No Access-Control-Allow-Origin' header is present when making a POST request to suspend a user

Im attempting to suspend a user using the User API, however when I execute the request I get the following error message:

"Access to XMLHttpRequest at ‘https://dev-{{domain}}{{userid}}/lifecycle/suspend’ from origin ‘https://localhost:8080’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource."

* user id and domain removed for privacy.

When I execute a GET transaction it works fine - it just seems to be POST requests.

I have included the Access-Control-Allow-Origin in the header as below, but im still getting issues.

const oktaInstance = axios.create({
  baseURL: 'https://dev-{{domain}}',
  timeout: 30000,
  headers: {
    'Accept': 'application/json',
    'Access-Control-Allow-Origin': '*',
    'Content-Type': 'application/json',
    'Authorization': 'SSWS '  + {{key}}

Does anyone have any ideas how I can fix this? Ive added a trusted site to no avail.


Cross Origin Resource Sharing is handled automatically by the browser. You don’t have control over the browser’s CORS “preflight” check. If you look in your browser’s developer tools, you’ll see it’s making an OPTIONS request of your okta org before your POST can happen.

In order for the preflight check to pass, you need to define a Trusted Origin in your Okta Org. If you’re using the Developer Console, you would navigate to: API -> Trusted Origins. If you’re using the Classic UI, you would navigate to: Security -> API and then choose the Trusted Origins tab.

Once you’ve created a Trusted Origin entry with http://localhost:8080, then the preflight check will pass.

Thanks Micah

I’ve tried setting a trusted origin without success. I think the problem is that this particular API function is not CORS enabled because when I tried calling the same function from the server it worked ok but gave me a “not authorised” error.

I have same issue, did you find any resolution to this ?

Hi @bpl18

This endpoint is not CORS enabled. Please feel free to suggest this as a feature enhancement over our community portal >> Product >> Ideas.