
CORS

CORS (Cross-Origin Resource Sharing) is a browser rule: a page on yourapp.com can only call <project>.ichibase.net if the server says that origin is allowed. ichibase is default-deny: you add your web app's origins in the dashboard before the browser will let calls through.

Who needs this

  • Web apps (React, Next.js client components, Vue, plain browser JS) — yes. Until you allow-list the origin, every cross-origin request is blocked by the browser.
  • Native apps (React Native, Flutter, servers, scripts, cURL) — no. CORS is a browser-only concept; these are unaffected and work immediately.

Allowing your origins

Open Project → Settings → CORS and add one origin per line. An origin is scheme://host[:port] with no path or trailing slash. Add your dev origin yourself — localhost is not added automatically.

https://yourapp.com
https://www.yourapp.com
https://*.vercel.app        # wildcard: matches one label (preview deploys)
http://localhost:5173       # your dev server
*                           # a single "*" line = allow all origins

A * in an origin stands in for exactly one DNS label or a port number, so https://*.vercel.app and http://localhost:* work. A line that is just * allows every origin.

What happens under the hood

Your SDK code doesn't change — CORS is invisible to it. When a browser makes a cross-origin request with a custom header (like Authorization), it first sends a preflight OPTIONS. If the origin is on your list, the edge answers with the matching Access-Control-Allow-Origin header and the real request proceeds; if not, no such header is sent and the browser blocks it. Allowed responses are cached for a day so the preflight doesn't repeat on every call.
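To make the allow-list rules above concrete (one label or one port per *, a bare * line allows everything, no paths or trailing slashes) and the preflight answer they drive, here is an added example that models the edge's decision in Node.js. It is not ichibase's code: the function names, the set of allowed methods and headers, the 86400-second max-age used to represent "cached for a day", and the convention of ignoring text after # in an allow-list line are all this example's own choices.

```javascript
// Added example, not ichibase's own implementation: a model of how an edge
// evaluates an ichibase-style CORS allow-list and answers a preflight.
// Rules taken from the docs above:
//   - an origin is scheme://host[:port], with no path and no trailing slash
//   - a "*" inside an origin matches exactly one DNS label or a port number
//   - a line that is just "*" allows every origin

// Parse "scheme://host[:port]" into parts; returns null for anything else
// (paths, trailing slashes, query strings, missing scheme).
function parseOrigin(origin) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:?#\s]+)(?::([0-9]+|\*))?$/i.exec(origin);
  if (!m) return null;
  return { scheme: m[1].toLowerCase(), host: m[2].toLowerCase(), port: m[3] ?? null };
}

// Label-by-label host comparison: same number of labels, and a "*" label in
// the pattern stands in for exactly one non-empty label in the request.
function hostMatches(patternHost, host) {
  const p = patternHost.split(".");
  const h = host.split(".");
  if (p.length !== h.length) return false;
  return p.every((label, i) => (label === "*" ? h[i].length > 0 : label === h[i]));
}

// Port comparison: a pattern without a port only matches a request without
// one; "*" matches any explicit port; otherwise the numbers must be equal
// (assumption: default ports are not normalised, matching is literal).
function portMatches(patternPort, port) {
  if (patternPort === null) return port === null;
  if (patternPort === "*") return port !== null;
  return patternPort === port;
}

// allowList is the dashboard content as an array of lines. Text after "#"
// is dropped so the documented listing can be pasted in as-is (example
// convention, not necessarily the dashboard's).
function isOriginAllowed(origin, allowList) {
  if (typeof origin !== "string" || origin.includes("*")) return false;
  const req = parseOrigin(origin);
  if (!req) return false;
  for (const line of allowList) {
    const entry = line.split("#")[0].trim();
    if (entry === "") continue;
    if (entry === "*") return true; // bare "*" line: allow all origins
    const pat = parseOrigin(entry);
    if (!pat) continue; // malformed line: ignore rather than match
    if (pat.scheme !== req.scheme) continue;
    if (!hostMatches(pat.host, req.host)) continue;
    if (!portMatches(pat.port, req.port)) continue;
    return true;
  }
  return false;
}

// Model of the preflight answer. originHeader is the request's Origin header,
// or undefined for callers that send none (curl, servers, scripts): they get
// no CORS headers at all, and the edge does not refuse them on CORS grounds.
// A browser origin that is not allow-listed also gets no
// Access-Control-Allow-Origin, which is what makes the browser block it.
function preflightHeaders(originHeader, allowList) {
  if (originHeader === undefined) return {};
  if (!isOriginAllowed(originHeader, allowList)) return {};
  return {
    "Access-Control-Allow-Origin": originHeader, // echo the matched origin, not "*"
    "Vary": "Origin",                            // caches must key on Origin
    "Access-Control-Allow-Methods": "GET, POST, PUT, PATCH, DELETE, OPTIONS", // assumed set
    "Access-Control-Allow-Headers": "Authorization, Content-Type",           // assumed set
    "Access-Control-Max-Age": "86400",           // one day, i.e. "cached for a day"
  };
}

// Constructed sample allow-list (the one from the docs plus a port wildcard).
const SAMPLE_ALLOW_LIST = [
  "https://yourapp.com",
  "https://www.yourapp.com",
  "https://*.vercel.app        # wildcard: matches one label (preview deploys)",
  "http://localhost:5173       # your dev server",
  "http://localhost:*",
];

module.exports = { parseOrigin, isOriginAllowed, preflightHeaders, SAMPLE_ALLOW_LIST };
```

Two details worth noticing: https://a.b.vercel.app is rejected because the wildcard covers one label only, and https://yourapp.com/ (trailing slash) never matches because it is not a valid origin at all, which is the most common reason a correctly typed host still fails.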

CORS is hygiene, not security. It only constrains real browsers — scripts, servers, and curl send no Origin header and bypass it entirely. So an allow-list can't protect your data from a determined caller (the anon key is public anyway). Your real protection is Row-Level Security / Mongo policies, rate limits, and keeping the secret key off the client.