Enabling CORS support for an API

You can enable cross-origin resource sharing (CORS) support for your API. CORS allows embedded scripts in a web page to call the API across domain boundaries.

About this task

You can complete this task by using either the API Designer UI application or the browser-based API Manager UI.


To enable CORS support for an API, complete the following steps:

  1. In the navigation pane, click Develop, then select the APIs tab.
  2. To enable CORS support for an existing API, click the API that you want to work with.

    To create a new API before enabling CORS, see Creating an API definition.

  3. Select API Setup. Scroll to the Lifecycle section, and select CORS.
  4. Click Save to save your changes.
  5. Optional: To implement your own CORS solution using custom OPTIONS operations, complete the following steps:
    1. Add the following headers to your HTTP responses:
      Access-Control-Allow-Origin: https://<portalhostname>
      Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept 
      Where <portalhostname> is your Developer Portal host name.
    2. Optional: You can proxy your API through API Connect as an enforced invoke API so that CORS is handled automatically.
    • If you implement your own CORS solution, you must disable the CORS option described in step 3.
    • CORS preflight requests are sent by using the HTTP OPTIONS method. Therefore, if you require these requests to be handled by the API Connect gateway, you must enable the OPTIONS method for all APIs that will handle preflight requests; see Defining Paths for a REST API.
    • OPTIONS requests are counted as API calls against any configured rate limit. Note that you can apply rate limits to individual operations; see Defining rate limits for an API operation.
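
One way to implement the custom OPTIONS handling from step 5, as an added example that is not IBM's code: it returns the two headers listed above only when the request's Origin is exactly the Developer Portal origin, and rejects preflights that ask for anything outside the allowlist. The names `PORTAL_ORIGIN`, `ALLOWED_METHODS`, `tokens` and `corsDecision`, the placeholder host, the 403/204 status choices and the extra `Access-Control-Allow-Methods` and `Vary` headers are assumptions of this example.

```javascript
// Added example. PORTAL_ORIGIN stands in for https://<portalhostname>;
// ALLOWED_METHODS is an assumption about which operations the API exposes.
const PORTAL_ORIGIN = "https://portal.example.com"; // constructed placeholder
const ALLOWED_HEADERS = ["Origin", "X-Requested-With", "Content-Type", "Accept"];
const ALLOWED_METHODS = ["GET", "POST", "OPTIONS"];

// Split a comma-separated header value into lower-cased tokens.
function tokens(value) {
  return (value || "").split(",").map((t) => t.trim().toLowerCase()).filter(Boolean);
}

// Decide the CORS part of a response. `headers` uses lower-case names.
// status === null means "not a preflight: run the operation and merge headers".
function corsDecision(method, headers) {
  const result = { status: null, headers: { Vary: "Origin" } };
  const origin = headers["origin"];
  const isPreflight = method === "OPTIONS" && origin !== undefined &&
    headers["access-control-request-method"] !== undefined;

  // Exact string match only: no wildcard, no suffix or substring test, and
  // never echo back an Origin that is not on the allowlist.
  if (origin !== PORTAL_ORIGIN) {
    if (isPreflight) result.status = 403;
    return result;
  }
  result.headers["Access-Control-Allow-Origin"] = PORTAL_ORIGIN;
  if (!isPreflight) return result;

  const allowedHeaders = ALLOWED_HEADERS.map((h) => h.toLowerCase());
  const methodOk = ALLOWED_METHODS.includes(headers["access-control-request-method"]);
  const headersOk = tokens(headers["access-control-request-headers"])
    .every((h) => allowedHeaders.includes(h));
  if (!methodOk || !headersOk) {
    delete result.headers["Access-Control-Allow-Origin"];
    result.status = 403; // any non-2xx status makes the browser fail the preflight
    return result;
  }
  result.status = 204;
  result.headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
  result.headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
  return result;
}

// Constructed sample requests: a valid preflight, then a lookalike origin.
console.log(corsDecision("OPTIONS", { origin: PORTAL_ORIGIN,
  "access-control-request-method": "POST",
  "access-control-request-headers": "content-type, accept" }));
console.log(corsDecision("GET", { origin: "https://portal.example.com.lookalike.example" }));
```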