN29iM2RUOE1VQmc1ZDc6YmI3T3hTTFdfaFhvRmtFRGdEVkhmOXNiTGowZVJfRGRQNkhiQkpKdQ==',
    'accept': 'application/json',
    'cache-control': 'no-cache',
    'content-type': 'application/x-www-form-urlencoded'
  });

  let options = { headers: httpHeaders };
  // The start of this call and the URL are missing from the post as captured; this.http.post is assumed.
  this.http.post('', body).subscribe((data: any) => {
  }, (err) => {
  });
}

PS: This is my personal Okta developer account, so I am not worried about sharing the details here. Please tell me what I am doing wrong, as this is working fine from Postman and a .NET application.


On the Okta end I have created a client_credentials flow application and am using the encoded client_Id:Client_secret as the authorization key. It is working fine from Postman; I am getting an access token in the response.

For app integration type SPA we do not have a client_secret, so how do we retrieve an access token in an SPA? We have client_id and client_secret in the client_credential flow or web or API. How can I retrieve this token from Angular? Please help.

Check out the following guide about how to use Authorization Code flow with PKCE, to get tokens for your SPA: Implement authorization by grant type | Okta Developer

Thanks Andrea, I am aware of the Authorization Code flow; my requirement is the client credential flow.

It looks like this is client side code – so just curious if you’re seeing a “3rd party cookie” alert in the omnibox – I’ve had issues with that from time to time:
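Added example, not part of any post in this thread and not Okta's own code: the client_credentials request discussed above, issued from a Node.js backend so the client secret stays on the server and the browser never calls /v1/token directly. The base URL, client ID and secret are caller-supplied placeholders, and `buildTokenRequest` and `requestAccessToken` are hypothetical helper names.

```javascript
// Added example, not code from the thread. Assumes Node.js 18+ (global fetch).
// baseUrl is assumed to be the authorization server URL that "/v1/token" is
// appended to; clientId and clientSecret are placeholders from server config.

// Build the token request without sending it, so its shape can be inspected.
function buildTokenRequest(baseUrl, clientId, clientSecret, scope) {
  // HTTP Basic credentials: base64("client_id:client_secret").
  const basic = Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
  return {
    // Strip trailing slashes so the path is not doubled.
    url: `${baseUrl.replace(/\/+$/, '')}/v1/token`,
    init: {
      method: 'POST',
      headers: {
        Authorization: `Basic ${basic}`,
        Accept: 'application/json',
        'Content-Type': 'application/x-www-form-urlencoded',
      },
      // The body is a form-encoded string so that it matches the Content-Type;
      // the OAuth 2.0 token endpoint does not take a JSON body.
      body: new URLSearchParams({ grant_type: 'client_credentials', scope }).toString(),
    },
  };
}

// Send the request server-side and return only the fields a caller needs.
// fetchImpl can be replaced with a stub for testing.
async function requestAccessToken(baseUrl, clientId, clientSecret, scope, fetchImpl = fetch) {
  const { url, init } = buildTokenRequest(baseUrl, clientId, clientSecret, scope);
  const res = await fetchImpl(url, init);
  const payload = await res.json();
  if (!res.ok) {
    // OAuth 2.0 error responses carry an "error" code in the JSON body.
    throw new Error(`token request failed: ${res.status} ${payload.error || ''}`.trim());
  }
  return { accessToken: payload.access_token, expiresIn: payload.expires_in };
}
```

The Angular application would then call an endpoint on this backend instead of the token endpoint, so neither the Basic header nor the secret appears in browser code or network traces.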