Feature 056: White-Label CORS System (Database-Driven)

1. Overview

The White-Label CORS System lets you control which domains can access your Fiftyknots API endpoints. You manage approved domains through a database-driven interface - no code deployments required. This matters when you integrate Fiftyknots into your own branded tools or need to grant API access to specific partners while maintaining security.

2. Step-by-Step Guide

Note: This feature operates at the platform level. Configuration requires admin access or assistance from the Fiftyknots team.
  1. Access the CORS configuration - Contact your Fiftyknots account manager or access the admin panel if you have elevated permissions. The system stores allowed origins in the platform database.
  2. Add a new origin - Submit your domain (e.g., https://yourbrand.com) for CORS approval. The system validates the format and checks for duplicates.
  3. Configure origin settings - Specify whether the origin should support credentials (cookies, authorization headers) and which HTTP methods it can use (GET, POST, PUT, DELETE, etc.).
  4. Test the integration - Make a test API call from your approved domain. The platform checks the database in real-time and returns appropriate CORS headers if your origin is approved.
  5. Monitor and update - View active origins in your configuration panel. Add new domains or remove outdated ones as your integration needs change. Updates take effect immediately without redeploying the API.

3. Common Questions

Q: How quickly do CORS changes take effect?
A: Immediately. The system checks the database on every request, so approved domains work within seconds of configuration. No cache clearing or service restarts required.
Q: Can I whitelist localhost for development?
A: Yes. Add http://localhost:3000 (or your dev port) as an approved origin. This lets your local development environment call Fiftyknots APIs while you build your integration.
Q: What happens if I call from an unapproved domain?
A: The API returns a CORS error, and your browser blocks the response. The request never reaches the endpoint logic - the security check happens first. You’ll see the error in your browser console.
Q: Can I use wildcards for subdomains?
A: The system supports specific origins only by default. If you need *.yourdomain.com access, contact your account manager to discuss your use case. Broad wildcards create security risks.
Q: Do all API endpoints respect CORS rules?
A: Yes. The CORS check applies platform-wide before any endpoint logic runs. Whether you’re accessing /api/v1/dashboard/overview or /api/v1/job/, the same origin validation occurs.

4. Troubleshooting

Issue: “CORS policy blocked” error in browser console
Solution: Verify your domain exactly matches the approved origin in the system. https://app.yourdomain.com differs from https://yourdomain.com. Check for trailing slashes, www prefixes, and port numbers.
Issue: Requests work in Postman but fail from your web app
Solution: This is expected CORS behavior. Postman doesn’t enforce CORS - browsers do. Add your web app’s domain to the approved origins list to fix browser-based requests.
Issue: OPTIONS preflight requests failing
Solution: Ensure your approved origin includes the specific methods your app uses. If you’re sending PUT or DELETE requests, verify those methods are enabled for your origin. POST and GET work by default.
Issue: Credentials (cookies) not being sent
Solution: Two things are required: your origin must be configured to support credentials in the CORS system, and your client code must set credentials: 'include' in fetch requests or withCredentials: true in axios.
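The exact-match, per-origin method and credentials checks described above, sketched as an added example that is not Fiftyknots code. The in-memory Map stands in for the origins table, and the schema, function names and sample origins are assumptions.

```javascript
// Added example: the Map stands in for the platform's origins table.
// Schema, function names and sample origins are assumptions, not Fiftyknots code.
const allowedOrigins = new Map([
  ["https://yourbrand.com", { credentials: true, methods: ["GET", "POST", "PUT"] }],
  ["http://localhost:3000", { credentials: false, methods: ["GET", "POST"] }],
]);

// Reduce a value to scheme://host[:port]; reject anything that is not a bare origin.
function normalizeOrigin(value) {
  let url;
  try { url = new URL(value); } catch { return null; }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  if (url.pathname !== "/" || url.search || url.hash || url.username || url.password) return null;
  return url.origin; // lowercases the host, drops default ports and a trailing slash
}

// Decide the CORS response headers for one request; null means "not approved".
function corsHeaders(originHeader, method, requestedMethod) {
  const origin = normalizeOrigin(originHeader || "");
  const entry = origin ? allowedOrigins.get(origin) : undefined; // exact match, no wildcards
  if (!entry) return null;
  // A preflight asks about the method the real request will use.
  const isPreflight = method === "OPTIONS" && Boolean(requestedMethod);
  const wanted = (isPreflight ? requestedMethod : method).toUpperCase();
  if (!entry.methods.includes(wanted)) return null;
  const headers = { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
  if (entry.credentials) headers["Access-Control-Allow-Credentials"] = "true";
  if (isPreflight) headers["Access-Control-Allow-Methods"] = entry.methods.join(", ");
  return headers;
}

// Constructed requests: [Origin, method, Access-Control-Request-Method]
const samples = [
  ["https://yourbrand.com", "GET"],
  ["https://www.yourbrand.com", "GET"],         // www prefix: different origin
  ["https://yourbrand.com:8443", "GET"],        // port: different origin
  ["https://yourbrand.com", "OPTIONS", "PUT"],
  ["https://yourbrand.com", "OPTIONS", "DELETE"], // method not enabled for this origin
];
for (const [o, m, r] of samples) {
  console.log(o, m, r || "-", "=>", corsHeaders(o, m, r) ? "allowed" : "blocked");
}
```

`Vary: Origin` is set because the allowed-origin header differs per caller, so a shared cache must not reuse one caller's response for another.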
Developer Dashboard - After configuring CORS access, use the Developer Dashboard (/developerdashboard) to monitor API usage from your approved domains, track error rates, and analyze performance metrics.

Developer Analytics - Track how your white-labeled integration performs with Developer Analytics (/developeranalytics). See which endpoints your approved domains call most frequently and identify optimization opportunities.

API Authentication (Session Management) - CORS controls where requests come from, but you still need proper authentication. Review the session endpoints (/api/v1/auth/session, /api/v1/auth/sessions) to understand how authentication works with your approved origins.