Documentation & User Guides | Fotoware

Authorization of single-page JavaScript web apps (SPA) without back end


A single-page application (SPA) in this context means a pure front-end web application that does not communicate with a back end other than to load static resources, such as HTML and JavaScript.

There are three options: 

  • If your web application has a back end, use the same approach as for web applications and APIs (most secure, requires a back-end implementation).
  • Otherwise, enable CORS during application registration and use the same approach as for native applications.
  • Alternatively, use the implicit grant (deprecated). If your integration only uses the selection widget and does not make direct API requests, CORS is not required for this approach. The implicit grant is deprecated for security reasons and for compliance with OAuth 2.1.

Note: If FotoWeb On-Premises and the integration are hosted on the same domain, then it is not necessary to set up CORS.

Note: We strongly discourage using browser extensions or other means to circumvent or disable the browser's same-origin policy, as this would be a security risk.