Feature Guide: White-Label CORS System (Database-Driven)
1. Overview
The White-Label CORS System protects your platform by controlling which external domains can make browser-based cross-origin requests to your API endpoints. This database-driven approach lets administrators manage cross-origin requests without deploying code, preventing unauthorized API access while enabling legitimate integrations. You maintain security and flexibility as your venture scales and partners with new platforms.
2. Step-by-Step Guide
Note: This is a backend security feature managed by platform administrators. Most founders interact with it indirectly through API integrations.
For Platform Administrators:
- Access the admin configuration panel - Navigate to your database management interface or admin dashboard where CORS rules are stored.
- Add a new origin - Create a new CORS rule entry by specifying the domain that needs API access (e.g., https://partner-platform.com).
- Configure allowed methods - Define which HTTP methods (GET, POST, PUT, DELETE) the origin can use with your API endpoints.
- Set allowed headers - Specify which request headers the origin can include when calling your APIs.
- Define credential policies - Choose whether the origin can send cookies or authorization headers with requests.
- Test the configuration - Make a test API call from the specified origin to verify CORS headers are correctly applied.
- Monitor API access - Use analytics endpoints to track cross-origin requests and identify unauthorized access attempts.
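The rule fields configured in the steps above (origin, methods, headers, credentials), evaluated against a browser preflight request. This is an added example, not the platform's own code; the cors_rules table, its columns and the function names are assumptions, and it covers exact-origin rules only.

```python
import sqlite3

# Hypothetical schema; the page does not show the platform's real table.
SCHEMA = """CREATE TABLE cors_rules (
    origin TEXT PRIMARY KEY,      -- exact scheme://host[:port]
    methods TEXT NOT NULL,        -- comma-separated HTTP methods
    headers TEXT NOT NULL,        -- comma-separated, lowercase request headers
    allow_credentials INTEGER NOT NULL DEFAULT 0)"""

def open_rules_db():
    """In-memory database holding one constructed rule for the page's sample partner."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.execute("INSERT INTO cors_rules VALUES (?, ?, ?, ?)",
               ("https://partner-platform.com", "GET,POST",
                "content-type,authorization", 1))
    return db

def preflight_headers(db, origin, method, requested_headers):
    """Return the CORS response headers for a preflight, or {} to deny it."""
    # Parameterized lookup on every request, so a saved rule change is live at once.
    row = db.execute("SELECT methods, headers, allow_credentials FROM cors_rules "
                     "WHERE origin = ?", (origin,)).fetchone()
    if row is None:
        return {}  # unknown origin: send no CORS headers, the browser blocks the call
    methods = row[0].split(",")
    allowed = set(row[1].split(","))
    wanted = {h.strip().lower() for h in requested_headers.split(",") if h.strip()}
    if method.upper() not in methods or not wanted <= allowed:
        return {}
    out = {
        "Access-Control-Allow-Origin": origin,  # echo the matched origin, never "*"
        "Access-Control-Allow-Methods": ", ".join(methods),
        "Access-Control-Allow-Headers": ", ".join(sorted(allowed)),
        "Vary": "Origin",  # keeps caches from reusing one origin's answer for another
    }
    if row[2]:
        # Browsers ignore this header when Allow-Origin is "*", hence the echo above.
        out["Access-Control-Allow-Credentials"] = "true"
    return out
```

An origin stored as https does not match the same host over http, which is why the protocol has to be entered exactly as the browser sends it.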
For Founders Using Integrated Tools:
- Connect your tool - When integrating third-party platforms (like analytics tools or CRM systems), provide your API domain.
- Verify connection - The system automatically validates CORS settings when external tools attempt to connect.
- Check integration status - If the connection fails, contact support to ensure the external domain is whitelisted in the CORS configuration.
3. Common Questions
Q: Why would my API integration fail with a CORS error?
A: The external platform’s domain isn’t whitelisted in the CORS system. This security measure blocks unauthorized access. Contact your administrator to add the domain to the allowed origins list.
Q: Can I whitelist multiple subdomains at once?
A: Yes. Configure wildcard patterns (like *.partner-platform.com) in your CORS rules to allow all subdomains under a parent domain. This simplifies management for partners with multiple environments.
Q: How does this affect my mobile app integrations?
A: Mobile apps don’t face CORS restrictions since they make direct API calls, not browser-based requests. CORS only applies to web applications making cross-origin requests from browsers.
Q: What happens if I remove an origin from the whitelist?
A: All API requests from that domain immediately fail with CORS errors. Remove origins carefully and notify integration partners before making changes to avoid service disruptions.
Q: How quickly do CORS configuration changes take effect?
A: Changes apply immediately since the system reads from the database on each request. No deployment or cache clearing required - updates are live as soon as you save them.
4. Troubleshooting
Issue: External integration reports “CORS policy blocked” errors
Solution: Verify the external domain is added to your CORS whitelist with the correct protocol (https vs http). Check that allowed methods include the HTTP verbs your integration uses. Test with browser developer tools to see the exact origin being blocked.
Issue: Wildcard domain patterns aren’t working as expected
Solution: Confirm your wildcard syntax matches your database schema requirements. Some configurations require explicit wildcard notation (like *.domain.com), while others may need individual subdomain entries. Review your CORS rule documentation.
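One way to evaluate a wildcard rule such as *.partner-platform.com, as raised in Common Questions and in the wildcard troubleshooting item above. This is an added example, not the platform's own code; the scheme://*.parent rule syntax and the origin_matches name are assumptions, and the sample origins in the comments are constructed.

```python
from urllib.parse import urlsplit

def origin_matches(rule, origin):
    """True if `origin` (an Origin header value) satisfies `rule`.

    `rule` is an exact origin or scheme://*.parent-domain (assumed syntax).
    """
    r, o = urlsplit(rule), urlsplit(origin)
    # An Origin is scheme://host[:port] only: reject "null", paths and userinfo.
    if not o.scheme or not o.hostname or o.path or o.query or "@" in o.netloc:
        return False
    try:
        o_port, r_port = o.port, r.port
    except ValueError:  # non-numeric or out-of-range port
        return False
    if o.scheme != r.scheme or o_port != r_port:
        return False  # an https rule never matches an http origin
    rule_host, host = r.hostname or "", o.hostname
    if not rule_host.startswith("*."):
        return host == rule_host
    parent = rule_host[2:]
    # Compare against "." + parent so the match falls on a label boundary:
    # staging.partner-platform.com matches, notpartner-platform.com does not.
    # The bare parent domain is not a subdomain and needs its own exact rule.
    return host.endswith("." + parent) and len(host) > len(parent) + 1
```

A plain suffix or substring comparison would also accept hosts that merely end in or contain the parent name, so the comparison is made on the parsed hostname rather than on the raw header string.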
Issue: API calls work from Postman but fail from the browser
Solution: Postman doesn’t enforce CORS policies, but browsers do. This indicates a CORS configuration issue, not an API problem. Add your web application’s domain to the whitelist and ensure preflight OPTIONS requests are handled correctly.
Issue: Credentials aren’t being sent with cross-origin requests
Solution: Enable the “credentials allowed” flag for the specific origin in your CORS configuration. Both the server CORS settings and client request must specify credentials support - coordinate with your integration partner to include credentials: 'include' in their API calls.
5. Related Features
API Analytics Dashboard (/api/v1/analytics/dashboard) - Monitor which origins are making API requests, track failed CORS attempts, and identify unauthorized access patterns. Use this data to refine your CORS whitelist and improve security posture.
Developer Dashboard (/developerdashboard) - Manage API keys and review integration documentation. When onboarding new external tools, reference this dashboard to understand which endpoints require CORS configuration and how to test connectivity.
Webhook Management (/api/v1/webhook/*) - Configure webhooks that work alongside your CORS rules. While webhooks push data to external systems (server-to-server), CORS controls browser-based pulls. Together, they enable secure bidirectional integrations with partner platforms.