We’ve migrated our documentation to a new site, which means some URLs have changed.
Subscriptions

How Do I Troubleshoot "Opening the Identity Management Screen Is Forbidden" in Identity Management?

Most Common Cause: Authorized JavaScript Origins Misconfiguration

Identity Management only allows authentication to be initiated from origins you explicitly authorize.

Where to Configure It

In the Piano dashboard, go to:

Edit Business → User Providers → Identity Management → Authorized (tab)

Add your site(s) under Authorized JavaScript Origins (and configure Redirect URIs as needed for your flows).

What to Enter

Enter only the scheme + host (origin). Do not include paths, query strings, or fragments.

Format

Example

Valid?

Scheme + host only

https://example.com

Correct

Scheme + subdomain + host

https://www.example.com

Correct

Includes a path

https://example.com/path

Incorrect

Includes a query string

https://example.com/path?x=1

Incorrect

Subdomains and Environments

  • Add every domain/subdomain where the Piano SDK runs (for example, https://www.example.com, https://checkout.example.com if applicable).

  • If you use both Production and Sandbox setups, avoid configuring the same domain in multiple Identity Management applications/configurations, which can create conflicts.

Verify Your Integration Snippet Includes setPianoIdUrl

Your integration script must point to the Identity Management host, and it must be set before initializing experiences that use Identity Management.

At minimum, ensure these lines are present:

tp.push(['setEndpoint', 'https://buy.tinypass.com/api/v3']);
tp.push(['setPianoIdUrl', 'https://id.piano.io']);

Guidelines:

  • Place setPianoIdUrl before calling tp.pianoId.init() and before initializing/triggering Composer experiences that may open the login modal.

  • Remove any duplicate Piano SDK references.

  • Ensure you are not mixing sandbox vs. production endpoints unintentionally.

If you are logged into Sandbox and Production in the same browser/profile, cookies can conflict and cause cookie auth failures.

Recommended actions:

  • Use separate browsers or separate browser profiles for each environment.

  • Alternatively, use an incognito/private window for one environment.

  • Clear existing Piano-related cookies and retry (to eliminate expired/malformed cookies).

Some browsers (especially Safari and iOS in-app browsers) enforce restrictions (for example, Apple Intelligent Tracking Prevention) that can shorten cookie lifetimes or interfere with JavaScript-set cookies, which may trigger this error even when cookies are "enabled."

To diagnose: Re-test in Chrome or Firefox. If it works there but fails in Safari/iOS, cookie restrictions are likely involved.

Mitigation options vary by implementation, but may include setting cookies in a first-party context (for example, via a custom endpoint or edge worker) so the browser treats them as first-party.

  • Consent management platforms (CMPs) or ad/content blockers can interfere with cookie writes/reads.

    • Temporarily disable them and re-test to confirm.

If You Still See the Error

Collect the following to speed up troubleshooting:

  • The exact page URL where the error occurs (including whether it's sandbox or production)

  • The Authorized JavaScript Origins list currently configured

  • Confirmation that setPianoIdUrl is present and runs before Identity Management/experience initialization

  • Browser + version (and whether it's an in-app browser)

  • Console logs and (if available) a HAR capture reproducing the issue

Last updated: