Most Common Cause: Authorized JavaScript Origins Misconfiguration
Identity Management only allows authentication to be initiated from origins you explicitly authorize.
Where to Configure It
In the Piano dashboard, go to:
Edit Business → User Providers → Identity Management → Authorized (tab)
Add your site(s) under Authorized JavaScript Origins (and configure Redirect URIs as needed for your flows).
What to Enter
Enter only the scheme + host (origin). Do not include paths, query strings, or fragments.
|
Format |
Example |
Valid? |
|---|---|---|
|
Scheme + host only |
|
Correct |
|
Scheme + subdomain + host |
|
Correct |
|
Includes a path |
|
Incorrect |
|
Includes a query string |
|
Incorrect |
Subdomains and Environments
-
Add every domain/subdomain where the Piano SDK runs (for example,
https://www.example.com,https://checkout.example.comif applicable). -
If you use both Production and Sandbox setups, avoid configuring the same domain in multiple Identity Management applications/configurations, which can create conflicts.
Verify Your Integration Snippet Includes setPianoIdUrl
Your integration script must point to the Identity Management host, and it must be set before initializing experiences that use Identity Management.
At minimum, ensure these lines are present:
tp.push(['setEndpoint', 'https://buy.tinypass.com/api/v3']);
tp.push(['setPianoIdUrl', 'https://id.piano.io']);
Guidelines:
-
Place
setPianoIdUrlbefore callingtp.pianoId.init()and before initializing/triggering Composer experiences that may open the login modal. -
Remove any duplicate Piano SDK references.
-
Ensure you are not mixing sandbox vs. production endpoints unintentionally.
Check for Browser/Session Cookie Conflicts (Sandbox vs. Production)
If you are logged into Sandbox and Production in the same browser/profile, cookies can conflict and cause cookie auth failures.
Recommended actions:
-
Use separate browsers or separate browser profiles for each environment.
-
Alternatively, use an incognito/private window for one environment.
-
Clear existing Piano-related cookies and retry (to eliminate expired/malformed cookies).
Browser-Side Cookie Restrictions (Safari / iOS / In-App Browsers)
Some browsers (especially Safari and iOS in-app browsers) enforce restrictions (for example, Apple Intelligent Tracking Prevention) that can shorten cookie lifetimes or interfere with JavaScript-set cookies, which may trigger this error even when cookies are "enabled."
To diagnose: Re-test in Chrome or Firefox. If it works there but fails in Safari/iOS, cookie restrictions are likely involved.
Mitigation options vary by implementation, but may include setting cookies in a first-party context (for example, via a custom endpoint or edge worker) so the browser treats them as first-party.
Other Things That Can Block the Cookie Handshake
-
Consent management platforms (CMPs) or ad/content blockers can interfere with cookie writes/reads.
-
Temporarily disable them and re-test to confirm.
-
If You Still See the Error
Collect the following to speed up troubleshooting:
-
The exact page URL where the error occurs (including whether it's sandbox or production)
-
The Authorized JavaScript Origins list currently configured
-
Confirmation that
setPianoIdUrlis present and runs before Identity Management/experience initialization -
Browser + version (and whether it's an in-app browser)
-
Console logs and (if available) a HAR capture reproducing the issue