Based on the available knowledge sources, Ory Hydra allows you to provide the TLS certificate and key either as file paths or as base64-encoded content via environment variables or in the configuration file. For example, you can use: -

SERVE_TLS_CERT_BASE64

and

SERVE_TLS_KEY_BASE64

for base64-encoded content -

SERVE_TLS_CERT_PATH

and

SERVE_TLS_KEY_PATH

for file paths These can be set as environment variables when running Hydra, including in Docker setups:

sh docker run ... \     -e SERVE_TLS_CERT_BASE64="$SERVE_TLS_CERT_BASE64" \     -e SERVE_TLS_KEY_BASE64="$SERVE_TLS_KEY_BASE64" \     ...

or

sh docker run ... \     -e SERVE_TLS_CERT_PATH="/path/to/cert.crt" \     -e SERVE_TLS_KEY_PATH="/path/to/key.pem" \     ...

[SSL/TLS, HTTPS, self-signed certificates](https://www.ory.sh/docs/hydra/self-hosted/ssl-https-tls) However, the knowledge sources do not mention any CLI flags that allow you to directly supply the TLS certificate or key as file paths or base64 content via the command line (i.e., as arguments to the

hydra serve

commands). The CLI does support loading configuration files via the

--config

flag, and you can set environment variables as shown above, but there is no evidence of direct CLI flags for TLS certificate/key input. Summary: You can supply the TLS certificate and key via environment variables or configuration files, but not directly as CLI flags or arguments. If you need to provide them at runtime, use environment variables or mount the files and reference them in your configuration file or via environment variables. [SSL/TLS, HTTPS, self-signed certificates](https://www.ory.sh/docs/hydra/self-hosted/ssl-https-tls) [Configuration Reference](https://www.ory.sh/docs/hydra/reference/configuration)

@chilly-king-10285 can i pass

--tls-cert

and

--tls-key

flags

I'm sorry, but the knowledge sources do not mention the existence of

--tls-cert

or

--tls-key

flags for the Ory Hydra CLI. According to the documentation, TLS certificates and keys should be provided via environment variables (

SERVE_TLS_CERT_PATH

,

SERVE_TLS_KEY_PATH

,

SERVE_TLS_CERT_BASE64

,

SERVE_TLS_KEY_BASE64

) or through the configuration file, but there is no reference to CLI flags like

--tls-cert

or

--tls-key

for this purpose [SSL/TLS, HTTPS, self-signed certificates](https://www.ory.sh/docs/hydra/self-hosted/ssl-https-tls). If you need to configure TLS, please use the recommended environment variables or configuration file options.

The CORS error you’re seeing (

No 'Access-Control-Allow-Origin' header is present on the requested resource

) typically means that the Ory Tunnel is not allowing requests from your frontend’s origin (`http://localhost:3000`). Here are the key points and troubleshooting steps based on the knowledge sources: 1. Ory Tunnel and CORS Ory Tunnel is designed to mirror Ory APIs on your local machine and handle CORS automatically for local development. When you run:

ory tunnel --project slug-string-here <http://localhost:3000>

it should expose Ory APIs at

<http://localhost:4000>

and allow requests from

<http://localhost:3000>

by default [Ory Tunnel](https://www.ory.sh/docs/cli/ory-tunnel#ory-tunnel). 2. Workspace Parameter The

--workspace

flag is optional and typically not required for most local development scenarios. If your colleague is not using it and CORS works for them, try running the tunnel without the

--workspace

flag:

ory tunnel --project slug-string-here <http://localhost:3000>

This matches the recommended usage in the documentation [Proxy and Tunnel Guide](https://www.ory.sh/docs/guides/cli/proxy-and-tunnel). 3. Consistent Origins Make sure you are always using

localhost

(not mixing

127.0.0.1

and

localhost

), as cookies and CORS treat these as different domains [Local Development](https://www.ory.sh/docs/getting-started/local-development#local-development). 4. Browser Cache Sometimes, CORS issues can be cached by the browser. Try clearing your browser cache or using a private/incognito window. 5. CORS Flags If you need to explicitly allow certain origins, you can use the

--allowed-cors-origins

flag:

ory tunnel --project slug-string-here <http://localhost:3000> --allowed-cors-origins <http://localhost:3000>

However, for local development, this is usually not necessary unless you have changed the default CORS settings [Ory Tunnel Options](https://www.ory.sh/docs/cli/ory-tunnel#options). 6. Check for Configuration Differences Since your colleague’s setup works, compare your Ory project and tunnel command usage to ensure there are no differences in configuration or environment. Summary: Try running the tunnel without the

--workspace

flag, ensure you are using the same domain (

localhost

), and clear your browser cache. If the issue persists, try adding the

--allowed-cors-origins

flag. If none of these steps resolve the issue, there may be a project-specific configuration difference. If you need more detailed troubleshooting, please provide your exact tunnel command and any custom CORS-related configuration you may have set.