# Configure CORS for Agent Endpoints

Cross-Origin Resource Sharing (CORS) controls which browser origins, HTTP methods, and request headers are allowed to access a platform-hosted API agent endpoint. CORS configuration is applied at the gateway and takes effect on every deployment.

CORS is enabled by default for API agents. The default configuration allows all origins (`*`) with standard methods and headers, so most browser-based clients work without any changes.

## Prerequisites

* A platform-hosted API agent created in a project.

## Configure CORS During Deployment

1. Open the AMP Console and select your project.
2. Open the Internal agent you want to configure.
3. Click **Deploy**.
4. Click **Configure & Deploy** on the relevant environment card.
5. In the configuration drawer, scroll to **CORS Configuration**.
6. Verify that **Enable CORS** is turned on.
7. Click **Advanced** to expand the CORS settings.
8. Adjust the settings as needed (see the options below).
9. Deploy the agent.

CORS settings are applied each time you deploy. If you change the configuration later, redeploy the agent for the changes to take effect.

## CORS Settings

### Allow all origins

When checked, the gateway accepts requests from any origin by setting `Access-Control-Allow-Origin: *`. This is the default.

When unchecked, an **Allowed origins** field appears. Enter each origin as a full URL (e.g. `https://app.example.com`) and press **Enter** to add it as a tag. Only requests from listed origins receive CORS headers.

### Allow credentials

When checked, the gateway sets `Access-Control-Allow-Credentials: true`, which allows browsers to send cookies and authorization headers with cross-origin requests.

Warning: **Allow credentials** cannot be enabled when **Allow all origins** is checked. A wildcard origin with credentials is rejected by browsers and is blocked at deployment time. To use credentials, uncheck **Allow all origins** and list specific origins instead.

### Allowed methods

The HTTP methods the gateway will accept in cross-origin requests. Defaults to `GET`, `POST`, `PUT`, `DELETE`, `PATCH`, `OPTIONS`. Add or remove methods by typing a method name and pressing **Enter**, or clicking the `×` on an existing tag.

### Allowed headers

The request headers the gateway will accept in cross-origin requests. Defaults to `authorization`, `Content-Type`, `Origin`, `X-API-Key`. Add or remove headers the same way as methods.

## Disable CORS

To disable CORS entirely, turn off the **Enable CORS** toggle and redeploy. Preflight `OPTIONS` requests and cross-origin requests will no longer receive CORS headers.

## Test the CORS Configuration

After deploying, verify the CORS headers with a preflight request:

```
curl -i -X OPTIONS "<agent-invoke-url>" \
  -H "Origin: https://app.example.com" \
  -H "Access-Control-Request-Method: POST" \
  -H "Access-Control-Request-Headers: Content-Type"
```

A correctly configured endpoint returns headers such as:

```
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Access-Control-Allow-Headers: authorization, Content-Type, Origin, X-API-Key
```

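If you configured specific origins, `Access-Control-Allow-Origin` reflects the requested origin rather than `*`, provided that origin is in the allowed list. A request from an origin that is not listed receives no CORS headers.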
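
To script the check above for both listed and unlisted origins, the following shell functions classify a preflight response read on stdin. This is an added example, not part of the platform's documentation or tooling; the function names `hdr` and `cors_check` and the verdict words are assumptions made for this example.

```sh
#!/bin/sh
# Added example: classify the CORS headers of a preflight response read on stdin.
# Live use (the URL placeholder is the page's):
#   curl -si -X OPTIONS "<agent-invoke-url>" -H "Origin: $o" \
#     -H "Access-Control-Request-Method: POST" | cors_check "$o" POST

# hdr NAME: print the value of header NAME (case-insensitive), CR/LF-safe.
hdr() {
  awk -v want="$1" '
    BEGIN { want = tolower(want) ":" }
    { sub(/\r$/, "") }
    tolower(substr($0, 1, length(want))) == want {
      v = substr($0, length(want) + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", v)
      print v
      exit
    }'
}

# cors_check ORIGIN METHOD: print one verdict for the response on stdin.
#   none          no Access-Control-Allow-Origin (origin not listed, or CORS off)
#   invalid       wildcard origin combined with Allow-Credentials: true
#   mismatch      Allow-Origin names an origin other than the one requested
#   method-denied METHOD is absent from Access-Control-Allow-Methods
#   wildcard      any origin allowed (the default configuration)
#   reflected     the requested origin is echoed back (specific-origin mode)
cors_check() (
  origin=$1 method=$2 resp=$(cat)
  acao=$(printf '%s\n' "$resp" | hdr access-control-allow-origin)
  acac=$(printf '%s\n' "$resp" | hdr access-control-allow-credentials)
  acam=$(printf '%s\n' "$resp" | hdr access-control-allow-methods | tr -d ' ')
  if [ -z "$acao" ]; then echo none
  elif [ "$acao" = "*" ] && [ "$acac" = "true" ]; then echo invalid
  elif [ "$acao" != "*" ] && [ "$acao" != "$origin" ]; then echo mismatch
  else
    case ",$acam," in
      *",$method,"*) [ "$acao" = "*" ] && echo wildcard || echo reflected ;;
      *) echo method-denied ;;
    esac
  fi
)
```

With specific origins configured, expect `reflected` for each listed origin and `none` for an origin that is not on the list; with the default configuration, expect `wildcard`.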

## Notes

* CORS configuration applies to platform-hosted agents only.
* Changes to CORS settings require a redeployment to take effect.
