
Endpoint

PATCH /apiops/projects/{projectName}/apiProxies/{apiProxyName}/settings/cors/

Authentication

Requires a Personal API Access Token.
Authorization: Bearer YOUR_TOKEN

Request

Headers

| Header | Value | Required |
|---|---|---|
| Authorization | Bearer | Yes |
| Content-Type | application/json | Yes |

Path Parameters

| Parameter | Type | Required | Description |
|---|---|---|---|
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |

Request Body

Full JSON Body Example

{
  "name": "CORS Settings",
  "description": "CORS configuration for API",
  "corsActive": true,
  "allowOriginList": ["*"],
  "allowMethodList": ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"],
  "allowHeaderList": ["*"],
  "exposeHeaderList": ["X-Custom-Header"],
  "allowCredentials": "false",
  "maxAge": 3600
}

Request Body Fields

| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| name | string | Yes | - | CORS settings name |
| description | string | No | - | CORS settings description |
| corsActive | boolean | No | false | Enable/disable CORS |
| allowOriginList | array | No | [] | List of allowed origins (use ["*"] for all origins) |
| allowMethodList | array | No | [] | List of allowed HTTP methods |
| allowHeaderList | array | No | [] | List of allowed headers (use ["*"] for all headers) |
| exposeHeaderList | array | No | [] | List of headers exposed to client |
| allowCredentials | string | No | "false" | Allow credentials ("true" or "false") |
| maxAge | integer | No | 3600 | Max age for preflight requests in seconds |

EnumHttpRequestMethod

  • GET - GET method
  • POST - POST method
  • PUT - PUT method
  • DELETE - DELETE method
  • PATCH - PATCH method
  • OPTIONS - OPTIONS method
  • HEAD - HEAD method
  • TRACE - TRACE method
  • ALL - All methods

Note

  • allowOriginList can contain "*" to allow all origins, but this cannot be used with allowCredentials: "true"
  • allowHeaderList can contain "*" to allow all headers
  • allowCredentials must be a string ("true" or "false"), not a boolean

Response

Success Response (200 OK)

{
  "success": true
}

Response Fields

| Field | Type | Description |
|---|---|---|
| success | boolean | Indicates if the request was successful |

Error Response (400 Bad Request)

{
  "error": "bad_request",
  "error_description": "Invalid CORS settings"
}

Error Response (401 Unauthorized)

{
  "error": "unauthorized_client",
  "error_description": "Invalid token"
}

Error Response (404 Not Found)

{
  "error": "not_found",
  "error_description": "ApiProxy (name: MyAPI) was not found!"
}

cURL Example

Example 1: Enable CORS for All Origins

curl -X PATCH \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/settings/cors/" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "CORS Settings",
    "corsActive": true,
    "allowOriginList": ["*"],
    "allowMethodList": ["GET", "POST", "PUT", "DELETE"],
    "allowHeaderList": ["*"],
    "allowCredentials": "false",
    "maxAge": 3600
  }'

Example 2: Enable CORS for Specific Origins

curl -X PATCH \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/settings/cors/" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "CORS Settings",
    "corsActive": true,
    "allowOriginList": [
      "https://example.com",
      "https://app.example.com"
    ],
    "allowMethodList": ["GET", "POST"],
    "allowHeaderList": ["Content-Type", "Authorization"],
    "exposeHeaderList": ["X-Custom-Header"],
    "allowCredentials": "true",
    "maxAge": 7200
  }'

Notes and Warnings

  • Wildcard Origin: Using "*" in allowOriginList allows all origins but cannot be used with allowCredentials: "true"
  • Credentials: When allowCredentials is "true", you must specify exact origins (no wildcard)
  • Preflight Requests: The maxAge value determines how long, in seconds, browsers cache the result of a preflight OPTIONS request
  • Headers: Use ["*"] in allowHeaderList to allow all headers, or specify exact header names
  • Exposed Headers: Headers in exposeHeaderList are accessible to client-side JavaScript
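
A pre-submit check for the request body, given here as an added example and not Apinizer's own code. The function name `lint_cors_settings` and its messages are hypothetical; the rules it enforces are the field types, the EnumHttpRequestMethod values and the wildcard/credentials restriction stated on this page.

```python
# Added example: lint a CORS settings body against the rules stated on this page.
# lint_cors_settings and its messages are hypothetical, not part of the Apinizer API.
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE", "PATCH",
                   "OPTIONS", "HEAD", "TRACE", "ALL"}  # EnumHttpRequestMethod
LIST_FIELDS = ("allowOriginList", "allowMethodList",
               "allowHeaderList", "exposeHeaderList")


def lint_cors_settings(body):
    """Return a list of problems; an empty list means the body passed."""
    problems = []
    if not isinstance(body.get("name"), str) or not body["name"]:
        problems.append("name is required and must be a string")
    if not isinstance(body.get("corsActive", False), bool):
        problems.append("corsActive must be a boolean")
    for field in LIST_FIELDS:
        value = body.get(field, [])
        if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
            problems.append(f"{field} must be an array of strings")
            body = {**body, field: []}  # skip content checks for this field
    creds = body.get("allowCredentials", "false")
    if not isinstance(creds, str) or creds not in ("true", "false"):
        problems.append('allowCredentials must be the string "true" or "false"')
    if creds == "true" and "*" in body.get("allowOriginList", []):
        problems.append('"*" in allowOriginList cannot be used with allowCredentials "true"')
    for method in body.get("allowMethodList", []):
        if method not in ALLOWED_METHODS:
            problems.append(f"allowMethodList: {method!r} is not in EnumHttpRequestMethod")
    max_age = body.get("maxAge", 3600)
    if isinstance(max_age, bool) or not isinstance(max_age, int):
        problems.append("maxAge must be an integer number of seconds")
    return problems


if __name__ == "__main__":
    # Constructed samples: wildcard origin with credentials, and a boolean
    # where the API expects the string "true"/"false".
    risky = {"name": "CORS Settings", "corsActive": True,
             "allowOriginList": ["*"], "allowCredentials": "true"}
    wrong_type = {"name": "CORS Settings", "allowCredentials": True}
    for sample in (risky, wrong_type):
        print(lint_cors_settings(sample))
```

Running the check in a deployment pipeline before the PATCH call catches a wildcard-plus-credentials body locally instead of relying on the 400 response.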

Permissions

User must have API_MANAGEMENT + MANAGE permission in the project.