Using PKCE but the token URI does not allow CORS

I’m trying to use the PKCE flow as I don’t have a server. I’ve gotten through setting up the whole flow with the code challenge and everything only to find out that “No ‘Access-Control-Allow-Origin’ header is present” on the token URI. Here’s the fetch:

await fetch('', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    client_id: clientId,
    code_verifier: verifier,
    redirect_uri: 'http://localhost:8000/oauth',
    grant_type: 'authorization_code',
  }),
});

I’ve confirmed I’ve set up everything else correctly because just for kicks I tested it with a normal form POST and got an access token. Obviously, that won’t work for applications because the response is JSON and doesn’t redirect back to the application again.

I think for PKCE to work in a browser-based web app, you need to set the CORS header on the token URI.
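An added example, not part of the original post or the API's own code: a simplified model of the browser's CORS checks applied to the token request above. It shows that a JSON body adds an OPTIONS preflight that a form-encoded body (the shape in RFC 6749 section 4.1.3) avoids, while reading the token response from script needs `Access-Control-Allow-Origin` from the server either way. The function names and sample values are assumptions made for illustration.

```javascript
// Added example: simplified model of the browser's CORS checks for a token request.
// Function names and sample values are constructed for illustration.
const SAFE_METHODS = ['GET', 'HEAD', 'POST'];
const SAFE_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];
const SAFE_HEADERS = ['accept', 'accept-language', 'content-language'];

// Token request in the form-encoded shape RFC 6749 section 4.1.3 specifies.
function buildTokenRequest({ clientId, code, verifier, redirectUri }) {
  const body = new URLSearchParams({
    grant_type: 'authorization_code',
    client_id: clientId,
    code,
    code_verifier: verifier,
    redirect_uri: redirectUri,
  });
  return {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// True when a cross-origin fetch() with these options is preceded by an OPTIONS preflight.
function needsPreflight({ method = 'GET', headers = {} }) {
  if (!SAFE_METHODS.includes(method.toUpperCase())) return true;
  return Object.entries(headers).some(([name, value]) => {
    const n = name.toLowerCase();
    if (n !== 'content-type') return !SAFE_HEADERS.includes(n);
    return !SAFE_TYPES.includes(value.split(';')[0].trim().toLowerCase());
  });
}

// True when script on pageOrigin may read a response carrying these headers
// (request sent without credentials, so "*" is acceptable).
function responseReadable(pageOrigin, responseHeaders) {
  const allow = responseHeaders['access-control-allow-origin'];
  return allow === '*' || allow === pageOrigin;
}

// What the token endpoint has to send for this request to succeed from a browser.
function corsRequirements(request) {
  const needs = ['Access-Control-Allow-Origin on the token response'];
  if (needsPreflight(request)) {
    needs.unshift('OPTIONS preflight answered with matching Access-Control-Allow-* headers');
  }
  return needs;
}
```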


Currently having this exact issue. Does the API have CORS improperly set up for PKCE or is there potentially user error on my end?

This should be fixed now.