# CORS

> CORS posture for the public API and what's allowed from the browser.

Browsers are first-class clients of the SDK. CORS is configured to make that work without proxy hacks.

## What's allowed

| Response header                | Value                                         |
| ------------------------------ | --------------------------------------------- |
| `Access-Control-Allow-Origin`  | `*` (or echoed origin, depending on endpoint) |
| `Access-Control-Allow-Methods` | `GET, POST, OPTIONS`                          |
| `Access-Control-Allow-Headers` | `Authorization, Content-Type, x-api-key`      |
| `Access-Control-Max-Age`       | `3600` (preflight cache)                      |

All public catalog and search endpoints accept cross-origin requests from any browser context.

## What's restricted

* **Stream URLs** returned by `Acquire*Stream` may be restricted by origin or referrer at the CDN layer to satisfy DRM and licensing terms. Treat the URL as opaque — your media element handles the request, not your fetch logic.
* **OAuth `/v1/auth/authorize`** is a top-level browser navigation, not a CORS request. Don't try to load it via `fetch`.
* **OAuth `/v1/auth/token`** accepts cross-origin POSTs but will reject requests with mismatched `redirect_uri` / `client_id` regardless of origin.

## Preflight

`POST` with `Content-Type: application/json` triggers a CORS preflight (`OPTIONS`). The server responds with the headers above, and the browser caches the preflight result for an hour (`Access-Control-Max-Age: 3600`). If you see your client doing an `OPTIONS` before every call, your fetch/axios setup is bypassing browser caching; fix the cache, don't try to disable preflight.

## Static discovery assets

The discovery surface — [`/api/anghami-sdk.openapi.yaml`](/api/anghami-sdk.openapi.yaml), [`/.well-known/llms.txt`](/.well-known/llms.txt), `/.well-known/oauth-authorization-server` — serves `Access-Control-Allow-Origin: *` and is cacheable (`public, max-age=3600`). Safe to fetch from any browser context.

## Common gotchas

* **Credentials mode.** Don't set `credentials: "include"` on cross-origin fetches unless you also expect cookies — the API uses headers (`Authorization`, `x-api-key`), not cookies, so `credentials: "omit"` is the right default.
* **Custom headers outside the allowed list.** Only `Authorization`, `Content-Type`, and `x-api-key` are allowed in CORS-bound requests. Any other custom header will fail preflight.
* **API keys in the browser.** Don't put API keys in browser apps — they are server-to-server credentials. Use OAuth + PKCE on the browser side.
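A pre-send check that encodes the policy from the table above and the gotchas in this list, so a browser client can tell before calling `fetch` whether a request will pass preflight and why not if it won't. This is an added example, not code from the Anghami SDK; the policy constants are copied from this page, and the safelisted-header rules come from the Fetch standard.

```javascript
// Added example (not Anghami's code): a pre-send check that models the CORS
// policy documented on this page and reports why a request would fail preflight.
const ANGHAMI_CORS = {
  allowMethods: ["GET", "POST", "OPTIONS"],                     // Access-Control-Allow-Methods
  allowHeaders: ["authorization", "content-type", "x-api-key"], // Access-Control-Allow-Headers
  maxAgeSeconds: 3600,                                          // Access-Control-Max-Age
};

// Per the Fetch standard, these request headers never trigger a preflight on
// their own, and Content-Type only avoids one for these three MIME types.
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// True if the browser will send an OPTIONS preflight before this request.
function needsPreflight(method, headers) {
  if (!["GET", "HEAD", "POST"].includes(method.toUpperCase())) return true;
  return Object.entries(headers).some(([name, value]) => {
    const n = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(n)) return true;
    return n === "content-type" && !SAFE_CONTENT_TYPES.has(value.split(";")[0].trim().toLowerCase());
  });
}

// Checks a planned fetch against the documented policy. Returns { ok, preflight, problems }.
function checkRequest({ method, headers = {}, credentials = "omit" }) {
  const problems = [];
  const m = method.toUpperCase();
  if (!ANGHAMI_CORS.allowMethods.includes(m)) {
    problems.push(`method ${m} is not in Access-Control-Allow-Methods`);
  }
  for (const name of Object.keys(headers)) {
    const n = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(n) && !ANGHAMI_CORS.allowHeaders.includes(n)) {
      problems.push(`header ${name} is not in Access-Control-Allow-Headers; preflight will fail`);
    }
    if (n === "x-api-key") {
      problems.push("x-api-key is a server-to-server credential; use OAuth + PKCE in the browser");
    }
  }
  if (credentials === "include") {
    problems.push('credentials "include" is not needed (the API uses headers, not cookies); use "omit"');
  }
  return { ok: problems.length === 0, preflight: needsPreflight(method, headers), problems };
}

// Usage: the shape a catalog call from the browser should take (placeholder token).
console.log(checkRequest({
  method: "POST",
  headers: { Authorization: "Bearer <access-token>", "Content-Type": "application/json" },
}));
```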
