--- title: CORS support for OAuth endpoints description: PingFederate supports cross-origin resource sharing (CORS) for several OAuth endpoints. component: pingfederate version: 13.0 page_id: pingfederate:introduction_to_pingfederate:pf_cors_support_oauth_endpoints canonical_url: https://docs.pingidentity.com/pingfederate/13.0/introduction_to_pingfederate/pf_cors_support_oauth_endpoints.html revdate: July 3, 2025 section_ids: related-links: Related links --- # CORS support for OAuth endpoints PingFederate supports cross-origin resource sharing (CORS) for several OAuth endpoints. The supported OAuth endpoints include: * `/as/token.oauth2` * `/as/revoke_token.oauth2` * `/idp/userinfo.openid` * `/pf-ws/rest/oauth/grants/` * `/pf/JWKS` * `/.well-known/openid-configuration` * `/as/bc-auth.ciba` As needed, administrators can add or remove allowed origins using the administrative console on the **Authorization Server Settings** page. Find instructions on how to add and remove allowed origins in [Configuring authorization server settings](../administrators_reference_guide/help_authorizationserversettingstasklet_oauthauthorizationserversettingsstate.html). After they are configured, client-side web applications from the trusted origins are allowed to make requests to the PingFederate authorization server for the purpose of accessing protected resources, such as obtaining or renewing access tokens with refresh tokens, presenting access tokens for revocation, querying additional claims (user attributes), and retrieving OpenID Provider configuration information and JavaScript Object Notation (JSON) *(tooltip: \
\

An open, lightweight data-interchange format that uses human-readable text to store and transmit data.\

\
)* Web Key Sets. ## Related links * [Configuring authorization server settings](../administrators_reference_guide/help_authorizationserversettingstasklet_oauthauthorizationserversettingsstate.html) * [W3C's recommendation on Cross-Origin Resource Sharing](https://fetch.spec.whatwg.org/#http-cors-protocol)