Skip to content

Cross-origin token redemption allowed only for SPA client-type

Error message

Example error returned by Azure AD (customer identifiers removed):

AADSTS9002326: Cross-origin token redemption is permitted only for the 'Single-Page Application' client-type. Request origin: ''

This typically includes trace and correlation IDs in the original message (redacted here).

Symptoms

  • Browser-based authentication flows fail when exchanging/ redeeming tokens from the frontend, returning AADSTS9002326.
  • The frontend origin is shown in the error as the request origin.

Root cause

The application registration in Azure AD is configured as a Web client-type (or lacks an SPA platform configuration). Cross-origin token redemption from a browser is only allowed for apps registered with the Single-Page Application (SPA) platform in Azure AD. If the app is configured as a Web app, token redemption requests originating from browser JavaScript are blocked.

Resolution

Choose one of the following approaches depending on your architecture:

  1. Register or update the app to include an SPA platform

  2. Portal steps:

    1. In the Azure Portal go to Azure Active Directory -> App registrations and select the application.
    2. Choose Authentication.
    3. Under Platform configurations click Add a platform and select Single-page application.
    4. Add the frontend origin or redirect URI used by your SPA (e.g. https://<your-frontend-host>/ or the exact redirect URI used by MSAL).
    5. Save.
  3. Notes: modern SPAs should use the Authorization Code flow with PKCE (MSAL.js) rather than implicit flow. Ensure your frontend uses an appropriate library (MSAL.js) and the app registration is configured accordingly.

  4. Change the authentication flow to a server-side Web flow

  5. If the application is truly a server-side web app (confidential client), do not perform token redemption from browser scripts. Instead, perform the auth code exchange on the server (confidential client) where CORS restrictions do not apply.

  6. Recreate app registration if necessary

  7. Some teams prefer creating a dedicated SPA app registration rather than modifying an existing Web app registration. If you choose this, update configuration in Azure AD, API permissions, and the frontend client ID accordingly.

Verification checklist

  • [ ] The app registration has a Single-page application platform configured with the correct frontend origin/redirect URI
  • [ ] Frontend uses Authorization Code + PKCE (MSAL) for SPA flows
  • [ ] Browser authentication completes and tokens are redeemable without AADSTS9002326

Notes and references

  • Microsoft guidance: https://learn.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow
  • MSAL.js docs for SPAs: https://learn.microsoft.com/azure/active-directory/develop/msal-js-overview