--- title: Configuring CORS for FAPI description: Configure CORS in PingOne Advanced Identity Cloud to allow cross-domain requests from PingGateway when using FAPI component: pinggateway version: 2026 page_id: pinggateway:fapi:cors canonical_url: https://docs.pingidentity.com/pinggateway/2026/fapi/cors.html revdate: 2025-09-08T17:46:50Z --- # Configuring CORS for FAPI FAPI clients make their requests through PingGateway. This includes requests to authenticate end users in the process of getting an ID token. The end user authenticates through the PingOne Advanced Identity Cloud end-user UI. End-user authentication involves a cross-domain request from the PingGateway domain to the PingOne Advanced Identity Cloud domain. [Cross-origin resource sharing](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) (CORS) lets user-agents make cross-domain server requests. Follow these steps to allow cross-domain requests from PingGateway to PingOne Advanced Identity Cloud: 1. Sign on to the Advanced Identity Cloud admin UI as an administrator. 2. [Create a custom CORS configuration](https://docs.pingidentity.com/pingoneaic/tenants/configure-cors.html#create-a-new-cors-configuration) with the following settings. | | | | - | ------------------------------------------------ | | | CORS configurations apply for all tenant realms. | | Setting | Use | | ---------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Name | `FAPI` | | Accepted Origins | The PingGateway endpoint, such as `https://gateway.example.com:8443` | | Accepted Methods | `DELETE` `FETCH` `GET` `OPTIONS` `PATCH` `POST` `PUT` | | Accepted Headers | The Cookie name for your tenant (`iPlanetDirectoryPro` by default for self-hosted AM) `accept-api-version` `accept-encoding` `accept-language` `accept` `authority` `authorization` `content-type` `cookie` `method` `path` `referer` `scheme` `sec-ch-ua-mobile` `sec-ch-ua-platform` `sec-ch-ua` `sec-fetch-dest` `sec-fetch-mode` `sec-fetch-site` `sec-fetch-user` `upgrade-insecure-requests` `user-agent` `x-forgerock-transactionid` `x-requested-with` | | Exposed Headers (under Show advanced settings) | `access-control-allow-origin` `cache-control` `content-api-version` `content-language` `content-length` `content-type` `date` `etag` `expires` `last-modified` `pragma` `set-cookie` `strict-transport-security` `x-content-type-options` `x-forgerock-transactionid` `x-frame-options` | 3. Click Save CORS Configuration. You have successfully configured CORS for FAPI.