Access to XMLHttpRequest has been blocked by CORS policy - 401 (Unauthorized)

Question

I'm using ShipStation API to create order, but getting error Access to XMLHttpRequest has blocked, The code provided below is generated on https://www.shipstation.com/developer-api/#/reference/orders/createupdate-order/create/update-order?console=1 so I'm using it on https://tampermonkey.net/ extension, the funcion is called on button click error screenshot

 (function () {
    'use strict';
    const $ = window.jQuery;
    $(document).ready(function () {

        const AUTHKEY = '112233'
        $("#send").on("click", sendRequest)


        const sendRequest = () => {
            var request = new XMLHttpRequest();

            request.open('POST', 'https://ssapi.shipstation.com/orders/createorder');

            request.setRequestHeader('Content-Type', 'application/json');
            request.setRequestHeader('Authorization', AUTHKEY);

            request.onreadystatechange = function () {
                if (this.readyState === 4) {
                    console.log('Status:', this.status);
                    console.log('Headers:', this.getAllResponseHeaders());
                    console.log('Body:', this.responseText);
                }
            };
            var body = { 'data is correct just deleted for now': '' };
            request.send(JSON.stringify(body));
        }
    });
})();

Is that endpoint meant to be consumed client side(ie through browser js) or server side? Some apis endpoints arent meant for client side as certain details need to be sent with the request like secret api keys which would be easily visible when used client side. If it is meant for client side check you are using the correct cors mode in the request per the error message — Patrick Evans, Apr 27 '19 at 01:34
Hi, yes I'm providing API Key and Secret key in 'Authorization' and that's what I want to know how to provide correct cors mode in the request — GU CODES, Apr 27 '19 at 10:18
You dont do that client side if you are needing to use a secret key. It means that you are meant to use that api on the server through whatever language you are using like curl with php — Patrick Evans, Apr 27 '19 at 11:29

score 0 · Answer 1 · answered Apr 27 '19 at 14:34

0

The API is not made for use in Clientside. make a callto your own backend and send it from there.

Its very dangerous to publish your APIKEY

answered Apr 27 '19 at 14:34

Nicolai Kamphenkel

427
4
11

Access to XMLHttpRequest has been blocked by CORS policy - 401 (Unauthorized)

1 Answers1