{"openapi":"3.1.0","info":{"title":"CORS API","version":"1.0.0","description":"Build correct CORS response headers and evaluate preflight requests — without re-reading the spec every time. The headers endpoint turns a simple policy (allowed origins, methods, request headers, whether credentials are allowed, a preflight max-age and any exposed response headers) into the exact set of Access-Control-* headers to return, and it handles the parts people get wrong: you cannot combine a wildcard origin with credentials, so it reflects the specific request origin and adds Vary: Origin instead; it omits the allow-origin header when an origin is not on your list; and it warns when a configuration would not behave as expected. The check endpoint takes an incoming request — its Origin, the (requested) method and the Access-Control-Request-Headers — and tells you whether it would pass CORS, the precise reason if it fails, and the response headers you should send back. Everything is computed locally and deterministically, so it is instant and private. Ideal for API gateways and backends, edge and serverless functions, debugging browser CORS errors, and getting a security policy exactly right. Pure local computation — no key, no third-party service, instant. Live, nothing stored. 3 endpoints. This builds and checks the headers; it does not make a cross-origin request — to inspect a live site's security headers use a security-headers API.","contact":{"name":"PremiumApi","url":"https://www.oanor.com/by/premiumapi"}},"servers":[{"url":"https://api.oanor.com/cors-api","description":"oanor gateway"}],"tags":[{"name":"CORS"},{"name":"Meta"}],"components":{"securitySchemes":{"oanorKey":{"type":"apiKey","in":"header","name":"x-oanor-key","description":"Get your key at https://www.oanor.com/developer/keys"}}},"security":[{"oanorKey":[]}],"paths":{"/v1/check":{"get":{"operationId":"get_v1_check","tags":["CORS"],"summary":"Evaluate a CORS request","description":"","parameters":[{"name":"origin","in":"query","required":true,"description":"The request Origin","schema":{"type":"string"},"example":"https://app.example.com"},{"name":"method","in":"query","required":false,"description":"The (requested) method","schema":{"type":"string"},"example":"POST"},{"name":"request_headers","in":"query","required":false,"description":"The Access-Control-Request-Headers list","schema":{"type":"string"}},{"name":"origins","in":"query","required":false,"description":"Allowed origins (comma list or *)","schema":{"type":"string"}},{"name":"methods","in":"query","required":false,"description":"Allowed methods","schema":{"type":"string"}},{"name":"headers","in":"query","required":false,"description":"Allowed request headers","schema":{"type":"string"}},{"name":"credentials","in":"query","required":false,"description":"true to allow credentials","schema":{"type":"string"}}],"security":[{"oanorKey":[]}],"responses":{"200":{"description":"OK","content":{"application/json":{"example":{"data":{"method":"POST","origin":"https://app.example.com","allowed":true,"reasons":[],"response_headers":{"Access-Control-Allow-Origin":"*","Access-Control-Allow-Headers":"Content-Type, Authorization","Access-Control-Allow-Methods":"GET, POST, PUT, PATCH, DELETE, OPTIONS"}},"meta":{"timestamp":"2026-06-03T09:25:00.551Z","request_id":"cef1e3d1-c2ff-4613-9cc4-1eec41db1622"},"status":"ok","message":"Evaluate a CORS request","success":true}}}},"401":{"description":"Missing or invalid x-oanor-key header"},"402":{"description":"Active subscription required"},"429":{"description":"Rate-limit or monthly quota reached"},"502":{"description":"Upstream did not respond"}}}},"/v1/headers":{"get":{"operationId":"get_v1_headers","tags":["CORS"],"summary":"Build CORS headers","description":"","parameters":[{"name":"origins","in":"query","required":false,"description":"Allowed origins (comma list or *) — default *","schema":{"type":"string"},"example":"*"},{"name":"methods","in":"query","required":false,"description":"Allowed methods","schema":{"type":"string"}},{"name":"headers","in":"query","required":false,"description":"Allowed request headers (or *)","schema":{"type":"string"}},{"name":"credentials","in":"query","required":false,"description":"true to allow credentials","schema":{"type":"string"}},{"name":"max_age","in":"query","required":false,"description":"Preflight cache seconds","schema":{"type":"string"}},{"name":"expose","in":"query","required":false,"description":"Response headers to expose","schema":{"type":"string"}},{"name":"origin","in":"query","required":false,"description":"A request Origin to reflect/validate","schema":{"type":"string"},"example":"https://app.example.com"}],"security":[{"oanorKey":[]}],"responses":{"200":{"description":"OK","content":{"application/json":{"example":{"data":{"origin":"https://app.example.com","allowed":true,"headers":{"Access-Control-Allow-Origin":"*","Access-Control-Allow-Headers":"Content-Type, Authorization","Access-Control-Allow-Methods":"GET, POST, PUT, PATCH, DELETE, OPTIONS"},"header_string":"Access-Control-Allow-Origin: *\nAccess-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE, OPTIONS\nAccess-Control-Allow-Headers: Content-Type, Authorization"},"meta":{"timestamp":"2026-06-03T09:25:00.652Z","request_id":"e6ad9866-7ba0-4eb1-bb57-6feb132c1ce4"},"status":"ok","message":"Build CORS headers","success":true}}}},"401":{"description":"Missing or invalid x-oanor-key header"},"402":{"description":"Active subscription required"},"429":{"description":"Rate-limit or monthly quota reached"},"502":{"description":"Upstream did not respond"}}}},"/v1/meta":{"get":{"operationId":"get_v1_meta","tags":["Meta"],"summary":"Spec","description":"","parameters":[],"security":[{"oanorKey":[]}],"responses":{"200":{"description":"OK","content":{"application/json":{"example":{"data":{"name":"CORS API","notes":"A wildcard origin '*' cannot be combined with credentials — reflect a specific origin and add Vary: Origin instead. This builds and checks the headers; it does not make a request. Nothing is stored.","version":"v1","endpoints":[{"path":"/v1/headers","params":{"expose":"response headers to expose","origin":"a request Origin to reflect/validate","headers":"allowed request headers (or *) — default Content-Type, Authorization","max_age":"preflight cache seconds","methods":"allowed methods — default GET, POST, PUT, PATCH, DELETE, OPTIONS","origins":"allowed origins (comma list or *) — default *","credentials":"true to allow credentials"},"returns":"the Access-Control-* headers to send"},{"path":"/v1/check","params":{"method":"the (requested) method","origin":"the request Origin (required)","…policy":"same origins/methods/headers/credentials fields as /v1/headers","request_headers":"the Access-Control-Request-Headers list"},"returns":"whether the request is allowed, why not, and the headers to send"},{"path":"/v1/meta","params":[],"returns":"this document"}],"description":"Build correct CORS response headers and evaluate preflight requests. The headers endpoint turns a simple policy — allowed origins, methods, request headers, credentials, max-age and exposed headers — into the exact Access-Control-* headers to return, handling the tricky parts: wildcard vs credentials (you cannot use '*' with credentials), origin reflection and the Vary: Origin header. The check endpoint takes an incoming request's origin, method and requested headers and tells you whether it would pass CORS, why not if it fails, and the headers you should send back. Pure local, no key."},"meta":{"timestamp":"2026-06-03T09:25:00.756Z","request_id":"59d94c28-3c0f-4231-b2a3-fd72fbcf0cb1"},"status":"ok","message":"Meta","success":true}}}},"401":{"description":"Missing or invalid x-oanor-key header"},"402":{"description":"Active subscription required"},"429":{"description":"Rate-limit or monthly quota reached"},"502":{"description":"Upstream did not respond"}}}}},"x-oanor-pricing":[{"slug":"free","name":"Free","price_cents_month":0,"monthly_call_quota":3435,"rps_limit":2,"hard_limit":true},{"slug":"starter","name":"Starter","price_cents_month":495,"monthly_call_quota":12950,"rps_limit":8,"hard_limit":true},{"slug":"pro","name":"Pro","price_cents_month":2485,"monthly_call_quota":180500,"rps_limit":20,"hard_limit":true},{"slug":"mega","name":"Mega","price_cents_month":6285,"monthly_call_quota":945000,"rps_limit":50,"hard_limit":true}],"x-oanor-marketplace-url":"https://www.oanor.com/api/cors-api"}