Documentation Index
Fetch the complete documentation index at: https://docs.apinizer.com/llms.txt
Use this file to discover all available pages before exploring further.
Endpoint
PATCH /apiops/projects/{projectName}/apiProxies/{apiProxyName}/settings/cors/
Authentication
Requires a Personal API Access Token.
Authorization: Bearer YOUR_TOKEN
Request
| Header | Value | Required |
|---|
| Authorization | Bearer | Yes |
| Content-Type | application/json | Yes |
Path Parameters
| Parameter | Type | Required | Description |
|---|
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |
Request Body
Full JSON Body Example
{
"corsSettings": {
"name": "CORS Settings",
"description": "CORS configuration for API",
"corsActive": true,
"allowOriginList": ["*"],
"allowMethodList": ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"],
"allowHeaderList": ["*"],
"exposeHeaderList": ["X-Custom-Header"],
"allowCredentials": "true",
"maxAge": 3600
},
"deploy": false,
"deployTargetEnvironmentNameList": []
}
Request Body Fields
| Field | Type | Required | Default | Description |
|---|
| corsSettings | object | Yes | - | CORS settings object (see fields below) |
| deploy | boolean | No | false | If true, deploy the API proxy after saving changes |
| deployTargetEnvironmentNameList | array[string] | No | - | List of environment names to deploy to (required when deploy=true) |
| Field | Type | Required | Default | Description |
|---|
| name | string | Yes | - | CORS settings name |
| description | string | No | - | CORS settings description |
| corsActive | boolean | No | false | Enable/disable CORS |
| allowOriginList | array | No | [] | List of allowed origins (use ["*"] for all origins) |
| allowMethodList | array | No | [] | List of allowed HTTP methods |
| allowHeaderList | array | No | [] | List of allowed headers (use ["*"] for all headers) |
| exposeHeaderList | array | No | [] | List of headers exposed to client |
| allowCredentials | string | No | ”false” | Allow credentials ("true" or "false") |
| maxAge | integer | No | 3600 | Max age for preflight requests in seconds |
EnumHttpRequestMethod
GET - GET methodPOST - POST methodPUT - PUT methodDELETE - DELETE methodPATCH - PATCH methodOPTIONS - OPTIONS methodHEAD - HEAD methodTRACE - TRACE methodALL - All methods
Note
allowOriginList can contain "*" to allow all origins, but this cannot be used with allowCredentials: "true"allowHeaderList can contain "*" to allow all headersallowCredentials must be a string ("true" or "false"), not a boolean
Response
Success Response (200 OK)
When deploy=true is specified:
{
"success": true,
"deploymentResult": {
"success": true,
"deploymentResults": [
{
"environmentName": "production",
"success": true,
"message": "Deployment successful"
}
]
}
}
Response Fields
| Field | Type | Description |
|---|
| success | boolean | Indicates if the request was successful |
| deploymentResult | object | Deployment result (only present when deploy=true) |
| deploymentResult.success | boolean | Overall deployment success |
| deploymentResult.deploymentResults | array | Individual environment deployment results |
Error Response (400 Bad Request)
{
"error": "bad_request",
"error_description": "Invalid CORS settings"
}
Error Response (401 Unauthorized)
{
"error": "unauthorized_client",
"error_description": "Invalid token"
}
Error Response (404 Not Found)
{
"error": "not_found",
"error_description": "ApiProxy (name: MyAPI) was not found!"
}
cURL Example
Example 1: Enable CORS for All Origins
curl -X PATCH \
"https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/settings/cors/" \
-H "Authorization: Bearer YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"corsSettings": {
"name": "CORS Settings",
"corsActive": true,
"allowOriginList": ["*"],
"allowMethodList": ["GET", "POST", "PUT", "DELETE"],
"allowHeaderList": ["*"],
"allowCredentials": "false",
"maxAge": 3600
}
}'
Example 2: Enable CORS for Specific Origins
curl -X PATCH \
"https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/settings/cors/" \
-H "Authorization: Bearer YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"corsSettings": {
"name": "CORS Settings",
"corsActive": true,
"allowOriginList": [
"https://example.com",
"https://app.example.com"
],
"allowMethodList": ["GET", "POST"],
"allowHeaderList": ["Content-Type", "Authorization"],
"exposeHeaderList": ["X-Custom-Header"],
"allowCredentials": "true",
"maxAge": 7200
}
}'
Example 3: Save and Deploy
curl -X PATCH \
"https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/settings/cors/" \
-H "Authorization: Bearer YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"corsSettings": {
"corsActive": true,
"allowOriginList": ["*"],
"allowMethodList": ["GET", "POST"],
"allowHeaderList": ["*"],
"allowCredentials": "false",
"maxAge": 3600
},
"deploy": true,
"deployTargetEnvironmentNameList": ["production"]
}'
Notes and Warnings
- Wildcard Origin: Using
"*" in allowOriginList allows all origins but cannot be used with allowCredentials: "true"
- Credentials: When
allowCredentials is "true", you must specify exact origins (no wildcard)
- Preflight Requests: The
maxAge value determines how long browsers cache preflight OPTIONS requests
- Headers: Use
["*"] in allowHeaderList to allow all headers, or specify exact header names
- Exposed Headers: Headers in
exposeHeaderList are accessible to client-side JavaScript
- Deploy: When
deploy=true, the API proxy is automatically deployed to the specified environments after saving
Permissions
User must have API_MANAGEMENT + MANAGE permission in the project.
