Browsers block cross-origin requests by default. SIS requires you to explicitly allowlist the origins your app makes requests from before it will respond to browser-initiated calls.
Origins are managed under Environments → [any environment] → CORS. You can add and remove origins from this tab.
CORS origins are shared across all environments. An origin added from the CORS tab of any environment applies to every environment in your organisation. If you add http://localhost:3000 for local development, it will be permitted in production too. Only add origins you intentionally want to allow from all environments.
| Rule | Correct | Incorrect |
|---|---|---|
| Include protocol | https://app.yourco.com | app.yourco.com |
| No trailing slash | https://app.yourco.com | https://app.yourco.com/ |
| No path | https://app.yourco.com | https://app.yourco.com/api |
| No wildcards | https://app.yourco.com | https://*.yourco.com |
Common Setup
A standard dev/staging/prod setup typically includes:
```
http://localhost:3000        ← local development
https://staging.yourco.com   ← staging environment
https://app.yourco.com       ← production
```
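
A pre-check for the four formatting rules in the table, as an added example that is not part of SIS or its documentation: `checkOrigin` and `review` are hypothetical helpers, and the candidate list is constructed from the page's own examples. It also flags loopback origins, because an origin added from any environment's CORS tab applies to every environment.

```javascript
// Added example, not SIS code. Rule names mirror the table above.
const SCHEME = /^[a-z][a-z0-9+.-]*:\/\//i; // "protocol://" prefix

// Returns the formatting rules an entry breaks, plus a hypothetical
// "local" flag for loopback hosts (see the shared-origin caveat).
function checkOrigin(value) {
  const input = value.trim();
  const violations = [];
  const scheme = input.match(SCHEME);
  if (!scheme) violations.push("Include protocol");
  // Everything after the scheme, or the whole string when it is missing.
  const rest = scheme ? input.slice(scheme[0].length) : input;
  const slash = rest.indexOf("/");
  if (slash !== -1) {
    // A lone "/" is a trailing slash; anything longer is a path.
    violations.push(rest.slice(slash) === "/" ? "No trailing slash" : "No path");
  }
  if (input.includes("*")) violations.push("No wildcards");
  const host = (slash === -1 ? rest : rest.slice(0, slash))
    .replace(/:\d+$/, "") // drop the port before comparing
    .toLowerCase();
  const local = host === "localhost" || host === "127.0.0.1";
  return { origin: input, violations, local };
}

// Summarises a list of entries before they are typed into the CORS tab.
function review(list) {
  return list.map(checkOrigin).map((r) => ({
    origin: r.origin,
    verdict: r.violations.length ? "fix: " + r.violations.join(", ") : "ok",
    note: r.local ? "also allowed in production (origins are shared)" : "",
  }));
}

// Constructed sample input, taken from the examples on this page.
const candidates = [
  "http://localhost:3000",
  "https://staging.yourco.com",
  "https://app.yourco.com",
  "app.yourco.com",
  "https://app.yourco.com/",
  "https://app.yourco.com/api",
  "https://*.yourco.com",
];

console.table(review(candidates));
```
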