
Endpoint

PATCH /apiops/projects/{projectName}/apiProxies/{apiProxyName}/settings/cors/

Authentication

Requires a Personal API Access Token.
Authorization: Bearer YOUR_TOKEN

Request

Headers

Header | Value | Required
--- | --- | ---
Authorization | Bearer | Yes
Content-Type | application/json | Yes

Path Parameters

Parameter | Type | Required | Description
--- | --- | --- | ---
projectName | string | Yes | Project name
apiProxyName | string | Yes | API Proxy name

Request Body

Full JSON Body Example

{
  "corsSettings": {
    "name": "CORS Settings",
    "description": "CORS configuration for API",
    "corsActive": true,
    "allowOriginList": ["*"],
    "allowMethodList": ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"],
    "allowHeaderList": ["*"],
    "exposeHeaderList": ["X-Custom-Header"],
    "allowCredentials": "false",
    "maxAge": 3600
  },
  "deploy": false,
  "deployTargetEnvironmentNameList": []
}

Request Body Fields

Field | Type | Required | Default | Description
--- | --- | --- | --- | ---
corsSettings | object | Yes | - | CORS settings object (see fields below)
deploy | boolean | No | false | If true, deploy the API proxy after saving changes
deployTargetEnvironmentNameList | array[string] | No | - | List of environment names to deploy to (required when deploy=true)

corsSettings Fields

Field | Type | Required | Default | Description
--- | --- | --- | --- | ---
name | string | Yes | - | CORS settings name
description | string | No | - | CORS settings description
corsActive | boolean | No | false | Enable/disable CORS
allowOriginList | array | No | [] | List of allowed origins (use ["*"] for all origins)
allowMethodList | array | No | [] | List of allowed HTTP methods
allowHeaderList | array | No | [] | List of allowed headers (use ["*"] for all headers)
exposeHeaderList | array | No | [] | List of headers exposed to client
allowCredentials | string | No | "false" | Allow credentials ("true" or "false")
maxAge | integer | No | 3600 | Max age for preflight requests in seconds

EnumHttpRequestMethod

  • GET - GET method
  • POST - POST method
  • PUT - PUT method
  • DELETE - DELETE method
  • PATCH - PATCH method
  • OPTIONS - OPTIONS method
  • HEAD - HEAD method
  • TRACE - TRACE method
  • ALL - All methods

Note

  • allowOriginList can contain "*" to allow all origins, but this cannot be used with allowCredentials: "true"
  • allowHeaderList can contain "*" to allow all headers
  • allowCredentials must be a string ("true" or "false"), not a boolean

Response

Success Response (200 OK)

{
  "success": true
}

When deploy=true is specified:

{
  "success": true,
  "deploymentResult": {
    "success": true,
    "deploymentResults": [
      {
        "environmentName": "production",
        "success": true,
        "message": "Deployment successful"
      }
    ]
  }
}

Response Fields

Field | Type | Description
--- | --- | ---
success | boolean | Indicates if the request was successful
deploymentResult | object | Deployment result (only present when deploy=true)
deploymentResult.success | boolean | Overall deployment success
deploymentResult.deploymentResults | array | Individual environment deployment results

Error Response (400 Bad Request)

{
  "error": "bad_request",
  "error_description": "Invalid CORS settings"
}

Error Response (401 Unauthorized)

{
  "error": "unauthorized_client",
  "error_description": "Invalid token"
}

Error Response (404 Not Found)

{
  "error": "not_found",
  "error_description": "ApiProxy (name: MyAPI) was not found!"
}

cURL Example

Example 1: Enable CORS for All Origins

curl -X PATCH \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/settings/cors/" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "corsSettings": {
      "name": "CORS Settings",
      "corsActive": true,
      "allowOriginList": ["*"],
      "allowMethodList": ["GET", "POST", "PUT", "DELETE"],
      "allowHeaderList": ["*"],
      "allowCredentials": "false",
      "maxAge": 3600
    }
  }'

Example 2: Enable CORS for Specific Origins

curl -X PATCH \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/settings/cors/" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "corsSettings": {
      "name": "CORS Settings",
      "corsActive": true,
      "allowOriginList": [
        "https://example.com",
        "https://app.example.com"
      ],
      "allowMethodList": ["GET", "POST"],
      "allowHeaderList": ["Content-Type", "Authorization"],
      "exposeHeaderList": ["X-Custom-Header"],
      "allowCredentials": "true",
      "maxAge": 7200
    }
  }'

Example 3: Save and Deploy

curl -X PATCH \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/settings/cors/" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "corsSettings": {
      "name": "CORS Settings",
      "corsActive": true,
      "allowOriginList": ["*"],
      "allowMethodList": ["GET", "POST"],
      "allowHeaderList": ["*"],
      "allowCredentials": "false",
      "maxAge": 3600
    },
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"]
  }'

Notes and Warnings

  • Wildcard Origin: Using "*" in allowOriginList allows all origins but cannot be used with allowCredentials: "true"
  • Credentials: When allowCredentials is "true", you must specify exact origins (no wildcard)
  • Preflight Requests: The maxAge value determines how long, in seconds, browsers cache the response to a preflight OPTIONS request
  • Headers: Use ["*"] in allowHeaderList to allow all headers, or specify exact header names
  • Exposed Headers: Headers in exposeHeaderList are accessible to client-side JavaScript
  • Deploy: When deploy=true, the API proxy is automatically deployed to the specified environments after saving
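
The constraints in the Note and Notes and Warnings lists can be checked on the client before the PATCH is sent. The Python below is an added example, not Apinizer's own code; lint_cors_request and the two sample bodies are hypothetical names and constructed inputs, and the checks cover only the rules stated on this page.

```python
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE", "PATCH",
                   "OPTIONS", "HEAD", "TRACE", "ALL"}  # EnumHttpRequestMethod


def lint_cors_request(body):
    """Return a list of rule violations for a PATCH .../settings/cors/ body."""
    cors = body.get("corsSettings")
    if not isinstance(cors, dict):
        return ["corsSettings is required and must be an object"]
    problems = []
    name = cors.get("name")
    if not isinstance(name, str) or not name:
        problems.append("corsSettings.name is required")

    creds = cors.get("allowCredentials", "false")
    if not isinstance(creds, str) or creds not in ("true", "false"):
        problems.append('allowCredentials must be the string "true" or "false"')
    # Flag the wildcard/credentials conflict even if the flag was sent as a boolean.
    if "*" in (cors.get("allowOriginList") or []) and str(creds).lower() == "true":
        problems.append('"*" in allowOriginList cannot be used with allowCredentials "true"')

    for method in cors.get("allowMethodList") or []:
        if method not in ALLOWED_METHODS:
            problems.append(f"unknown method in allowMethodList: {method}")
    max_age = cors.get("maxAge", 3600)
    if isinstance(max_age, bool) or not isinstance(max_age, int):
        problems.append("maxAge must be an integer number of seconds")

    if body.get("deploy", False) and not body.get("deployTargetEnvironmentNameList"):
        problems.append("deployTargetEnvironmentNameList is required when deploy is true")
    return problems


# Constructed sample bodies (not taken from a real deployment).
BAD_BODY = {
    "corsSettings": {"corsActive": True, "allowOriginList": ["*"],
                     "allowMethodList": ["GET", "FETCH"], "allowCredentials": True},
    "deploy": True,
}
GOOD_BODY = {
    "corsSettings": {"name": "CORS Settings", "corsActive": True,
                     "allowOriginList": ["https://app.example.com"],
                     "allowMethodList": ["GET", "POST"],
                     "allowCredentials": "true", "maxAge": 7200},
}

if __name__ == "__main__":
    for problem in lint_cors_request(BAD_BODY):
        print("REJECT:", problem)
    print("good body problems:", lint_cors_request(GOOD_BODY))
```

Running the lint in CI before any request with deploy set to true keeps a wildcard-with-credentials body from reaching a target environment.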

Permissions

User must have API_MANAGEMENT + MANAGE permission in the project.