linkCredentials: linking forbidden without first specifying allowed request origins

Hi there,

After anonymous login, I am performing linkCredentials with a Google credentials. I am getting following error

Can you please guide me how to fix this error.


Which SDK are you using?

Can you share the code that you’re using to set this up?

Hi Andrew,

I am using realm-web sdk in react-js.

Following is the code snippet:

import { App, Credentials } from "realm-web";

//Calling initializeRealmApp function from the root react component
const initializeRealmApp = () => {
  const app = new App({ id: process.env.REACT_APP_ID });
  return app;

//performing anonymous login to call some realm functions
const loginAnonymousRealm = () => {
  const app = App.getApp(process.env.REACT_APP_ID);
  const credentials = Credentials.anonymous();
  return app.logIn(credentials);

//Once user chooses to signin with Google
//Google Sdk callback the handleLogin function with "response" object, 
//which contains credential.
//handleLogin function in turn calls loginGoogleRealm function
const loginGoogleRealm = async (response) => {
  const app = App.getApp(process.env.REACT_APP_ID);
  const credential =;
  await app.currentUser.linkCredentials(credential);

Have you checked that everything is set up correctly (with the correct permissions etc.) in your Google app? Any logs on the Google side?

I’m experiencing the same issue with realm-web 1.3.0. Simplified use case:

const user = await app.logIn(Realm.Credentials.anonymous());
await app.emailPasswordAuth.registerUser(email, password);
const credentials = Realm.Credentials.emailPassword(email, password);
await user.linkCredentials(credentials);

The linkCredentials method results in Unhandled Rejection (Error): Request failed (POST linking forbidden without first specifying allowed request origins (status 403)

How do we specify the allowed request origin?

Turns out this is due to a setting in Realm. App Settings > Allowed Request Origins > + Add Allowed Request Origin.