
CORS Policy Error while calling token API programmatically


Level 3


We're trying to fetch profile & event details via API. To establish a connection with AEP, we are using the token API to generate a token, which returns a CORS policy error. Please note this error occurs only when we try to access the token API programmatically. With Postman, it works.


Token API End Point : https://ims-na1.adobelogin.com/ims/exchange/jwt/

Payload : {

"client_id" : "<clientId>",





Error : 

Access to fetch at 'https://ims-na1.adobelogin.com/ims/exchange/jwt/' from origin '<origin>' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.



5 Replies



@vikash4 please check once whether your Postman pre-request script is incorporated correctly in your program.


Level 3

Hi @arijitg,

Thanks for your reply. 

Wondering whether the pre-request script needs to be incorporated in the program to call the token API?

My understanding is we might need some response headers to be defined on the requested resource. Not sure how to add those headers/config on the token resource.

We had a similar issue with the Pega connector, which was resolved by adding headers on the requested resource in Pega.

The pre-request script relies heavily on environment variables, and I'm not sure how to incorporate it while calling the API from a Java program.

Also, I didn't see anything related to the pre-request script in the Adobe docs: https://experienceleague.adobe.com/docs/experience-platform/landing/platform-apis/api-authentication...

I feel it should be straightforward without complicating much from the API consumer side.



Community Advisor

Hello @vikash4 


The right way to call the API would be in backend code.

The CORS issue occurs when you call the API on the front end with JS code, which is not secure as it will expose your API credentials.


Suppose you want to use the API on the front end. I suggest creating an API endpoint within your original website to generate the TOKEN so you can do any API call from the backend code without exposing the credentials. With this approach, you won't face the CORS issue because you will use the same domain for the API request.



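The backend approach suggested in the reply above, as an added example that is not code from the thread or from Adobe: the token exchange runs server-side and the browser calls only same-origin routes, so no CORS check applies and the credentials stay on the server. The environment variable names, the route table and its placeholder upstream paths are hypothetical; `client_secret`, `jwt_token`, the `x-api-key` header and `expires_in` being in milliseconds are assumptions about the exchange that the thread does not show.

```javascript
// Added example (Node 18+): the browser talks only to this same-origin backend.
const IMS_URL = "https://ims-na1.adobelogin.com/ims/exchange/jwt/"; // endpoint from the question

// Credentials come from the server environment (variable names are hypothetical).
// client_secret and jwt_token are assumed form fields; the thread shows only client_id.
function loadConfig(env = process.env) {
  const cfg = { client_id: env.AEP_CLIENT_ID, client_secret: env.AEP_CLIENT_SECRET, jwt_token: env.AEP_JWT };
  const missing = Object.keys(cfg).filter((k) => !cfg[k]);
  if (missing.length) throw new Error("missing config: " + missing.join(", "));
  return cfg;
}

let cached = null; // { token, expiresAt }, held in server memory only

async function getAccessToken(cfg, fetchImpl = fetch, now = Date.now) {
  if (cached && cached.expiresAt - 60000 > now()) return cached.token; // reuse until 1 min before expiry
  const res = await fetchImpl(IMS_URL, { method: "POST", body: new URLSearchParams(cfg) });
  if (!res.ok) throw new Error("IMS exchange failed: HTTP " + res.status);
  const body = await res.json();
  cached = { token: body.access_token, expiresAt: now() + Number(body.expires_in) }; // assumed: ms
  return cached.token;
}

// Hypothetical route table with placeholder upstream paths: the browser chooses a
// route name, never a URL, so it cannot steer the backend to another host.
const ROUTES = new Map([["/api/profile", "/placeholder/profile"], ["/api/events", "/placeholder/events"]]);

async function handleApi(pathname, cfg, apiBase, fetchImpl = fetch) {
  const upstream = ROUTES.get(pathname);
  if (!upstream) return { status: 404, body: { error: "unknown route" } };
  const token = await getAccessToken(cfg, fetchImpl);
  const res = await fetchImpl(apiBase + upstream, {
    headers: { Authorization: "Bearer " + token, "x-api-key": cfg.client_id }, // x-api-key assumed
  });
  return { status: res.status, body: await res.json() }; // data only: no token, no secret
}

// Runs as a server only when PORT is set (AEP_API_BASE is a hypothetical variable).
if (process.env.PORT) {
  import("node:http").then((http) => http.createServer(async (req, res) => {
    const out = await Promise.resolve()
      .then(() => handleApi(new URL(req.url, "http://localhost").pathname, loadConfig(), process.env.AEP_API_BASE))
      .catch(() => ({ status: 502, body: { error: "upstream failure" } }));
    res.writeHead(out.status, { "Content-Type": "application/json" }).end(JSON.stringify(out.body));
  }).listen(process.env.PORT));
}
```

Front-end code then calls `fetch("/api/profile")` against its own origin and receives only the response data.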


Level 3

Thanks @Manoj_Kumar_ ,


We were testing these APIs and the quick way was through JS. But now we have moved the entire code into the backend, which works. Thanks.