Onemap singapore authentocation error - getToken returning mutiple CORS headers

Trying to authenticate using Onemap Authentication docs

getting CORS error :
Access to XMLHttpRequest at ‘’ from origin ‘http://localhost:81’ has been blocked by CORS policy: The ‘Access-Control-Allow-Origin’ header contains multiple values ', ', but only one is allowed.

Tried using Ajax, post, used jquery, NodeJS
Deployed in local IIS and tried removing headers in webconfig, IIS HTTPResponseHeaders, Not working.

In Developer tool Network trace and Using postman, can see two headers in response:

@Justin.OneMap @onemap3

As far as I understand the headers have to be removed from Onemap side when sending the response.
Is there a way I can remove the getToken response headers before it hitting my browser?

Hi Sanchit, your problem may be elsewhere. This works for me. (See screenshot below)

Furthermore, you should NOT be using AJAX or JQuery to make these calls, because it implies you are encoding your username and password in the frontend application, which is UNSAFE. You will need to wrap the API call - i.e. write your own API (eg. in NodeJS) that calls OneMap’s API, so that your username and password stay on your server.

This is probably why you encountered the CORS error in the first place.


Hi Edwin,
Agree that using ajax or jquery and putting password and username in front end application might not be safe from the security stand point, but thats not the point of the issue.
The API docs have sample code that calls the api from front end part.


and the return of the API have 2 CORS header… if the API was meant to be used not for front end application then there shouldn’t be any sample code that show user how to use it that way in the first place?

Hi @Sanchit,

You should no longer see multiple CORS headers on the endpoint itself.

Please do let us know if you are still facing any difficulties.

Thank you.