Based on your application setup (e.g. does it have different URL / ports for frontend and backend) and the selected integration mode, different URLs need to be handled. See the following overview to get specific examples:
  1. Authorized origin
  2. Application URL
  3. Redirect URL
  4. Preview URL
  5. CNAME
  6. Relying Party ID

1. Authorized origin

Required: only for production

Description

The full URL (incl. protocol & port, no path) that the user sees in the browser and from where JavaScript calls to Corbado are made. It’s needed to make CORS requests possible and can be configured in the developer panel.

Example

ProductionDevelopment
https://www.my-application.comAll origins authorized by default

2. Application URL

Required

Description

The location (incl. protocol, port & path) where the web component runs. For example, it’s used to correctly redirect users in email magic links. Often, it’s on the same domain like the authorized origin.
ProductionDevelopment
https://www.my-application.com/loginhttp://localhost:8080/login

3. Redirect URL

Required: only in web component (previous)

Description

Depending on your decision to use Corbado’s session management or your own session management, the Redirect URL has different purposes. In any case, the Redirect URL (incl. protocol, port & path) is the location where the user is redirected to after successful authentication. If you use Corbado’s session management, the Redirect URL receives a short-term session as cookie or header. If you use your own session management, the Redirect URL is appended a corbadoAuthToken as GET parameter (query string).

Example

ProductionDevelopment

https://www.my-application.com/logged-in

with corbadoAuthToken: https://www.my-application.com/logged-in?corbadoAuthTOken= 5FClU6XEWynC4dQ2W34LGERlHYGPe8PHs9zUhxgrSbVj9FNupp5lE5z4lMoRpDlP

http://localhost:8080/logged-in

with corbadoAuthToken: http://localhost:8080/logged-in?corbadoAuthToken= 5FClU6XEWynC4dQ2W34LGERlHYGPe8PHs9zUhxgrSbVj9FNupp5lE5z4lMoRpDlP:8080

4. Preview URL

Provided by Corbado

Description

The location (incl. protocl, port & path) where your preview runs (https://<project ID>.preview.cloud.corbado.io).

5. CNAME

Required: only in production, when using corbado session management

Description

THE CNAME DNS address (no protocol, port or path) that can be used instead of Corbado’s default Frontend API URL. The CNAME needs to point to “<Project-ID>.frontendapi.cloud.corbado.io”.

Example

ProductionDevelopment
login.my-application.com-

6. Relying Party ID

Required: yes

Description

The Relying Party ID is the domain (no protocol, port or path) where passkeys are bound to. By default it will be set to localhost. Passkeys are bound to your relying party ID, meaning they can only be used on matching domains. Matching domains means that it’s either the same or a subdomain of the Relying Party ID.

Example

ProductionDevelopment
my-application.comlocalhost
Changing the relying party ID will invalidate all existing passkeys. Though, reverting a change will restore the passkeys.