CORS errors

Security measure: We do not allow calling Veryfi APIs from the Web since it can expose your API Keys

Updated over a year ago

CORS policy: Cross-Origin Resource Sharing (CORS) is a mechanism that allows one domain to access resources residing on other domains.

The CORS message is not really an error but a security measure that protects the client from a potential security breach when communicating across domains. In other words, we do not allow calling Veryfi APIs from the Web since it can expose your API Keys. We recommend calling Veryfi APIs from the backend, where API Keys are protected and not exposed.

Error sample:

Access to fetch at 'https://api.veryfi.com/api/v8/partner/documents/' from origin 'http://your ip address' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Cross-Origin Resource Sharing (CORS) is a standard that allows a server to relax the same-origin policy. This is used to explicitly allow some cross-origin requests while rejecting others. For example, if a site offers an embeddable service, it may be necessary to relax certain restrictions. Setting up such a CORS configuration isn't necessarily easy and may present some challenges.

If the CORS configuration isn't set up correctly, the browser console will present an error like "Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at $somesite", indicating that the request was blocked for violating the CORS security rules. This might not necessarily be a set-up mistake, though. It's possible that the request is in fact intentionally being disallowed by the user's web application and remote external service.
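The backend pattern recommended above, as an added example for Node.js 18+ (not Veryfi's code): the browser posts to a route on your own server, which attaches the credentials from server-side configuration and relays the call. The environment variable names, the `/api/documents` route and the allowed origin are hypothetical, and the `CLIENT-ID` / `AUTHORIZATION` header scheme is an assumption to check against your Veryfi API documentation.

```javascript
// Added example, not Veryfi's code. Hypothetical names: the env vars, the
// /api/documents route and ALLOWED_ORIGINS. Check the CLIENT-ID / AUTHORIZATION
// header scheme against your Veryfi API documentation.
const VERYFI_URL = "https://api.veryfi.com/api/v8/partner/documents/"; // from the error sample
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // your own front end

// Only the request body comes from the browser; credentials come from server config.
function buildUpstreamRequest(body, env) {
  for (const name of ["VERYFI_CLIENT_ID", "VERYFI_USERNAME", "VERYFI_API_KEY"]) {
    if (!env[name]) throw new Error(`missing server-side setting ${name}`);
  }
  return {
    url: VERYFI_URL,
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      "CLIENT-ID": env.VERYFI_CLIENT_ID,
      "AUTHORIZATION": `apikey ${env.VERYFI_USERNAME}:${env.VERYFI_API_KEY}`,
    },
    body,
  };
}

// CORS headers for your own backend: echo the origin only when it is allowlisted.
function corsHeadersFor(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return { "Access-Control-Allow-Origin": origin, "Vary": "Origin",
           "Access-Control-Allow-Methods": "POST", "Access-Control-Allow-Headers": "Content-Type" };
}

async function startProxy(port) {
  const http = await import("node:http");
  http.createServer(async (req, res) => {
    const cors = corsHeadersFor(req.headers.origin);
    if (!cors["Access-Control-Allow-Origin"] || req.url !== "/api/documents") return res.writeHead(403).end();
    if (req.method === "OPTIONS") return res.writeHead(204, cors).end(); // preflight
    if (req.method !== "POST") return res.writeHead(405, cors).end();
    try {
      let body = "";
      for await (const chunk of req) body += chunk;
      const up = buildUpstreamRequest(body, process.env);
      const r = await fetch(up.url, { method: up.method, headers: up.headers, body: up.body });
      res.writeHead(r.status, { ...cors, "Content-Type": "application/json" }).end(await r.text());
    } catch (err) {
      res.writeHead(502, cors).end(); // no error detail (or key material) goes to the browser
    }
  }).listen(port);
}
if (process.env.START_PROXY === "1") startProxy(8080);
```

Start it with `START_PROXY=1` and the three credential variables set in the server's environment; the front end then calls `/api/documents` on your server instead of `api.veryfi.com`.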