Add an external origin to the org's CORS allowlist so JavaScript on that domain can call supported Salesforce APIs from a browser. You configure this in Setup; it takes effect on the next API call.
- Open the CORS Setup page
From Setup, type CORS in the Quick Find box and select CORS. The page lists existing allowed origins and lets you add new ones.
- Create a new origin entry
Select New, then enter the origin URL pattern. Include the HTTPS scheme and the domain, for example https://app.example.com, with an optional port. Use https://*.example.com to cover all direct subdomains.
- Save and verify from the browser
Save the entry. Trigger an API call from your external page and confirm the request succeeds and that Salesforce returns the Access-Control-Allow-Origin header for your origin in the network tab.
- Pair it with authentication
The allowlist only satisfies the browser's same-origin policy. Set up a Connected App and an OAuth flow so the call also carries a valid access token; otherwise the browser permits the cross-origin request, but Salesforce still rejects it on authentication.
Each entry is a full origin: scheme plus domain and optional port, with no path. It must use HTTPS unless it targets localhost. Match it exactly to the Origin value the browser sends.
A single * in front of a second-level domain, such as https://*.example.com, covers all direct subdomains. Mid-string wildcards are not allowed.
Each entry corresponds to the CorsWhitelistEntry object and deploys as CorsWhitelistOrigin metadata, so you can source-control the list and promote it between orgs.
- A missing entry surfaces as a browser CORS block or HTTP 403, which is easy to misread as an authentication failure.
- Server-to-server callers (Node, Python, any backend) ignore CORS entirely. Do not add backend hostnames or IPs to the allowlist.
- The origin must match exactly, including https and any port. A scheme or port mismatch silently fails the check.
- A subdomain wildcard trusts every current and future subdomain of that domain, so use it only on a domain you fully control.
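The following checker, added here as an example and not Salesforce's own code, applies the origin-pattern rules above (scheme plus host and optional port, no path, HTTPS unless localhost, a single leading wildcard, exact scheme and port match, wildcard limited to direct subdomains) so an allowlist can be reviewed before it is deployed. The matching semantics are an assumption drawn from this page; the sample allowlist and Origin values are constructed.

```javascript
// Validate one CORS allowlist entry against the rules described on this page.
// Returns { ok, reason } for a bad entry, or the parsed parts for a good one.
function validateOriginPattern(pattern) {
  // scheme://authority only: a path, query or fragment makes the match fail
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/?#]+)$/i.exec(String(pattern).trim());
  if (!m) return { ok: false, reason: "must be scheme://host[:port] with no path" };
  const scheme = m[1].toLowerCase();
  let hostPort = m[2];
  const wildcard = hostPort.startsWith("*.");
  if (wildcard) hostPort = hostPort.slice(2);
  if (hostPort.includes("*")) return { ok: false, reason: "only a single leading *. wildcard is allowed" };
  const hp = /^([a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d{1,5}))?$/i.exec(hostPort);
  if (!hp) return { ok: false, reason: "host must be a DNS name with an optional numeric port" };
  const host = hp[1].toLowerCase();
  if (scheme !== "https" && host !== "localhost") {
    return { ok: false, reason: "HTTPS is required unless the origin is localhost" };
  }
  if (wildcard && host.split(".").length < 2) {
    return { ok: false, reason: "the wildcard must sit in front of a second-level domain" };
  }
  // Port is compared as written: browsers omit the default port in the Origin header.
  return { ok: true, scheme, host, port: hp[2] || null, wildcard };
}

// Decide whether a browser Origin header value is covered by the allowlist.
function originAllowed(originHeader, allowlist) {
  const o = validateOriginPattern(originHeader);
  if (!o.ok || o.wildcard) return false; // a real Origin never carries a wildcard
  return allowlist.some((entry) => {
    const e = validateOriginPattern(entry);
    // scheme and port must match exactly; a mismatch fails the check silently
    if (!e.ok || e.scheme !== o.scheme || e.port !== o.port) return false;
    if (!e.wildcard) return e.host === o.host;
    // *.example.com covers direct subdomains only: exactly one extra label
    if (!o.host.endsWith("." + e.host)) return false;
    return !o.host.slice(0, -(e.host.length + 1)).includes(".");
  });
}

// Report entries that would be rejected or silently never match.
function reviewAllowlist(entries) {
  return entries.map((entry) => ({ entry, ...validateOriginPattern(entry) })).filter((r) => !r.ok);
}

// Constructed sample allowlist for a stand-alone run.
const sampleAllowlist = ["https://app.example.com", "https://*.example.com", "http://localhost:3000",
  "http://app.example.com", "https://app.*.example.com", "https://app.example.com/api"];
console.log(reviewAllowlist(sampleAllowlist));
console.log(originAllowed("https://api.example.com", sampleAllowlist));
```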