
MongoDB Atlas Data API: browser access, CORS rules in JSON, and least-privilege API keys

Atlas lets you list allowed origins for the Data API; treat it like a public surface even with IP access lists.


Aggregation pipelines

Heavy pipelines triggered from browsers can exhaust quotas; prefer server-side functions for complex joins.

Log slow queries separately from CORS denials to avoid misdiagnosis.
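
One way to enforce the point about heavy browser-triggered pipelines, as an added example that is not from the original post or from Atlas: a gate run server-side before a browser-submitted pipeline is forwarded. The function name, stage lists and limits are assumptions.

```javascript
// Added example: gate for aggregation pipelines submitted by browser clients.
// Stage lists and budgets below are assumptions; tune them to your workload.
const JOIN_STAGES = new Set(["$lookup", "$graphLookup", "$unionWith"]);
const WRITE_STAGES = new Set(["$out", "$merge"]);
const NESTING_STAGES = new Set(["$facet"]); // can hide sub-pipelines
const MAX_STAGES = 6;   // assumed stage budget per browser request
const MAX_LIMIT = 100;  // assumed cap on returned documents

function checkBrowserPipeline(pipeline) {
  if (!Array.isArray(pipeline)) {
    return { ok: false, reasons: ["pipeline must be an array"] };
  }
  const reasons = [];
  if (pipeline.length > MAX_STAGES) reasons.push(`more than ${MAX_STAGES} stages`);

  let sawLimit = false;
  pipeline.forEach((stage, i) => {
    const keys = stage && typeof stage === "object" ? Object.keys(stage) : [];
    if (keys.length !== 1) {
      reasons.push(`stage ${i}: expected exactly one operator`);
      return;
    }
    const op = keys[0];
    if (JOIN_STAGES.has(op)) reasons.push(`stage ${i}: ${op} belongs in a server-side function`);
    else if (WRITE_STAGES.has(op)) reasons.push(`stage ${i}: ${op} writes data`);
    else if (NESTING_STAGES.has(op)) reasons.push(`stage ${i}: ${op} nests sub-pipelines`);
    else if (op === "$limit") {
      sawLimit = true;
      const n = stage.$limit;
      if (!(Number.isInteger(n) && n > 0 && n <= MAX_LIMIT)) {
        reasons.push(`stage ${i}: $limit must be 1..${MAX_LIMIT}`);
      }
    }
  });
  if (!sawLimit) reasons.push(`missing $limit <= ${MAX_LIMIT}`);
  return { ok: reasons.length === 0, reasons };
}

// Constructed sample inputs.
const listing = [{ $match: { status: "open" } }, { $sort: { createdAt: -1 } }, { $limit: 20 }];
const joined = [{ $match: { status: "open" } },
  { $lookup: { from: "users", localField: "owner", foreignField: "_id", as: "owner" } }];

console.log(checkBrowserPipeline(listing));
console.log(checkBrowserPipeline(joined));
```

Returning the rejection reasons as structured data also lets them be logged under their own category, separate from slow queries and CORS denials.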

Compliance

Atlas encryption at rest does not remove your obligation to keep PII out of URLs, which can still end up in logs of requests blocked by CORS.

Regional clusters may affect data residency promises—document which regions serve browser clients.
