diff --git a/api/v1alpha1/oauth2client_types.go b/api/v1alpha1/oauth2client_types.go
index ad79d0f..07bc974 100644
--- a/api/v1alpha1/oauth2client_types.go
+++ b/api/v1alpha1/oauth2client_types.go
@@ -91,6 +91,9 @@ type OAuth2ClientSpec struct {
 // PostLogoutRedirectURIs is an array of the post logout redirect URIs allowed for the application
 PostLogoutRedirectURIs []RedirectURI `json:"postLogoutRedirectUris,omitempty"`
+ // AllowedCorsOrigins is an array of allowed CORS origins
+ AllowedCorsOrigins []RedirectURI `json:"allowedCorsOrigins,omitempty"`
+
 // Audience is a whitelist defining the audiences this client is allowed to request tokens for
 Audience []string `json:"audience,omitempty"`
@@ -185,6 +188,7 @@ func (c *OAuth2Client) ToOAuth2ClientJSON() *hydra.OAuth2ClientJSON {
 ResponseTypes: responseToStringSlice(c.Spec.ResponseTypes),
 RedirectURIs: redirectToStringSlice(c.Spec.RedirectURIs),
 PostLogoutRedirectURIs: redirectToStringSlice(c.Spec.PostLogoutRedirectURIs),
+ AllowedCorsOrigins: redirectToStringSlice(c.Spec.AllowedCorsOrigins),
 Audience: c.Spec.Audience,
 Scope: c.Spec.Scope,
 Owner: fmt.Sprintf("%s/%s", c.Name, c.Namespace),
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index 164291a..40dfc27 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -121,6 +121,11 @@ func (in *OAuth2ClientSpec) DeepCopyInto(out *OAuth2ClientSpec) { *out = make([]RedirectURI, len(*in)) copy(*out, *in) } + if in.AllowedCorsOrigins != nil { + in, out := &in.AllowedCorsOrigins, &out.AllowedCorsOrigins + *out = make([]RedirectURI, len(*in)) + copy(*out, *in) + } if in.Audience != nil { in, out := &in.Audience, &out.Audience *out = make([]string, len(*in))
diff --git a/config/crd/bases/hydra.ory.sh_oauth2clients.yaml b/config/crd/bases/hydra.ory.sh_oauth2clients.yaml
index e8aec8a..0573a37 100644
--- a/config/crd/bases/hydra.ory.sh_oauth2clients.yaml
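Review bot: `AllowedCorsOrigins` in `OAuth2ClientSpec` (api/v1alpha1/oauth2client_types.go) reuses the `RedirectURI` type, so the only validation it gets is the redirect-URI pattern, which the generated CRD in this commit shows as `\w+:/?/?[^\s]+`. That pattern accepts values with a path, a query string or a wildcard host, while a CORS origin is only scheme, host and optional port. An entry with a path would presumably never match a browser's `Origin` header, and an overly broad entry passes admission unnoticed and widens which sites may call this client's endpoints from a browser. Consider a dedicated string type with its own, tighter validation pattern, and at minimum state the expected form in the field comment, e.g. `// AllowedCorsOrigins lists the origins (scheme://host[:port], no path) allowed to make cross-origin requests for this client`. The struct starts and ends outside the hunk.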
+++ b/config/crd/bases/hydra.ory.sh_oauth2clients.yaml
@@ -387,6 +387,12 @@ spec: type: object spec: properties: + allowedCorsOrigins: + description: AllowedCorsOrigins is an array of allowed CORS origins + items: + pattern: \w+:/?/?[^\s]+ + type: string + type: array audience: description: Audience is a whitelist defining the audiences this client is allowed to request tokens for
diff --git a/hydra/types.go b/hydra/types.go
index 8bd3f7e..24de0cf 100644
--- a/hydra/types.go
+++ b/hydra/types.go
@@ -14,6 +14,7 @@ type OAuth2ClientJSON struct {
 GrantTypes []string `json:"grant_types"`
 RedirectURIs []string `json:"redirect_uris,omitempty"`
 PostLogoutRedirectURIs []string `json:"post_logout_redirect_uris,omitempty"`
+ AllowedCorsOrigins []string `json:"allowed_cors_origins,omitempty"`
 ResponseTypes []string `json:"response_types,omitempty"`
 Audience []string `json:"audience,omitempty"`
 Scope string `json:"scope"`
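Review bot: `omitempty` on the new `AllowedCorsOrigins` field in `OAuth2ClientJSON` (hydra/types.go) drops the key from the request body when the list is empty, so removing every origin from the custom resource sends no `allowed_cors_origins` at all. Whether that clears origins already registered for the client depends on how the update call treats absent fields, which this diff does not show; if they are kept, a revoked origin would retain cross-origin access. A test that empties the list on an existing client and checks the resulting payload or stored client would settle it. A comment such as `// empty list is omitted from the payload; the update must still clear origins server-side` would record the expectation. The struct continues outside the hunk.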