Local Development for Ory Cloud
As explained in the Ory Security Model description, Ory APIs must be available on the same domain as your application to allow
communication between the systems. When developing locally, your application is often exposed at the localhost
domain.
The easiest way to achieve that is by using the Ory Tunnel. Ory Tunnel is a tool that is a part of the Ory CLI.
Copy the Ory Cloud project slug from your project's Connect page and start the Ory Tunnel:
ory tunnel --project <your-slug> --dev http://localhost:3000
Running this commands opens the 4000
port on your local machine. This address is connected to your Ory Cloud project and its
APIs. The value passed in the --dev
flag must point to the host and port of the application you develop locally. In the example,
the application runs On http://localhost:3000
.
tip
After starting the Tunnel, test it by performing the registration flow: http://localhost:4000/ui/registration
.
You can now start developing locally. Make sure to send any HTTP calls you make to http://localhost:4000
and not
https://<your-slug>.projects.oryapis.com
.
For example, when you configure the Ory SDK (here in NodeJS):
import { Configuration, V0alpha2Api } from "@ory/client"
const sdk = new V0alpha2Api(
new Configuration({
basePath: "http://localhost:4000", // instead of `https://<your-slug>.projects.oryapis.com`
baseOptions: {
withCredentials: true,
},
}),
)
Limitations & Gotchas
Using the Ory Tunnel has a few limitations and gotchas.
localhost
vs 127.0.0.1
Your local machine is usually available on both localhost
and 127.0.0.1
. For the browser these two domains are different
top-level-domains. Cookies set on localhost
will not be sent in requests to 127.0.0.1
and vice versa.
tip
If you encounter cookie issues, make sure that all of your requests are sent to localhost
and not 127.0.0.1
.
Social Sign-In
Currently, setting up social sign-in on localhost
isn't officially supported.
WebAuthn
Currently, WebAuthn isn't officially supported on localhost
. The reason for this is the explicit
origin matching in WebAuthn which is a measure against phishing.