CORS issues when trying out API in swagger UI.

When trying out an API (either in admin portal or in developer portal) you may encounter CORS issues. First of all, you should make sure that your API (either in your backend or via gateway policies) handles CORS correctly and allows calls from our frontend.

In addition, we have noticed another, more subtle problem: If your OpenAPI document is configured to pass the api-key as a query parameter everything should work. But if your OpenAPI document is configured to pass the api-key inside a header, you may encounter unexpected CORS errors. This is most likely because the browser does not include the api-key header in the preflight requests (OPTIONS calls). The preflight requests will then fail, because the gateway rejects them as unauthorized and the browser reports a CORS error. The solution is to make sure that your gateway allows preflight requests even without api-keys. How excatly this is done, depends on your platform, but generally, you want to add some policy to pass through any OPTIONS requests without requiring an api-key.