Origins and auth
Set HTTPS origins, CORS, cookies, Google callbacks, and domain policy.
Configure all public origins as one identity boundary. A mismatched proxy route, callback, baked Admin URL, CORS origin, or cookie domain can cause sign-in loops.
Access
You need DNS, TLS, reverse-proxy, Google OAuth, and deployment-secret administration.
Map the origins
| Value | Route target |
|---|---|
ADMIN_APP_PUBLIC_URL |
Admin app port 3000 |
CORE_API_PUBLIC_URL |
Core API port 3333 |
DELIVERY_API_PUBLIC_URL |
Delivery API port 4000 |
IMAGOR_PUBLIC_URL |
Image service port 8000 |
S3_PUBLIC_URL |
Object S3 API port 9000 |
Use origins without a path or trailing slash. Compose appends /graphql to the Delivery URL when building the Admin app.
Register the Google callback exactly:
${CORE_API_PUBLIC_URL}/api/auth/callback/google
Set GOOGLE_ALLOWED_DOMAIN to the one permitted Workspace domain. Email/password sign-in is disabled in this deployment.
Choose cookie scope
Leave AUTH_COOKIE_DOMAIN empty for host-only cookies. Set a parent domain only when reviewed cross-subdomain SSR behavior requires it; this broadens where the session cookie is sent.
Core accepts credentialed CORS requests from its configured trusted Admin origin. Its shipped CORS policy also allows Apollo Studio, so include that public origin in your exposure review. A preview-target origin is a separate trust decision.
Apply and test
-
Validate interpolation without printing secrets.
docker compose -f docker-compose.prod.yaml config --quiet -
Recreate Core API after origin, OAuth, domain, or cookie changes. Rebuild Admin after either Core or Delivery public URL changes.
-
Test allowed-domain sign-in, sign-out, token refresh, and Admin server-rendered navigation.
-
Confirm an account outside the configured Workspace domain is rejected.
-
Test an Admin-to-Core request through the deployed origins and inspect CORS and cookie behavior without recording credentials.
Rollback must restore proxy, DNS, OAuth callback, origins, and cookie scope as one coherent set, then rebuild Admin again. Diagnose callback mismatch, CORS rejection, cookie scope, and stale baked URLs separately.
Cross-subdomain cookies and live auth-secret rotation have not been production-drilled in repository evidence.