▎ Hi — I'm calling the π collective API (https://pi.ruv.io/v1/*) from a browser app and the requests work server-side but get blocked in the browser. The responses are missing the Access-Control-Allow-Origin header.
▎
▎ Right now your preflight (OPTIONS /v1/...) already returns:
▎ access-control-allow-methods: GET,POST,DELETE,OPTIONS
▎ access-control-allow-headers: authorization,content-type,accept
▎ vary: origin
▎ ...but no Access-Control-Allow-Origin, on either the preflight or the actual GET response. (The vary: origin suggests you allowlist origins per-request — mine just isn't on the list.)
▎
▎ Could you return Access-Control-Allow-Origin for any origins, on both the OPTIONS preflight and the GET response, or just mine:
▎ - https://app.conceptmapping.org
▎ - https://conceptmapping.org
▎
▎ Allow-Methods: GET, OPTIONS and Allow-Headers: authorization are already correct. I send the key as a Bearer token, not cookies, so you don't need Access-Control-Allow-Credentials — and Access-Control-Allow-Origin: * would work too if per-origin allowlisting is inconvenient.
▎
▎ Thanks!