Cross-Origin Resource Sharing (CORS) is a security measure implemented by all modern browsers that help keeps your navigation secure by preventing attack vectors like Cross-Site Scripting. The Orbit API adheres to the CORS mechanism by only allowing API calls originating from a restricted number of domains.

In practice, this means that you cannot make browser-based API calls from a Single-Page Application. Calling the Orbit API from your React (or Vue, or Angular…) components using client-side fetch or any other client-side JavaScript API library will fail and raise a standard CORS error in your browser’s console.

You can work around this restriction by making your client-side API call into a server-side one:

  • If your Single-Page Application works on top of a dedicated backend, you can implement the Orbit API call in that backend;
  • If your Single-Page Application has no dedicated backend (à la Jamstack), you can leverage Netlify Functions, Vercel Serverless Functions, AWS Lambdas, or similar services to move the API call to the server.