Allowlist hosts and paths, enforce CORS, per-minute quotas, security policy, and daily p95 latency — one dashboard. Self-hostable.

CORS · RATE LIMIT · ANALYTICS

CorsAPI — Secure API access from the browser

Stop wiring CORS middleware into every microservice — configure once in the panel.

Documentation
Proxy request
    GET /proxy?url=https://api.example.com/v1/resource
    X-CorsAPI-Key: YOUR_PROJECT_KEY
    Origin: https://yourapp.com

Successful responses include quota and rate-limit hints in headers.

  • CORS solved
  • Quotas & p95
  • Self-hosted

Built for production teams

p95 latency

Daily latency samples so you can spot upstream regressions early.

Per-minute quotas

429 when exceeded — protect upstream APIs and your budget.

Your infrastructure

Account and project data stay in the database you host — not ours.

How it works

A secure browser-to-API path in three steps: define your project, send your key — CORS, quotas, and security apply automatically on every request.

  • Origin and allowed upstream host/path limits in the panel
  • Authenticate with X-CorsAPI-Key or Bearer
  • Policy: CORS preflight and quotas from one place

  1. Create a project

    Define browser origins and allowed upstream hosts and path prefixes.

  2. Send your API key

    Use X-CorsAPI-Key or Authorization: Bearer from the browser or server.

  3. Proxy with policy

    CORS, quotas, and security rules apply automatically to every request.

Everything you need to ship safely

One control plane for browser traffic: allowlists, observability, and guardrails.

CORS + proxy

Origin allowlists and OPTIONS preflight handled for you — no ad-hoc headers in upstream services.

Host & path

Only defined upstream hosts and path prefixes are reachable — never an open relay.

p95 & quotas

Daily requests, 4xx/5xx, and latency samples in one place.

Security policy

IP allowlists, method and body limits, and header filters from the dashboard.

Email verification

SMTP verification on sign-up and password reset flows.

Privacy-friendly

Data export and account deletion in settings — built for GDPR-style workflows.

Why not call the API directly from the browser?

Direct browser calls

CORS often blocks cross-origin requests; putting secrets in the client is unsafe; you get no central observability.

Through CorsAPI

Explicit allowlists, API keys at the edge, per-route quotas, and latency insight — without exposing upstream credentials to users.

Frequently asked questions

Is it free to use?

Yes. Register, create projects, and use the proxy for free. Shared free-tier caps apply (see docs and GET /api/plan/limits).

It’s not an open proxy, right?

Traffic only goes to host and path rules you define; it is not a random open relay.

Where do I use my API key?

Send it with X-CorsAPI-Key or Authorization: Bearer. See the docs for a curl example.

Where is my data?

Account and project data live in your self-hosted database. Data export and account deletion are available in settings.

Does it support teams?

Yes. Organizations let you collaborate; projects attach to your workspace with roles for owners, admins, and members.

Is there an OpenAPI / Swagger UI?

The backend exposes OpenAPI. Swagger UI is off by default in production; enable it with SWAGGER_ENABLED when you are ready.