Skip to main content
Overview Public endpoints support CORS for safe browser calls. Defaults
HeaderExample/Value
Access-Control-Allow-Origin* (or configured app URL / allowlist)
Access-Control-Allow-MethodsGET, POST, OPTIONS
Access-Control-Allow-HeadersContent-Type, Authorization, X-Api-Key, Idempotency-Key
Access-Control-Allow-Credentialstrue
Notes
  • Preflight OPTIONS is supported.
  • Prefer server‑side calls for API keys; use CORS only when necessary.