CORS issue with JWT auth


I’m trying out the JWT access control feature using a third-party identity provider (centralized JWT). It’s working beautifully with Postman doing GETS, but now we have issues passing the pre-flight checks in our web application (CORS). Up until now we’ve been using Keyless and CORS not enabled. The downstream provider was handling CORS. When I set the authentication mode to Basic or back to Open it works, it just seems to be the JWT setting. Any help is appreciated.



1 Like

When you have CORS enabled you need to be very explicit with regards to what headers to allow and what methods to allow.

Also, either Tyk handles CORS or your upstream service does, they are mutually exclusive, if your upstream service does it and you have Tyk doing it then you will get duplicate headers which can cause further problems.

I would suggest looking at the pre-flights in your network consol to see what headers are being requested and make sure they are allowed, hats usually the snag when enabling CORS with Tyk.

Thanks for the quick reply. We actually don’t have CORS enabled in the Tyk configuration.

Then Tyk isn;t getting in your way, you might just need to set “OPTIONS pass through” to enabled (but do not enable the “enable CORS” option)

This will basically pass through CORS pre-flights to your upstream app to deal with.

1 Like

That seems to be it exactly. Thanks.

1 Like