MyWave Authentication Flow & CORS Error

Naama Aharoni

Related error message: “Unable to connect to auth server” / CORS policy blocked preflight request

If you see a CORS error after uploading a file and clicking “Continue,” the likely cause is that the Auth Server’s response to the browser’s preflight check does not allow the request header that carries the JWT. This article explains why that happens and how to fix it.

How MyWave Authentication Works

When a user logs into the MyWave Web Client, the system follows this secure authentication flow:

  1. Login & Session Capture – User logs in, and MyWave creates a secure session.
  2. JWT Generation – A JSON Web Token (JWT) is generated to represent the user’s identity and permissions.
  3. Header Injection – The JWT is included in the headers of all requests (GET or POST) made to the Auth Server.
  4. Validation – The Auth Server verifies the JWT before processing the request.

This ensures secure, role-based access to MyWave services.

Issue Observed During File Upload

During a remote session, we encountered the following issue:

  • After uploading a PDF and clicking “Continue”, the system failed to connect to the Auth Server.
  • This failure was caused by the browser blocking the request that carries the JWT in its headers, due to a CORS (Cross-Origin Resource Sharing) policy issue.

Sample error message:

Access to XMLHttpRequest at 'https://dummydomain.com/integration/smartlynx-proxy/api/datarequest' from origin 'https://gymsapp01.gymna.be' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.

Root Cause

Browsers automatically send a CORS preflight request (OPTIONS method) to check whether the actual request (e.g., a POST with a custom header) is safe to send.

In this case:

  • The Auth Server did not include the correct CORS headers in its response.
  • Specifically, it did not allow the Authorization header, which contains the JWT.
  • As a result, the browser blocked the request, and authentication failed.

How to Fix It

To resolve the issue, the Auth Server must be configured to respond correctly to CORS preflight checks:

Required Header Configurations:

  • Access-Control-Allow-Origin: https://gymsapp01.gymna.be
  • Access-Control-Allow-Methods: GET, POST, OPTIONS
  • Access-Control-Allow-Headers: Authorization, Content-Type
  • Response to preflight (OPTIONS) must return HTTP 200 OK

Make sure these headers are included in the response to both preflight and actual requests.

Infrastructure Note:

If you’re using an API gateway (e.g., NGINX, Apache, or AWS API Gateway), ensure those headers are passed through and not stripped at the proxy layer.
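
To confirm the configuration before retesting in the browser, the check below evaluates a captured preflight (OPTIONS) response against the rules the browser applies. It is an added example, not MyWave code: the function name check_preflight and the three sample responses are constructed for illustration, and only the origin and the header values come from this article.

```python
# Added example: evaluates a captured preflight response the way a browser would.
# check_preflight and the sample responses below are constructed for illustration.
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}  # allowed without Access-Control-Allow-Methods

def _tokens(value):
    """Split a comma-separated header value into lower-cased tokens."""
    return {t.strip().lower() for t in (value or "").split(",") if t.strip()}

def check_preflight(origin, method, request_headers, status, response_headers):
    """Return the reasons a browser would block the actual request (empty list = pass)."""
    resp = {k.lower(): v for k, v in response_headers.items()}
    problems = []
    # "It does not have HTTP ok status": the OPTIONS response itself must be 2xx.
    if not 200 <= status <= 299:
        problems.append(f"preflight returned HTTP {status}, not an ok status")
    allow_origin = resp.get("access-control-allow-origin")
    if allow_origin not in (origin, "*"):
        problems.append(f"Access-Control-Allow-Origin does not match {origin}")
    allowed_methods = {m.upper() for m in _tokens(resp.get("access-control-allow-methods"))}
    if method.upper() not in SAFELISTED_METHODS | allowed_methods and "*" not in allowed_methods:
        problems.append(f"method {method} not in Access-Control-Allow-Methods")
    allowed_headers = _tokens(resp.get("access-control-allow-headers"))
    for name in request_headers:
        lname = name.lower()
        # The "*" wildcard never covers Authorization; it must be listed by name.
        covered = lname in allowed_headers or ("*" in allowed_headers and lname != "authorization")
        if not covered:
            problems.append(f"header {name} not in Access-Control-Allow-Headers")
    return problems

ORIGIN = "https://gymsapp01.gymna.be"  # origin from the article's error message
SENT = ["Authorization", "Content-Type"]  # headers the actual request carries
# Constructed sample: the browser sends OPTIONS without the Authorization header,
# so a server that demands a JWT on OPTIONS answers with an error status.
BROKEN = (401, {})
# Constructed sample: the header configuration listed in this article.
FIXED = (200, {
    "Access-Control-Allow-Origin": ORIGIN,
    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
    "Access-Control-Allow-Headers": "Authorization, Content-Type",
})
# Constructed sample: wildcards everywhere still fail for the JWT header.
WILDCARD = (200, {"Access-Control-Allow-Origin": "*", "Access-Control-Allow-Headers": "*"})

if __name__ == "__main__":
    for label, (status, headers) in [("broken", BROKEN), ("fixed", FIXED), ("wildcard", WILDCARD)]:
        print(label, check_preflight(ORIGIN, "POST", SENT, status, headers))
```

Feed it the status code and response headers of the OPTIONS request as shown in the browser's Network tab; an empty list means the preflight would pass.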

📩 Still Stuck?

If you’re still experiencing issues:

  1. Open the browser console and take a screenshot of the full error message
  2. Note the exact steps taken before the error occurs
  3. Contact our support team with this info
