About jwt plugin and CORS

When the jwt plugin returns a response with status code 401 because of an expired token, the response doesn’t have an ‘Access-Control-Allow-Origin: …’ header, so the web browser can’t access the response from JavaScript.

I know about the CORS plugin but don’t want to use the CORS plugin.

Instead, each upstream server handles CORS.

Is it possible to add a header when the jwt plugin returns a response?

Thank you in advance.

I think I found the solution.

I added 'kong.response.set_header("Access-Control-Allow-Origin", "*")' just before response.exit(…) in …/kong/plugins/jwt/handler.lua.

Can it cause a problem?

Instead, each upstream server handles CORS.

Why not add the CORS plugin to Kong’s service entity, since it represents the upstream server? This way you don’t need to modify the Kong source code in case the CORS parameter needs to change.

I misunderstood the usage of the CORS plugin.

Now the jwt and CORS plugins are both applied to each API server, and the problem that I mentioned is solved.

I forgot to post that I solved the problem this way.

Thank you for replying.

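The setup the thread settles on, written out as a Kong declarative config. This is an added example, not part of the original posts: the service name, upstream URL, route path and allowed origin are constructed placeholders, and the explicit origin is an assumption that replaces the "*" used in the handler.lua edit.

```yaml
# Added example: jwt and cors plugins applied to the same service, so the
# CORS settings live in Kong configuration instead of a patched handler.lua.
_format_version: "3.0"

services:
  - name: example-api                       # placeholder service name
    url: http://example-upstream.internal:8080   # placeholder upstream
    routes:
      - name: example-api-route             # placeholder route
        paths:
          - /api
    plugins:
      # CORS plugin on the service entity that represents the upstream.
      - name: cors
        config:
          origins:
            - https://app.example.com       # placeholder: the one front-end origin
          methods:
            - GET
            - POST
            - PUT
            - DELETE
            - OPTIONS
          headers:
            - Authorization                 # the request header carrying the JWT
            - Content-Type
          credentials: false
          max_age: 3600                     # seconds a browser may cache the preflight
      # jwt plugin on the same service; an expired token yields the 401
      # discussed in the thread.
      - name: jwt
        config:
          claims_to_verify:
            - exp
```

To confirm the behaviour described in the thread, send a request with an expired token and an Origin header matching the configured origin, then check that the 401 response includes Access-Control-Allow-Origin.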