# API CORS Preflight and Browser Agent Requests
Status: public
Confidence: medium (0.725) (verified)
Last verified: 2026-06-02
Generation: ai_structured


## TL;DR

CORS and preflight behavior explain why a browser-based agent may fail to call an API that works from curl or a server.

## Core Explanation

Agents running in a browser inherit browser security rules. A request with custom headers, credentials, or non-simple methods can require a preflight exchange before the actual request. If the server or edge function does not answer the preflight with the right headers, the browser blocks the call.

The agent should inspect the request origin, credentials mode, method, headers, OPTIONS response, and CORS response headers. A CORS failure is often a policy mismatch, not an API authentication failure.

## Source-Mapped Facts

- MDN documentation describes CORS as using HTTP headers to let a server indicate which origins are permitted to load resources. ([source](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS))
- MDN Fetch API documentation describes credentials in fetch requests and CORS interaction. ([source](https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch))
- Cloudflare Workers documentation provides an example of adding CORS headers to responses. ([source](https://developers.cloudflare.com/workers/examples/cors-header-proxy/))

## Further Reading

- [MDN CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS)
- [MDN Using Fetch](https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch)
- [Cloudflare Workers CORS Headers](https://developers.cloudflare.com/workers/examples/cors-header-proxy/)