Reference

CORS and allowed origins

Browser-callable endpoints answer CORS preflight, but the actual request is still checked against the allowed origins stored in the database.

Publishable keys

Publishable-key requests must carry an Origin header whose value is an allowed origin. Add exact origins in the dashboard, including scheme and port.

Secret keys

Secret-key calls are server-to-server and should not be made from browsers. Origin checks do not make secret keys browser-safe.

Preflight

OPTIONS preflight should succeed for candidate origins, so that the browser goes on to send the actual request and gets a clear error from it when the origin is not authorized.
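
The split between preflight and the actual request for publishable keys, as an added sketch that is not the service's own code. Function names, status codes, the error body and the sample origins are assumptions; sending CORS headers on the rejection so the calling page can read it is also an assumption.

```javascript
// Added example: names, status codes and the error body are assumptions.
// Canonicalise a dashboard entry to scheme://host[:port]; null if not a bare origin.
function canonicalOrigin(entry) {
  let url;
  try { url = new URL(entry); } catch { return null; }
  if (url.origin === "null" || url.pathname !== "/" || url.search || url.hash) return null;
  if (url.username || url.password) return null;
  return url.origin; // default ports (:443, :80) are dropped by the URL parser
}

// Constructed allow-list standing in for the DB-stored origins.
const ALLOWED = new Set(
  ["https://app.example.com:443/", "http://localhost:3000"].map(canonicalOrigin)
);

function corsHeaders(origin, extra = {}) {
  if (!origin) return {};
  return { "Access-Control-Allow-Origin": origin, "Vary": "Origin", ...extra };
}

// req: { method, headers } with lower-cased header names (as Node provides them).
function handlePublishable(req, allowed = ALLOWED) {
  const origin = req.headers["origin"];
  if (req.method === "OPTIONS") {
    // Preflight succeeds for any candidate origin; no allow-list lookup yet.
    return { status: 204, headers: corsHeaders(origin, {
      "Access-Control-Allow-Methods": req.headers["access-control-request-method"] || "GET",
      "Access-Control-Allow-Headers": req.headers["access-control-request-headers"] || "",
    }) };
  }
  // Actual request: exact string match on the Origin header, scheme and port included.
  if (!origin || !allowed.has(origin)) {
    // CORS headers are still sent so the calling page can read this error.
    return { status: 403, headers: corsHeaders(origin), body: { error: "origin_not_allowed" } };
  }
  return { status: 200, headers: corsHeaders(origin), body: { ok: true } };
}
```

Canonicalising entries when they are saved keeps the request-time check a plain set lookup against the Origin value the browser sends.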

Need rollout review?

Contact the team

Start in the dashboard, choose Script Tag or Server API, and use contact only when you need rollout review, enterprise coordination, or non-standard integration help. Billing beacon rules live in the API concepts guide.