Configure CORS for Agent Endpoints
Cross-Origin Resource Sharing (CORS) controls which browser origins, HTTP methods, and request headers are allowed to access a platform-hosted API agent endpoint. CORS configuration is applied at the gateway and takes effect on every deployment.
CORS is enabled by default for API agents. The default configuration allows all origins (*) with standard methods and headers, so most browser-based clients work without any changes.
Prerequisites
- A platform-hosted API agent created in a project.
Configure CORS During Deployment
- Open the AMP Console and select your project.
- Open the Internal agent you want to configure.
- Click Deploy.
- Click Configure & Deploy on the relevant environment card.
- In the configuration drawer, scroll to CORS Configuration.
- Verify that Enable CORS is turned on.
- Click Advanced to expand the CORS settings.
- Adjust the settings as needed (see the options below).
- Deploy the agent.
CORS settings are applied each time you deploy. If you change the configuration later, redeploy the agent for the changes to take effect.
CORS Settings
Allow all origins
When checked, the gateway accepts requests from any origin by setting Access-Control-Allow-Origin: *. This is the default.
When unchecked, an Allowed origins field appears. Enter each origin as a full URL (e.g. https://app.example.com) and press Enter to add it as a tag. Only requests from listed origins receive CORS headers.
Allow credentials
When checked, the gateway sets Access-Control-Allow-Credentials: true, which allows browsers to send cookies and authorization headers with cross-origin requests.
Allow credentials cannot be enabled when Allow all origins is checked. A wildcard origin with credentials is rejected by browsers and is blocked at deployment time. To use credentials, uncheck Allow all origins and list specific origins instead.
Allowed methods
The HTTP methods the gateway will accept in cross-origin requests. Defaults to GET, POST, PUT, DELETE, PATCH, OPTIONS. Add or remove methods by typing a method name and pressing Enter, or clicking the × on an existing tag.
Allowed headers
The request headers the gateway will accept in cross-origin requests. Defaults to authorization, Content-Type, Origin, X-API-Key. Add or remove headers the same way as methods.
Disable CORS
To disable CORS entirely, turn off the Enable CORS toggle and redeploy. Responses to preflight OPTIONS requests and cross-origin requests will no longer carry CORS headers.
Test the CORS Configuration
After deploying, verify the CORS headers with a preflight request:
curl -i -X OPTIONS "<agent-invoke-url>" \
-H "Origin: https://app.example.com" \
-H "Access-Control-Request-Method: POST" \
-H "Access-Control-Request-Headers: Content-Type"
A correctly configured endpoint returns headers such as:
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Access-Control-Allow-Headers: authorization, Content-Type, Origin, X-API-Key
If you configured specific origins, Access-Control-Allow-Origin reflects the requested origin rather than *, provided that origin is in the Allowed origins list.
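As an added example (not part of the platform's own documentation), the following bash function audits the response to the preflight request above for both a listed and an unlisted origin. The names cors_audit and header_value are hypothetical; it assumes, per the settings described above, that unlisted origins receive no Access-Control-Allow-Origin header.

```bash
#!/usr/bin/env bash
# Added example: audit the raw response headers of a CORS preflight.
# Typical use, with the page's placeholder URL:
#   curl -si -X OPTIONS "<agent-invoke-url>" -H "Origin: https://app.example.com" \
#     -H "Access-Control-Request-Method: POST" | cors_audit https://app.example.com allowed

# header_value NAME: print the first value of header NAME (case-insensitive) from stdin.
header_value() {
  tr -d '\r' | awk -v name="$1" -F': *' '
    tolower($1) == tolower(name) { sub(/^[^:]*: */, ""); print; exit }'
}

# cors_audit ORIGIN EXPECT, where EXPECT is "allowed" or "denied" (hypothetical helper).
# Reads response headers on stdin, prints a verdict, returns 0 on PASS and 1 on FAIL.
cors_audit() {
  local origin="$1" expect="$2" raw acao acac
  raw="$(cat)"
  acao="$(printf '%s\n' "$raw" | header_value 'Access-Control-Allow-Origin')"
  acac="$(printf '%s\n' "$raw" | header_value 'Access-Control-Allow-Credentials')"

  # Wildcard plus credentials is rejected by browsers and should never be served.
  if [ "$acao" = "*" ] && [ "$acac" = "true" ]; then
    echo "FAIL: wildcard origin combined with credentials"; return 1
  fi
  case "$expect" in
    allowed)
      # Either the origin is reflected (specific list) or * is returned (allow all).
      if [ "$acao" = "$origin" ] || [ "$acao" = "*" ]; then
        echo "PASS: $origin allowed (ACAO=$acao)"; return 0
      fi
      echo "FAIL: $origin should be allowed, ACAO='$acao'"; return 1 ;;
    denied)
      # An unlisted origin must get no Access-Control-Allow-Origin header at all.
      if [ -z "$acao" ]; then
        echo "PASS: no CORS headers for $origin"; return 0
      fi
      echo "FAIL: $origin is not expected to be allowed but ACAO='$acao'"; return 1 ;;
    *) echo "usage: cors_audit ORIGIN allowed|denied" >&2; return 2 ;;
  esac
}
```

Run it once with a listed origin and `allowed`, and once with an origin that is not in Allowed origins and `denied`; a FAIL on the second run means the endpoint is still answering with the default wildcard or an unintended origin.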
Notes
- CORS configuration applies to platform-hosted agents only.
- Changes to CORS settings require a redeployment to take effect.