Swagger UI: OAuth2 redirects, CORS on token and authorize endpoints, and PKCE with browser-based flows
Swagger UI runs in the browser, so the API behind each `servers` URL in your OpenAPI spec must return an Access-Control-Allow-Origin that matches the origin serving Swagger UI, or try-it-out requests are blocked.
Tags: swagger-ui, oauth2, cors
Standalone distribution
Docker images bundle static assets—inject CORS headers at the reverse proxy, not only inside the API container.
Deep linking to operations can open cross-origin iframes—verify sandbox attributes.
API keys
When using apiKey in headers, a preflight still applies for non-simple header names; document the Access-Control-Allow-Headers value the API has to return.
Client credentials flow is server-only—do not expose secrets in Swagger UI.
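
The preflight rule for apiKey headers described above, as an added example that is not part of the original post: a simplified model of the browser's CORS check that reports which request headers force a preflight and whether the OPTIONS response permits them. The origin `https://docs.example.test`, the header name `X-API-Key` and the function names are assumptions, and the model assumes requests are sent without credentials.

```javascript
// Added example (not from the original post): a simplified model of the browser's
// CORS preflight decision for a Swagger UI "Try it out" request, assuming the
// request is sent without credentials (no cookies).
const SAFELISTED = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);

// Lowercased names of request headers that are not CORS-safelisted and so force a preflight.
function nonSimpleHeaders(headers) {
  return Object.entries(headers).filter(([name, value]) => {
    const n = name.toLowerCase();
    if (!SAFELISTED.has(n)) return true;
    if (n !== "content-type") return false;
    return !SIMPLE_TYPES.has(String(value).split(";")[0].trim().toLowerCase());
  }).map(([name]) => name.toLowerCase()).sort();
}

const splitList = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// origin: where Swagger UI is served; optionsResponse: headers returned to OPTIONS
// by the API or the reverse proxy in front of it.
function checkPreflight(origin, method, requestHeaders, optionsResponse) {
  const res = Object.fromEntries(
    Object.entries(optionsResponse).map(([k, v]) => [k.toLowerCase(), v]));
  const needed = nonSimpleHeaders(requestHeaders);
  const m = method.toUpperCase();
  const preflight = needed.length > 0 || !SIMPLE_METHODS.has(m);
  const reasons = [];
  const acao = res["access-control-allow-origin"];
  if (acao !== "*" && acao !== origin) reasons.push("origin not allowed");
  if (preflight) {
    const headers = splitList(res["access-control-allow-headers"]);
    for (const h of needed) {
      // "*" never covers Authorization; it must be listed by name.
      const wildcard = headers.includes("*") && h !== "authorization";
      if (!headers.includes(h) && !wildcard) reasons.push("header not allowed: " + h);
    }
    const methods = splitList(res["access-control-allow-methods"]);
    if (!SIMPLE_METHODS.has(m) && !methods.includes(m.toLowerCase()) && !methods.includes("*"))
      reasons.push("method not allowed: " + m);
  }
  return { preflight, allowed: reasons.length === 0, reasons };
}

// Constructed sample: UI on docs.example.test, apiKey sent as X-API-Key.
const sample = checkPreflight("https://docs.example.test", "GET",
  { "X-API-Key": "demo", Accept: "application/json" },
  { "Access-Control-Allow-Origin": "https://docs.example.test",
    "Access-Control-Allow-Headers": "Content-Type" });
console.log(sample); // preflight: true, allowed: false (x-api-key not listed)
```

Feed it the headers your reverse proxy actually returns to an OPTIONS request to confirm that every header declared in the spec's security schemes is covered.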
