Reference
CORS and allowed origins
Browser-callable endpoints answer CORS preflight permissively, but the actual request is still checked against the allowed origins stored in the database.
Publishable keys
Requests made with a publishable key must carry an Origin header that matches an allowed origin. Add exact origins in the dashboard, including scheme and port.
Secret keys
Secret-key calls are server-to-server and should not be made from browsers. Origin checks do not make secret keys browser-safe.
Preflight
The OPTIONS preflight should succeed for any candidate origin, so that the browser goes on to send the actual request and receives a clear error on that request when the origin is not authorized.
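The policy described in the sections above (permissive preflight, exact-match origin enforcement on the actual request for publishable keys, no origin-based protection for secret keys), as an added example that is not the service's own code. The allowed-origin set is constructed sample data standing in for the dashboard/DB entries, and `method`, `origin` and `keyKind` are assumed to have been parsed from the incoming request already.

```javascript
// Constructed sample of the allowed origins stored via the dashboard.
// Entries are exact strings: scheme, host and port must all match.
const allowedOrigins = new Set([
  "https://app.example.com",   // constructed value
  "http://localhost:3000",     // port is part of the origin
]);

// Decide how to answer one request. keyKind is "publishable" or "secret".
function corsDecision({ method, origin, keyKind }) {
  // Preflight: echo any candidate origin so the browser proceeds to the
  // actual request, where an unauthorized origin gets a clear 403.
  if (method === "OPTIONS") {
    const headers = {
      "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
      "Access-Control-Allow-Headers": "Authorization, Content-Type",
    };
    if (origin !== undefined) {
      headers["Access-Control-Allow-Origin"] = origin;
      headers["Vary"] = "Origin";
    }
    return { status: 204, headers };
  }

  // Secret keys: the allowlist is not what protects them, so it is not
  // applied. A browser Origin on a secret-key call suggests the key has
  // been shipped to a client and is worth flagging in logs.
  if (keyKind === "secret") {
    const result = { status: 200, headers: {} };
    if (origin !== undefined) {
      result.warning = `secret key used from browser origin ${origin}`;
    }
    return result;
  }

  // Publishable keys: Origin is mandatory and must match exactly.
  if (origin === undefined) {
    return { status: 403, error: "Origin header required for publishable keys" };
  }
  if (!allowedOrigins.has(origin)) {
    return { status: 403, error: `origin ${origin} is not an allowed origin` };
  }
  return {
    status: 200,
    headers: { "Access-Control-Allow-Origin": origin, Vary: "Origin" },
  };
}
```

Note that a preflight that succeeds carries no authorization of its own; only the actual request's origin check decides whether the publishable key may be used.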
Need rollout review?
Start with the Server API. Use contact only when you need rollout review, enterprise coordination, or non-standard integration help.