
Cross-Origin Resource Sharing (CORS)

By default, for security reasons, the SCIM interface is published for any server application, but not for client-side (JavaScript) applications.

To allow client-side applications to query or modify SCIM objects, use the CORS protocol, which defines the restrictions that apply to client-side applications. CORS settings can be tuned by adding two parameters:

Parameter Value

Set a comma-separated list of DNS domains allowed to perform SCIM operations.

Set to * to allow access from any domain.


Set a comma-separated list of allowed operations.

By default, it is set to GET, OPTIONS, HEAD

To allow any operation, set it to GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD


These parameters can be changed in real time for any tenant. Note that values set for the master tenant apply to the master tenant and also serve as the default values for any child tenant.
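
The effect of the two settings on a cross-origin SCIM request, as an added example that is not part of the product documentation. The property names `domains` and `methods` are placeholders for the two parameters, the sample domains are constructed, and comparing an allowed domain with the host name of the Origin header is an assumption.

```javascript
// Added example: "domains" and "methods" are placeholder names, not the product's keys.
const DEFAULT_METHODS = "GET, OPTIONS, HEAD"; // default stated on this page
const WRITE_METHODS = ["POST", "PUT", "PATCH", "DELETE"];

// Split a comma-separated setting into trimmed, non-empty entries.
function parseList(value) {
  return (value || "").split(",").map((s) => s.trim()).filter(Boolean);
}

// Decide whether a client-side request passes the two settings.
// Assumption: an allowed domain is compared with the host name of the Origin header.
function isAllowed(settings, origin, method) {
  const domains = parseList(settings.domains).map((d) => d.toLowerCase());
  const methods = parseList(settings.methods || DEFAULT_METHODS).map((m) => m.toUpperCase());
  let host;
  try {
    host = new URL(origin).hostname.toLowerCase();
  } catch {
    return false; // a malformed or "null" Origin never matches
  }
  const originOk = domains.includes("*") || domains.includes(host);
  return originOk && methods.includes(method.toUpperCase());
}

// Review a pair of values before applying them to a tenant. Values set on the
// master tenant become child-tenant defaults, so review those with extra care.
function audit(settings) {
  const domains = parseList(settings.domains);
  const methods = parseList(settings.methods || DEFAULT_METHODS).map((m) => m.toUpperCase());
  const writes = methods.filter((m) => WRITE_METHODS.includes(m));
  const findings = [];
  if (domains.includes("*")) findings.push("any-domain");
  if (writes.length > 0) findings.push("write-methods:" + writes.join(","));
  if (domains.includes("*") && writes.length > 0) findings.push("any-domain-can-modify");
  return findings;
}

// Constructed sample settings: a narrow read-only setup and the widest one the page allows.
const readOnly = { domains: "portal.example.com", methods: "" };
const wideOpen = { domains: "*", methods: "GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD" };

console.log(isAllowed(readOnly, "https://portal.example.com", "PATCH"), audit(readOnly));
console.log(isAllowed(wideOpen, "https://other.example.net", "DELETE"), audit(wideOpen));
```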