Update CORS Settings

Endpoint

PATCH /apiops/projects/{projectName}/apiProxies/{apiProxyName}/settings/cors/

Authentication

Requires a Personal API Access Token.

Authorization: Bearer YOUR_TOKEN

Request

Headers

| Header | Value | Required |
|---|---|---|
| Authorization | Bearer {token} | Yes |
| Content-Type | application/json | Yes |

Path Parameters

| Parameter | Type | Required | Description |
|---|---|---|---|
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |

Request Body

Full JSON Body Example

{
  "corsSettings": {
    "name": "CORS Settings",
    "description": "CORS configuration for API",
    "corsActive": true,
    "allowOriginList": ["https://example.com"],
    "allowMethodList": ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"],
    "allowHeaderList": ["*"],
    "exposeHeaderList": ["X-Custom-Header"],
    "allowCredentials": "true",
    "maxAge": 3600
  },
  "deploy": false,
  "deployTargetEnvironmentNameList": []
}

Request Body Fields

| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| corsSettings | object | Yes | - | CORS settings object (see fields below) |
| deploy | boolean | No | false | If true, deploy the API proxy after saving changes |
| deployTargetEnvironmentNameList | array[string] | No | - | List of environment names to deploy to (required when deploy=true) |

corsSettings Fields

| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| name | string | Yes | - | CORS settings name |
| description | string | No | - | CORS settings description |
| corsActive | boolean | No | false | Enable/disable CORS |
| allowOriginList | array | No | [] | List of allowed origins (use ["*"] for all origins) |
| allowMethodList | array | No | [] | List of allowed HTTP methods |
| allowHeaderList | array | No | [] | List of allowed headers (use ["*"] for all headers) |
| exposeHeaderList | array | No | [] | List of headers exposed to client |
| allowCredentials | string | No | "false" | Allow credentials ("true" or "false") |
| maxAge | integer | No | 3600 | Max age for preflight requests in seconds |

EnumHttpRequestMethod

  • GET - GET method
  • POST - POST method
  • PUT - PUT method
  • DELETE - DELETE method
  • PATCH - PATCH method
  • OPTIONS - OPTIONS method
  • HEAD - HEAD method
  • TRACE - TRACE method
  • ALL - All methods

Note

  • allowOriginList can contain "*" to allow all origins, but this cannot be used with allowCredentials: "true"
  • allowHeaderList can contain "*" to allow all headers
  • allowCredentials must be a string ("true" or "false"), not a boolean

Response

Success Response (200 OK)

{
  "success": true
}

When deploy=true is specified:

{
  "success": true,
  "deploymentResult": {
    "success": true,
    "deploymentResults": [
      {
        "environmentName": "production",
        "success": true,
        "message": "Deployment successful"
      }
    ]
  }
}

Response Fields

| Field | Type | Description |
|---|---|---|
| success | boolean | Indicates if the request was successful |
| deploymentResult | object | Deployment result (only present when deploy=true) |
| deploymentResult.success | boolean | Overall deployment success |
| deploymentResult.deploymentResults | array | Individual environment deployment results |

Error Response (400 Bad Request)

{
  "error": "bad_request",
  "error_description": "Invalid CORS settings"
}

Error Response (401 Unauthorized)

{
  "error": "unauthorized_client",
  "error_description": "Invalid token"
}

Error Response (404 Not Found)

{
  "error": "not_found",
  "error_description": "ApiProxy (name: MyAPI) was not found!"
}

cURL Example

Example 1: Enable CORS for All Origins

curl -X PATCH \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/settings/cors/" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "corsSettings": {
      "name": "CORS Settings",
      "corsActive": true,
      "allowOriginList": ["*"],
      "allowMethodList": ["GET", "POST", "PUT", "DELETE"],
      "allowHeaderList": ["*"],
      "allowCredentials": "false",
      "maxAge": 3600
    }
  }'

Example 2: Enable CORS for Specific Origins

curl -X PATCH \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/settings/cors/" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "corsSettings": {
      "name": "CORS Settings",
      "corsActive": true,
      "allowOriginList": [
        "https://example.com",
        "https://app.example.com"
      ],
      "allowMethodList": ["GET", "POST"],
      "allowHeaderList": ["Content-Type", "Authorization"],
      "exposeHeaderList": ["X-Custom-Header"],
      "allowCredentials": "true",
      "maxAge": 7200
    }
  }'

Example 3: Save and Deploy

curl -X PATCH \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/settings/cors/" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "corsSettings": {
      "name": "CORS Settings",
      "corsActive": true,
      "allowOriginList": ["*"],
      "allowMethodList": ["GET", "POST"],
      "allowHeaderList": ["*"],
      "allowCredentials": "false",
      "maxAge": 3600
    },
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"]
  }'

Notes and Warnings

  • Wildcard Origin: Using "*" in allowOriginList allows all origins but cannot be used with allowCredentials: "true"
  • Credentials: When allowCredentials is "true", you must specify exact origins (no wildcard)
  • Preflight Requests: The maxAge value determines how long (in seconds) browsers cache the result of a preflight OPTIONS request
  • Headers: Use ["*"] in allowHeaderList to allow all headers, or specify exact header names
  • Exposed Headers: Headers in exposeHeaderList are accessible to client-side JavaScript
  • Deploy: When deploy=true, the API proxy is automatically deployed to the specified environments after saving
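
The constraints in the field tables and notes can be checked before a request is sent, for example in a CI step that gates changes with deploy=true. The following is an added example, not part of the Apinizer documentation or API; the function name lint_cors_request, the finding strings and the sample bodies are illustrative assumptions.

```python
# Added example: client-side lint for an Update CORS Settings request body.
# Rules are taken from the field tables and notes on this page; the function
# name and finding strings are illustrative, not part of the Apinizer API.
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE", "PATCH",
                   "OPTIONS", "HEAD", "TRACE", "ALL"}


def lint_cors_request(body):
    """Return a list of findings; an empty list means the body passed."""
    cors = body.get("corsSettings")
    if not isinstance(cors, dict):
        return ["corsSettings is required and must be an object"]
    findings = []
    if not isinstance(cors.get("name"), str) or not cors["name"].strip():
        findings.append("corsSettings.name is required")
    creds = cors.get("allowCredentials", "false")
    if creds not in ("true", "false"):
        # A JSON boolean fails here: the page requires the string form.
        findings.append('allowCredentials must be the string "true" or "false"')
    # Also flag a boolean true, so the conflict is not hidden by the type error.
    if "*" in (cors.get("allowOriginList") or []) and creds in ("true", True):
        findings.append('wildcard origin cannot be combined with allowCredentials "true"')

    unknown = sorted(set(cors.get("allowMethodList") or []) - ALLOWED_METHODS)
    if unknown:
        findings.append("unknown HTTP methods: " + ", ".join(unknown))
    max_age = cors.get("maxAge", 3600)
    if isinstance(max_age, bool) or not isinstance(max_age, int):
        findings.append("maxAge must be an integer (seconds)")

    if body.get("deploy") is True and not body.get("deployTargetEnvironmentNameList"):
        findings.append("deploy=true requires deployTargetEnvironmentNameList")
    return findings


# Constructed sample bodies (not taken from a real project).
RISKY = {"corsSettings": {"name": "CORS Settings", "corsActive": True,
                          "allowOriginList": ["*"],
                          "allowMethodList": ["GET", "FETCH"],
                          "allowCredentials": True}, "deploy": True}
SAFE = {"corsSettings": {"name": "CORS Settings", "corsActive": True,
                         "allowOriginList": ["https://app.example.com"],
                         "allowMethodList": ["GET", "POST"],
                         "allowCredentials": "true", "maxAge": 7200},
        "deploy": True, "deployTargetEnvironmentNameList": ["production"]}

if __name__ == "__main__":
    for label, sample in (("risky", RISKY), ("safe", SAFE)):
        print(label, lint_cors_request(sample))
```

The lint only mirrors the rules stated on this page; the server remains the authority and may still return 400 Bad Request for other reasons.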

Permissions

User must have API_MANAGEMENT + MANAGE permission in the project.