Browsers are first-class clients of the SDK. CORS is configured to make that work without proxy hacks.

What’s allowed

| Origin policy | Value |
| --- | --- |
| Access-Control-Allow-Origin | * (or echoed origin, depending on endpoint) |
| Access-Control-Allow-Methods | GET, POST, OPTIONS |
| Access-Control-Allow-Headers | Authorization, Content-Type, x-api-key |
| Access-Control-Max-Age | 3600 (preflight cache) |

All public catalog and search endpoints accept cross-origin requests from any browser context.

What’s restricted

  • Stream URLs returned by Acquire*Stream may be restricted by origin or referrer at the CDN layer to satisfy DRM and licensing terms. Treat the URL as opaque — your media element handles the request, not your fetch logic.
  • OAuth /v1/auth/authorize is a top-level browser navigation, not a CORS request. Don’t try to load it via fetch.
  • OAuth /v1/auth/token accepts cross-origin POSTs but will reject requests with mismatched redirect_uri / client_id regardless of origin.

Preflight

POST with Content-Type: application/json triggers a CORS preflight (OPTIONS). The server responds with the headers above; preflights are cached for an hour. If you see your client doing an OPTIONS before every call, your fetch/axios setup is bypassing browser caching — fix the cache, don’t try to disable preflight.

Static discovery assets

The discovery surface — /api/anghami-sdk.openapi.yaml, /.well-known/llms.txt, /.well-known/oauth-authorization-server — serves Access-Control-Allow-Origin: * and is cacheable (public, max-age=3600). Safe to fetch from any browser context.

Common gotchas

  • Credentials mode. Don’t set credentials: "include" on cross-origin fetches unless you also expect cookies — the API uses headers (Authorization, x-api-key), not cookies, so credentials: "omit" is the right default.
  • Headers outside the allowed list. Only Authorization, Content-Type, and x-api-key are allowed in CORS-bound requests. Any other custom header will fail preflight.
  • API keys in the browser. Don’t put API keys in browser apps — they are server-to-server credentials. Use OAuth + PKCE on the browser side.
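
The preflight rules and gotchas above can be checked before a request ships. The following is an added example, not code from the SDK: `lintCorsRequest` is a hypothetical helper that takes a fetch-style init object, predicts whether the browser will send a preflight, and reports anything that conflicts with the policy table on this page. The safelists follow the Fetch specification in simplified form.

```javascript
// Added example. Policy values are copied from the table on this page.
const ALLOWED_METHODS = new Set(["GET", "POST", "OPTIONS"]);
const ALLOWED_HEADERS = new Set(["authorization", "content-type", "x-api-key"]);

// Fetch-spec safelists (simplified: value-length and Range rules are omitted).
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Hypothetical helper: lint a fetch() init object before it ships.
function lintCorsRequest({ method = "GET", headers = {}, credentials = "same-origin" } = {}) {
  const verb = method.toUpperCase();
  const problems = [];
  let preflight = !SIMPLE_METHODS.has(verb);
  if (preflight && !ALLOWED_METHODS.has(verb)) {
    problems.push(`method ${verb} is not in Access-Control-Allow-Methods`);
  }
  for (const [name, value] of Object.entries(headers)) {
    const header = name.toLowerCase();
    if (SIMPLE_HEADERS.has(header)) continue;
    if (header === "content-type") {
      // Only the three form/text MIME types avoid a preflight; JSON does not.
      const mime = String(value).split(";")[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mime)) preflight = true;
      continue;
    }
    preflight = true; // every other author-set header needs preflight approval
    if (!ALLOWED_HEADERS.has(header)) {
      problems.push(`header ${name} is not in Access-Control-Allow-Headers`);
    } else if (header === "x-api-key") {
      problems.push("x-api-key is a server-to-server credential; use OAuth + PKCE in the browser");
    }
  }
  if (credentials === "include") {
    // Browsers reject credentialed responses that carry Access-Control-Allow-Origin: *.
    problems.push('credentials: "include" is not needed; auth is header-based, use "omit"');
  }
  return { preflight, problems };
}

// Constructed sample call: JSON POST with a bearer token (placeholder value).
const sample = lintCorsRequest({
  method: "POST",
  headers: { "Content-Type": "application/json", Authorization: "Bearer <token>" },
  credentials: "omit",
});
console.log(sample);
```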