diff --git a/Cargo.lock b/Cargo.lock
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2902,6 +2902,7 @@
 "tonic 0.9.2",
 "tonic-build 0.9.2",
 "tonic-web",
+ "tower",
 "tower-http",
 "tracing",
 "tracing-subscriber",
diff --git a/Cargo.toml b/Cargo.toml
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -100,3 +100,4 @@
 url = "2.5"
 uuid = "1.3"
 wasm-bindgen = "0.2"
+tower = "0.4"
diff --git a/services/identity/Cargo.toml b/services/identity/Cargo.toml
--- a/services/identity/Cargo.toml
+++ b/services/identity/Cargo.toml
@@ -42,6 +42,7 @@
 reqwest = { workspace = true, features = ["json", "rustls-tls"] }
 futures = { workspace = true }
 url = { workspace = true }
+tower = { workspace = true }
 [build-dependencies]
 tonic-build = "0.9.1"
diff --git a/services/identity/src/constants.rs b/services/identity/src/constants.rs
--- a/services/identity/src/constants.rs
+++ b/services/identity/src/constants.rs
@@ -310,11 +310,12 @@
 pub const DEFAULT_MAX_AGE: Duration = Duration::from_secs(24 * 60 * 60);
 pub const DEFAULT_EXPOSED_HEADERS: [&str; 3] =
 ["grpc-status", "grpc-message", "grpc-status-details-bin"];
- pub const DEFAULT_ALLOW_HEADERS: [&str; 11] = [
+ pub const DEFAULT_ALLOW_HEADERS: [&str; 12] = [
 "x-grpc-web",
 "content-type",
 "x-user-agent",
 "grpc-timeout",
+ "authorization",
 super::request_metadata::CODE_VERSION,
 super::request_metadata::STATE_VERSION,
 super::request_metadata::MAJOR_DESKTOP_VERSION,
diff --git a/services/identity/src/websockets/mod.rs b/services/identity/src/websockets/mod.rs
--- a/services/identity/src/websockets/mod.rs
+++ b/services/identity/src/websockets/mod.rs
@@ -15,6 +15,7 @@
 };
 use serde::{Deserialize, Serialize};
 use tokio::net::TcpListener;
+use tower::ServiceBuilder;
 use tracing::{debug, error, info, warn};
 mod auth;
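Review bot: The new `"authorization"` entry in `DEFAULT_ALLOW_HEADERS` (services/identity/src/constants.rs) has no comment explaining why browser clients now need to send credentials cross-origin, and the list is only as safe as the origin policy it is paired with. The allowed origins are not visible in this hunk, so it is worth confirming that the CORS layer uses an explicit origin list rather than a wildcard or a mirrored origin before a credential-bearing header is permitted. I would add above the entry `// Lets browser clients send bearer credentials; allowed origins must remain an explicit allow-list`. The array and its enclosing module continue outside the hunk.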
@@ -26,6 +27,7 @@
 error_types, IDENTITY_SEARCH_INDEX, IDENTITY_SEARCH_RESULT_SIZE, IDENTITY_SERVICE_WEBSOCKET_ADDR, SOCKET_HEARTBEAT_TIMEOUT,
 };
+use crate::cors::cors_layer;
 use opensearch::OpenSearchResponse;
 use send::{send_message, WebsocketSink};
 pub mod errors;
@@ -108,7 +110,12 @@
 while let Ok((stream, addr)) = listener.accept().await {
 let db_client = db_client.clone();
 let connection = http
- .serve_connection(stream, WebsocketService { addr, db_client })
+ .serve_connection(
+ stream,
+ ServiceBuilder::new()
+ .layer(cors_layer())
+ .service(WebsocketService { addr, db_client }),
+ )
 .with_upgrades();
 tokio::spawn(async move {
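Review bot: Wrapping `WebsocketService` in `cors_layer()` in the accept loop of services/identity/src/websockets/mod.rs does not restrict who can open a socket, because browsers do not apply CORS to WebSocket handshakes; only ordinary HTTP requests on this listener are affected. Whether `WebsocketService` validates the `Origin` header during the upgrade is not visible here, so that check should be confirmed or added there. A comment such as `// CORS applies to plain HTTP only; the upgrade path must check Origin itself` would keep the layer from being read as the access control. Separately, the layer is rebuilt for every accepted connection; assuming the value returned by `cors_layer()` is `Clone`, `let cors = cors_layer();` before the loop and `.layer(cors.clone())` inside would avoid that. The loop body continues past the end of the hunk.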