OAuth2 PKCE, refresh tokens, and CORS at the token endpoint

Public clients use PKCE; refresh flows hit token URLs that must return precise CORS headers for SPAs.

Token endpoint CORS

Allow only trusted web origins on the token endpoint; reject wildcard reflection for credentialed flows.

Separate CORS policies for authorization versus token endpoints if they live on different hosts.
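An added example, not code from the original post, of the allowlist check the token endpoint should apply before emitting any CORS header. The `TRUSTED_ORIGINS` values and the function names are constructed for illustration; the point is exact-origin matching with `Vary: Origin`, never reflecting the request's `Origin` and never answering `*` on a credentialed flow.

```python
from typing import Dict, FrozenSet, Optional
from urllib.parse import urlsplit

# Constructed allowlist: exact origins (scheme, host, port), no patterns, no "null".
TRUSTED_ORIGINS: FrozenSet[str] = frozenset({
    "https://app.example.com",
    "https://admin.example.com:8443",
})


def normalize_origin(origin: Optional[str]) -> Optional[str]:
    """Canonicalise an Origin header value for exact comparison; None if unusable."""
    if not origin or origin == "null":
        return None
    p = urlsplit(origin)
    # An origin is scheme://host[:port] only; anything else is malformed or hostile.
    if p.scheme not in ("https", "http") or not p.hostname:
        return None
    if p.path or p.query or p.fragment or p.username is not None:
        return None
    try:
        port = p.port  # ValueError on a non-numeric port
    except ValueError:
        return None
    default = 443 if p.scheme == "https" else 80
    if port is None or port == default:
        return f"{p.scheme}://{p.hostname}"
    return f"{p.scheme}://{p.hostname}:{port}"


def token_endpoint_cors(request_headers: Dict[str, str], credentialed: bool = False,
                        allowlist: FrozenSet[str] = TRUSTED_ORIGINS) -> Dict[str, str]:
    """CORS response headers for one request to the token endpoint.

    Untrusted origins get only `Vary: Origin` (no Allow-Origin at all), so the
    browser blocks the cross-origin read; the Vary header keeps shared caches
    from serving one origin's answer to another.
    """
    headers = {k.lower(): v for k, v in request_headers.items()}
    response = {"Vary": "Origin"}
    origin = normalize_origin(headers.get("origin"))
    # Exact allowlist match: never echo the request's Origin back unchecked, and
    # never use "*" (browsers reject it with credentials; reflection defeats the check).
    if origin is None or origin not in allowlist:
        return response
    response["Access-Control-Allow-Origin"] = origin
    if credentialed:
        response["Access-Control-Allow-Credentials"] = "true"
    if headers.get("access-control-request-method"):
        # Preflight for the SPA's POST; grant only what the token endpoint needs.
        response["Access-Control-Allow-Methods"] = "POST"
        response["Access-Control-Allow-Headers"] = "Content-Type, Authorization"
        response["Access-Control-Max-Age"] = "600"
    return response
```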

Operational hygiene

Log token endpoint errors without storing refresh token values in plaintext logs.

Alert on abnormal refresh rates per user to detect token theft early.