Cross-Origin Resource Sharing (CORS)
Cross-Origin Resource Sharing (CORS) is an HTTP-based mechanism that lets a server specify which other origins (domains, schemes, or ports) can load its resources.
By default, a browser blocks requests from an app running on a different origin than the server. To allow access, the
server must either permit all origins (using *) or explicitly allow the app's origin.
You can find more in-depth information about CORS here.
CORS in Showpad
Showpad enforces a strict policy for cross-origin requests, where only requests originating from your authorized Showpad customer domain are permitted. As a result, the following behavior applies to the request:
GET https://{{subdomain}}.showpad.biz/api/v4/users
| Allowed | Blocked |
|---|---|
https://{{subdomain}}.showpad.biz | https://{{other-cust}}.showpad.com |
https://{{subdomain}}.showpad.com | https://customer-app.com |
Additional Origins
If the default Showpad policy is too restrictive for your needs and you need to call the Showpad API from a browser app running on a non-Showpad domain, please contact Showpad support. They can assist you in adding additional origins to the allow-list for your Showpad instance.
Please specify the following in your request:
| Required Information | Format |
|---|---|
| your Showpad instance | {{subdomain}}.showpad.biz |
| the origin you want to allow | https://{{app domain}}(:<port>) |