KB-1976 Calls to Appian WebAPI fails with 401 unauthorized in Postman


WebAPI calls to Appian via Postman fail with HTTP 401 unauthorized, even if the WebAPI requires no authentication.

The following error also appears in the application server log:

ERROR com.appiancorp.security.cors.CorsFilter - CORS request rejected; invalid request from <IP ADDRESS> to /webapi javax.servlet.ServletException: CORS origin denied fhbjgbiflinjbdggehcddcbncdddomop not on allowed list:[]


The domain fhbjgbiflinjbdggehcddcbncdddomop is used by Postman to access Appian, which has not been added to the CORS list within Appian.


Add fhbjgbiflinjbdggehcddcbncdddomop to the CORS list under Embedded Interfaces in the Admin Console.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: August 2019