Skip to content
Jetrepo
Esc
navigateopen⌘Jpreview
On this page

Origins and auth

Set HTTPS origins, CORS, cookies, Google callbacks, and domain policy.

Configure all public origins as one identity boundary. A mismatched proxy route, callback, baked Admin URL, CORS origin, or cookie domain can cause sign-in loops.

Access

You need DNS, TLS, reverse-proxy, Google OAuth, and deployment-secret administration.

Map the origins

Value Route target
ADMIN_APP_PUBLIC_URL Admin app port 3000
CORE_API_PUBLIC_URL Core API port 3333
DELIVERY_API_PUBLIC_URL Delivery API port 4000
IMAGOR_PUBLIC_URL Image service port 8000
S3_PUBLIC_URL Object S3 API port 9000

Use origins without a path or trailing slash. Compose appends /graphql to the Delivery URL when building the Admin app.

Register the Google callback exactly:

${CORE_API_PUBLIC_URL}/api/auth/callback/google

Set GOOGLE_ALLOWED_DOMAIN to the one permitted Workspace domain. Email/password sign-in is disabled in this deployment.

Leave AUTH_COOKIE_DOMAIN empty for host-only cookies. Set a parent domain only when reviewed cross-subdomain SSR behavior requires it; this broadens where the session cookie is sent.

Core accepts credentialed CORS requests from its configured trusted Admin origin. Its shipped CORS policy also allows Apollo Studio, so include that public origin in your exposure review. A preview-target origin is a separate trust decision.

Apply and test

  1. Validate interpolation without printing secrets.

    docker compose -f docker-compose.prod.yaml config --quiet
  2. Recreate Core API after origin, OAuth, domain, or cookie changes. Rebuild Admin after either Core or Delivery public URL changes.

  3. Test allowed-domain sign-in, sign-out, token refresh, and Admin server-rendered navigation.

  4. Confirm an account outside the configured Workspace domain is rejected.

  5. Test an Admin-to-Core request through the deployed origins and inspect CORS and cookie behavior without recording credentials.

Rollback must restore proxy, DNS, OAuth callback, origins, and cookie scope as one coherent set, then rebuild Admin again. Diagnose callback mismatch, CORS rejection, cookie scope, and stale baked URLs separately.

Cross-subdomain cookies and live auth-secret rotation have not been production-drilled in repository evidence.

Was this page helpful?