Enabling cross-origin requests to the IBM Streams REST API

If you add an origin to the IBM® Streams trusted origin list, you can make cross-origin requests to the REST API from that origin.

About this task

Web browsers typically restrict scripts from accessing data with a different origin than the page that contains the script. This restriction, which is known as the same-origin policy, prevents you from directly accessing the IBM Streams REST API from a script. The REST API supports cross-origin resource sharing (CORS), which provides a mechanism for the browser and server to determine whether to allow cross-origin requests.


  1. Verify that your browser supports CORS. Most modern browsers support CORS; however, you might need to upgrade to the latest browser version to get this support.
  2. Add the originator of script REST API calls to the list of trusted origins. You can do this by using the REST API, JMX API or the Management Dashboard of the Streams Console.

    The origin specifies the scheme, host, and port from which requests originate. It must be a case-sensitive match for the HTTP Origin header value that the browser adds on the cross-origin request, for example: http://myserver.com:8080

  3. Add the IBM Streams certificate to the web browser. Use your web browser's interface to trust the self-signed certificate that is provided by IBM Streams.
  4. Determine the method to authenticate the IBM Streams user. If the instance is configured to use client authentication and the client certificate contains an IBM Streams user name, no further configuration is necessary. The user is authenticated when the certificate is verified.

    Otherwise, either HTTP basic or bearer authentication is used and you must set the withCredentials attribute of the XMLHttpRequest object to true for user credentials to be included on the cross-origin request. If your browser supports prompting for credentials with CORS requests, you can supply credentials this way. Alternatively, you can supply the credentials or bearer token directly in the HTTP Authorization request header.

What to do next

You can now make REST API calls from a script that that runs from the trusted origin that you configured.