No 'Access-Control-Allow-Origin' header is present on the requested resource

I am trying to get protected APIs working and have followed the instructions [here] but I receive a 401 error:

Failed to load No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘hosted-website-name’ is therefore not allowed access. The response had HTTP status code 401. If an opaque response serves your needs, set the request’s mode to ‘no-cors’ to fetch the resource with CORS disabled.

I did not change anything that I was not told to change in the instructions. I have added the website URL to the Allowed Callback URLs, Allowed Web Origins, and Allowed Origins (CORS).

Any ideas on how to fix this issue? Thanks!

For CORS to work for auth failures you need to set this in your resources

Super odd, but a quirk of how custom authorizers work in AWS.

Thanks for the response but unfortunately that did not change the output.

Interestingly, the ‘live demo’ they have in their readme is giving me the same error. I created the demo account using an email and password that I verified:

Looks like my once working code is broken =(((

Change the ResponseType to UNAUTHORIZED

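resources:
  Resources:
    GatewayResponse:  # logical ID; placeholder name, any unique ID works
      Type: 'AWS::ApiGateway::GatewayResponse'
      Properties:
        ResponseParameters:
          gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
          gatewayresponse.header.Access-Control-Allow-Headers: "'*'"
        ResponseType: UNAUTHORIZED
        RestApiId:
          Ref: 'ApiGatewayRestApi'
        StatusCode: '401'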

I managed to get this working.

The JWT validation is failing in the authorizer right now… I’m unclear as to why

See the PR here

That fixes the CORS issue.

However, the JWT I get back from auth0 is no longer validating.

You can sls logs -f auth -t to tail the auth logs to see the jwt verification failing.

I’ve had many issues with auth0 as of late and it’s starting to get on my nerves

Fixed it!

JWT secret needed to be base64-decoded to validate the JWT.

Demo is working again
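
The fix in the last post, as an added example that is not code from the thread or from the project: an HS256 check fails when the base64 text of the secret is used directly as the HMAC key and passes once the secret is decoded to bytes. It assumes HS256 and a base64url-encoded secret; the function names, the secret and the token are constructed for illustration.

```javascript
const crypto = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// Sign header.payload with HMAC-SHA256 using the given key (stands in for the issuer).
function signHS256(payload, key) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const sig = crypto.createHmac('sha256', key).update(`${head}.${body}`).digest();
  return `${head}.${body}.${b64url(sig)}`;
}

// Verify an HS256 token with the given key; returns the payload or throws.
function verifyHS256(token, key) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [head, body, sig] = parts;
  const header = JSON.parse(Buffer.from(head, 'base64url').toString('utf8'));
  // Pin the algorithm instead of trusting the token header (rejects "none").
  if (header.alg !== 'HS256') throw new Error('unexpected alg');
  const expected = crypto.createHmac('sha256', key).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('invalid signature');
  }
  const payload = JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
  if (typeof payload.exp === 'number' && payload.exp <= Date.now() / 1000) throw new Error('token expired');
  return payload;
}

// Constructed sample secret: the text form as it would be pasted into config,
// and the decoded bytes that the issuer actually uses as the HMAC key.
const SECRET_TEXT = b64url('constructed-demo-key-not-a-real-secret');
const SECRET_BYTES = Buffer.from(SECRET_TEXT, 'base64url');
// Constructed token, signed with the decoded bytes; exp is 2100-01-01.
const sampleToken = signHS256({ sub: 'user|constructed', exp: 4102444800 }, SECRET_BYTES);

// Wrap verification so both outcomes can be compared side by side.
function tryVerify(token, key) {
  try { return { ok: true, payload: verifyHS256(token, key) }; }
  catch (err) { return { ok: false, error: err.message }; }
}

console.log('secret text as key  :', tryVerify(sampleToken, SECRET_TEXT));
console.log('decoded bytes as key:', tryVerify(sampleToken, SECRET_BYTES));
```
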