Hi there,
We have an application configured with Public Authorization Code Grant using PKCE and so far the development integration is working fine. However, once the integration key was promoted to production and the configuration options for the key were set up (redirect URIs and CORS origin URLs), we see the following error in the browser console when doing the “/oauth/token” call:
Access to XMLHttpRequest at 'https://account.docusign.com/oauth/token' from origin 'https://<my_app_origin> has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
The call itself returns a 400 error with an empty response.
The setup of our production Integration key is exactly the same as the key in the development environment, with one exception: in the Docusign production account we don’t see the option “Allow CORS for OAuth calls”.
We have tested that when using the Docusign development account:
- If we have enabled CORS at the account level, then the “Allow CORS for OAuth calls” in the integration key must be enabled as well for the authentication to succeed.
- If we haven’t enabled CORS at the account level, then the “Allow CORS for OAuth calls” option is not needed.
However, when using the Docusign production account, we get the error above whether the CORS option at the account level is enabled or disabled.
We are sure that the protocol (https) and domains configured in the “Allowed origins” section of the production integration key are correct. Our application code is the same for development as for production.
Could someone help us understand why this is happening?
Thank you in advance!

