Hello wave I m testing an Ory Network setup default dev envi Ory Community #ory-network

Hello :wave:, I’m testing an Ory Network setup (de...

prehistoric-magician-21755

08/14/2025, 12:06 PM

Hello 👋, I’m testing an Ory Network setup (default dev environment) from a Vercel app hosted on a different domain. Is there a way to configure Ory so the cookie is accessible across domains? I've set CORS to accept my vercel domain and it works, but I am getting 401 calling ory due to the cookie not being passed in the request. I've also set the Session cookie settings SameSite to None Any tips, Ideas? below my project config Session:

Copy code

services:
  identity:
    config:
      session:
        cookie:
          domain: <http://agitated-nash-tvg36a035j.projects.oryapis.com|agitated-nash-tvg36a035j.projects.oryapis.com>
          name: ory_session_agitatednashtvg36a035j
          path: /
          persistent: false
          same_site: None


// Also not sure if needed...
services:
  identity:
    config:
      cookies:
        domain: <http://agitated-nash-tvg36a035j.projects.oryapis.com|agitated-nash-tvg36a035j.projects.oryapis.com>
        path: /
        same_site: None

Cors:

Copy code

...      
     serve:        
        public:
          cors:
            allow_credentials: true
            allowed_headers:
            - Accept
            - Content-Type
            - Content-Length
            - Accept-Language
            - Content-Language
            - Authorization
            allowed_methods:
            - POST
            - GET
            - PUT
            - PATCH
            - DELETE
            - CONNECT
            - HEAD
            - OPTIONS
            - TRACE
            allowed_origins:
            - <https://agitated-nash-tvg36a035j.projects.oryapis.com>
            - <https://vercel-test-ory.vercel.app>
            debug: false
            enabled: true
            exposed_headers:
            - Cache-Control
            - Expires
            - Last-Modified
            - Pragma
            - Content-Length
            - Content-Language
            - Content-Type
            max_age: 0
          tls:
            enabled: false
        tls:
          enabled: false

early-magician-18981

08/15/2025, 1:28 AM

I am not sure this will work as they are completely different domains (your app on vercel and the Ory network project url). You may need to use the custom domain feature and create a sub domain on your network. Though if you are using the oryMiddleware in the nextjs SDK it should proxy this. Can you provide a har log of what happens in the browser with all the requests?

bumpy-controller-43157

08/15/2025, 7:07 AM

@early-magician-18981 would configuring ory.example.com work when our app is deployed under foobar.example.com ? We're having the same issue. Our frontend is deployed using nginx to serve static files, and already proxies /api to our backend service. All deployed on GCP cloud run

prehistoric-magician-21755

08/15/2025, 8:32 AM

I am not sure this will work as they are completely different domains (your app on vercel and the Ory network project url). You may need to use the custom domain feature and create a sub domain on your network.

yeap, but I want to test this on the cloud before committing to ory (custom domains require a paid plan).

Though if you are using the oryMiddleware in the nextjs SDK it should proxy this. Can you provide a har log of what happens in the browser with all the requests?

I am using the middelware, but I dont think it proxies calls from the Autogenerated FrontendClient. I want to get a JWT token using the tokenize_as query param, and that can only be called client side (so I need the cookies).

Copy code

const ory = new FrontendApi(
  new Configuration({
    basePath: process.env.NEXT_PUBLIC_ORY_SDK_URL,
    baseOptions: {
      withCredentials: true,
    },
  }),
)
...
const { session } = await ory.toSession({ tokenizeAs: 'myapi' })

the call fails with 401 bc the cookie is just not present from my domain which makes sense.

Copy code

GET '<https://myprojectid.projects.oryapis.com/sessions/whoami?tokenize_as=myapi>  -> 401.

prehistoric-magician-21755

08/15/2025, 2:02 PM

Hey ory team 👋, I was making this issue more complex than it was I noticed getServerSession in Ory Elements (link) doesn’t allow passing a tokenizeAs param to toSession(). This makes it impossible to get a valid JWT via the Ory tokenize mechanism when using the built-in helper. I worked around it by creating my own function:

Copy code

export async function getServerTokenizedSession(tokenizeAs?: string): Promise<Session | null> {
  const cookie = await getCookieHeader()
  return oryClient()
    .toSession({
      cookie,
      tokenizeAs: tokenizeAs || process.env.ORY_SESSION_TOKENIZER || undefined
    })
    .catch(() => null)
}

Would you be open to me sending a PR to add an optional

tokenizeAs

param to

getServerSession()

- and probably the react client element as well - so it can return a session + token in one go? lmk your thoughs

early-magician-18981

08/15/2025, 2:23 PM

@bumpy-controller-43157, Yes that would work if they are on the same root domain with the cookie domain set to the root domain.

Open in Slack