# CORS API > Build correct CORS response headers and evaluate preflight requests — without re-reading the spec every time. The headers endpoint turns a simple policy (allowed origins, methods, request headers, whether credentials are allowed, a preflight max-age and any exposed response headers) into the exact set of Access-Control-* headers to return, and it handles the parts people get wrong: you cannot combine a wildcard origin with credentials, so it reflects the specific request origin and adds Vary: Origin instead; it omits the allow-origin header when an origin is not on your list; and it warns when a configuration would not behave as expected. The check endpoint takes an incoming request — its Origin, the (requested) method and the Access-Control-Request-Headers — and tells you whether it would pass CORS, the precise reason if it fails, and the response headers you should send back. Everything is computed locally and deterministically, so it is instant and private. Ideal for API gateways and backends, edge and serverless functions, debugging browser CORS errors, and getting a security policy exactly right. Pure local computation — no key, no third-party service, instant. Live, nothing stored. 3 endpoints. This builds and checks the headers; it does not make a cross-origin request — to inspect a live site's security headers use a security-headers API. ## Authentication All requests require your oanor API key in the `x-oanor-key` header. Get one at https://www.oanor.com/developer/keys. ```bash curl -H "x-oanor-key: oanor_live_…" "https://api.oanor.com/cors-api/..." ``` ## Pricing - **Free** (Free) — 3,435 calls/Mo, 2 req/s - **Starter** ($5/Mo) — 12,950 calls/Mo, 8 req/s - **Pro** ($25/Mo) — 180,500 calls/Mo, 20 req/s - **Mega** ($63/Mo) — 945,000 calls/Mo, 50 req/s ## Endpoints ### CORS #### `GET /v1/check` — Evaluate a CORS request **Parameters:** - `origin` (query, required, string) — The request Origin Example: `https://app.example.com` - `method` (query, optional, string) — The (requested) method Example: `POST` - `request_headers` (query, optional, string) — The Access-Control-Request-Headers list - `origins` (query, optional, string) — Allowed origins (comma list or *) - `methods` (query, optional, string) — Allowed methods - `headers` (query, optional, string) — Allowed request headers - `credentials` (query, optional, string) — true to allow credentials **Example:** ```bash curl -H "x-oanor-key: $KEY" \ "https://api.oanor.com/cors-api/v1/check?origin=https%3A%2F%2Fapp.example.com&method=POST" ``` **Response:** ```json { "data": { "method": "POST", "origin": "https://app.example.com", "allowed": true, "reasons": [], "response_headers": { "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Headers": "Content-Type, Authorization", "Access-Control-Allow-Methods": "GET, POST, PUT, PATCH, DELETE, OPTIONS" } }, "meta": { "timestamp": "2026-06-03T09:25:00.551Z", "request_id": "cef1e3d1-c2ff-4613-9cc4-1eec41db1622" }, "status": "ok", "message": "Evaluate a CORS request", "success": true } ``` #### `GET /v1/headers` — Build CORS headers **Parameters:** - `origins` (query, optional, string) — Allowed origins (comma list or *) — default * Example: `*` - `methods` (query, optional, string) — Allowed methods - `headers` (query, optional, string) — Allowed request headers (or *) - `credentials` (query, optional, string) — true to allow credentials - `max_age` (query, optional, string) — Preflight cache seconds - `expose` (query, optional, string) — Response headers to expose - `origin` (query, optional, string) — A request Origin to reflect/validate Example: `https://app.example.com` **Example:** ```bash curl -H "x-oanor-key: $KEY" \ "https://api.oanor.com/cors-api/v1/headers?origins=%2A&origin=https%3A%2F%2Fapp.example.com" ``` **Response:** ```json { "data": { "origin": "https://app.example.com", "allowed": true, "headers": { "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Headers": "Content-Type, Authorization", "Access-Control-Allow-Methods": "GET, POST, PUT, PATCH, DELETE, OPTIONS" }, "header_string": "Access-Control-Allow-Origin: *\nAccess-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE, OPTIONS\nAccess-Control-Allow-Headers: Content-Type, Authorization" }, "meta": { "timestamp": "2026-06-03T09:25:00.652Z", "request_id": "e6ad9866-7ba0-4eb1-bb57-6feb132c1ce4" }, "status": "ok", "message": "Build CORS headers", "success": true } ``` ### Meta #### `GET /v1/meta` — Spec **Example:** ```bash curl -H "x-oanor-key: $KEY" \ "https://api.oanor.com/cors-api/v1/meta" ``` **Response:** ```json { "data": { "name": "CORS API", "notes": "A wildcard origin '*' cannot be combined with credentials — reflect a specific origin and add Vary: Origin instead. This builds and checks the headers; it does not make a request. Nothing is stored.", "version": "v1", "endpoints": [ { "path": "/v1/headers", "params": { "expose": "response headers to expose", "origin": "a request Origin to reflect/validate", "headers": "allowed request headers (or *) — default Content-Type, Authorization", "max_age": "preflight cache seconds", "methods": "allowed methods — default GET, POST, PUT, PATCH, DELETE, OPTIONS", "origins": "allowed origins (comma list or *) — default *", "credentials": "true to allow credentials" }, "returns": "the Access-Control-* headers to send" }, { "path": "/v1/check", "params": { "method": "the (requested) method", "origin": "the request Origin (required)", "…policy": "same origins/methods/headers/credentials fields as /v1/headers", "request_headers": "the Access-Control-Request-Headers list" }, "returns": "whether the request is allowed, why not, a …(truncated, see openapi.json for full schema) ``` --- Marketplace page: https://www.oanor.com/api/cors-api OpenAPI spec: https://www.oanor.com/api/cors-api/openapi.json