{"openapi":"3.1.0","info":{"title":"CORS Header Checker","description":"Sends a real request to any URL you provide, attaches an Origin header, and reads back all six standard cross-origin permission headers the server returns. Tells you whether cross-origin requests are enabled at all, whether your specific origin is permitted, and shows you every permission value exactly as the server sent it. Perfect for figuring out why a browser is blocking a request, confirming a freshly deployed service is configured correctly, or auditing whether a public API allows credentialed cross-origin calls.","version":"1.0.0","contact":{"name":"_done","url":"https://forms.gle/5KzuSFH7p8hHtDmz7","email":"info@underscoredone.com"},"x-openapi-url":"https://cors-header-checker.underscoredone.com/openapi.json","x-logo":{"url":"https://underscoredone.com/logo.png","altText":"_done"},"x-guidance":"POST a JSON body with a required 'url' field (the endpoint to probe) and an optional 'origin' field (defaults to https://example.com). The response always includes 'cors_enabled' (boolean, true if any CORS header was found), 'origin_allowed' (boolean, true if the tested origin would be permitted by the browser), and a 'headers' object with all six Access-Control-* values as strings or null when absent. If the target server could not be reached, the response includes an 'error' string and 'status' is null — this is still a 200 response from this API, not an error. Only raise 400 for malformed input such as a non-HTTP URL. Use 'origin_allowed' to decide whether a frontend at that origin can call the URL. Use 'cors_enabled' to detect servers that return no CORS headers at all.","x-ai-instructions":"POST a JSON body with a required 'url' field (the endpoint to probe) and an optional 'origin' field (defaults to https://example.com). The response always includes 'cors_enabled' (boolean, true if any CORS header was found), 'origin_allowed' (boolean, true if the tested origin would be permitted by the browser), and a 'headers' object with all six Access-Control-* values as strings or null when absent. If the target server could not be reached, the response includes an 'error' string and 'status' is null — this is still a 200 response from this API, not an error. Only raise 400 for malformed input such as a non-HTTP URL. Use 'origin_allowed' to decide whether a frontend at that origin can call the URL. Use 'cors_enabled' to detect servers that return no CORS headers at all.","x-provider":"_done — single-purpose utility APIs for developers and AI agents. Pay per call with USDC on Base.","x-pricing":{"model":"pay-per-call","currency":"USDC","network":"Base Mainnet","price":"$0.01"},"x-keywords":["network","cors","header","checker","cross-origin","access-control","cors-debug","browser-blocked","preflight","origin-allowed","cors-audit","utility","api","ai-agent","pay-per-call","usdc","x402"],"x-category":"network","x-provider-url":"https://underscoredone.com","x-402":{"price":"$0.01","network":"eip155:8453","asset":"0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913","pay_to":"0xE9740820225B3918b4ddd1292C7cA4Ca0e2C2F08","facilitator":"https://api.cdp.coinbase.com/platform/v2/x402","scheme":"exact","description":"Sends a real request to any URL you provide, attaches an Origin header, and reads back all six standard cross-origin permission headers the server returns. Tells you whether cross-origin requests are enabled at all, whether your specific origin is permitted, and shows you every permission value exactly as the server sent it. Perfect for figuring out why a browser is blocking a request, confirming a freshly deployed service is configured correctly, or auditing whether a public API allows credentialed cross-origin calls.","mime_type":"application/json"}},"paths":{"/check":{"post":{"tags":["Network"],"summary":"Check which cross-origin permissions a URL grants for a given origin","description":"Send a real HTTP request to any web address with an Origin header attached, and report back every cross-origin permission header the server returns.","operationId":"handler_check_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/CheckRequest"},"examples":{"typical":{"summary":"Typical input","value":{"url":"https://api.github.com","origin":"https://myapp.com"}},"zero_or_empty":{"summary":"Zero or empty input","value":{"url":"https://api.github.com"}},"negative_or_invalid":{"summary":"Invalid input (400 error)","value":{"url":"not-a-url","origin":"https://myapp.com"}},"large":{"summary":"Large input","value":{"url":"https://httpbin.org/get","origin":"https://a-very-long-subdomain-name.some-enterprise-domain.internal.example.com"}}}}},"required":true},"responses":{"200":{"description":"Successful response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/CheckResponse"},"examples":{"success":{"summary":"Successful response","value":{"api_version":"1.0.0","url":"https://api.github.com","origin_tested":"https://myapp.com","status":200,"cors_enabled":true,"origin_allowed":false,"headers":{"access-control-allow-origin":"https://github.com","access-control-allow-methods":null,"access-control-allow-headers":null,"access-control-allow-credentials":null,"access-control-expose-headers":"ETag, Link, Location","access-control-max-age":null},"error":null}}}}}},"422":{"description":"Unprocessable — a required field is missing or the wrong type. Check the detail field for specifics.","content":{"application/json":{"schema":{"type":"object","properties":{"detail":{"type":"array"}}}}}},"402":{"description":"Payment required. Send a signed USDC payment on Base Mainnet using the x402 protocol.","headers":{"X-Payment-Response":{"description":"x402 payment challenge — base64-encoded JSON with payment details.","schema":{"type":"string"}}}},"400":{"description":"Bad request — your input failed validation or could not be processed. Check the detail field for specifics.","content":{"application/json":{"schema":{"type":"object","properties":{"detail":{"type":"string"}}}}}}},"x-ai-instructions":"POST a JSON body with a required 'url' field (the endpoint to probe) and an optional 'origin' field (defaults to https://example.com). The response always includes 'cors_enabled' (boolean, true if any CORS header was found), 'origin_allowed' (boolean, true if the tested origin would be permitted by the browser), and a 'headers' object with all six Access-Control-* values as strings or null when absent. If the target server could not be reached, the response includes an 'error' string and 'status' is null — this is still a 200 response from this API, not an error. Only raise 400 for malformed input such as a non-HTTP URL. Use 'origin_allowed' to decide whether a frontend at that origin can call the URL. Use 'cors_enabled' to detect servers that return no CORS headers at all.","x-guidance":"POST a JSON body with a required 'url' field (the endpoint to probe) and an optional 'origin' field (defaults to https://example.com). The response always includes 'cors_enabled' (boolean, true if any CORS header was found), 'origin_allowed' (boolean, true if the tested origin would be permitted by the browser), and a 'headers' object with all six Access-Control-* values as strings or null when absent. If the target server could not be reached, the response includes an 'error' string and 'status' is null — this is still a 200 response from this API, not an error. Only raise 400 for malformed input such as a non-HTTP URL. Use 'origin_allowed' to decide whether a frontend at that origin can call the URL. Use 'cors_enabled' to detect servers that return no CORS headers at all.","x-payment-info":{"price":{"fixed":{"mode":"fixed","currency":"USD","amount":"0.01"}},"protocols":[{"x402":{}}]}}}},"components":{"schemas":{"CheckRequest":{"properties":{"url":{"type":"string","title":"Url","description":"The full web address of the endpoint you want to check — must start with http:// or https://."},"origin":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Origin","description":"The website address you want to test cross-origin access from, for example https://myapp.com. Defaults to https://example.com if you leave it out.","default":"https://example.com"}},"type":"object","required":["url"],"title":"CheckRequest","example":{"origin":"https://myapp.com","url":"https://api.github.com"}},"CheckResponse":{"properties":{"api_version":{"type":"string","title":"Api Version","description":"API version","default":"1.0.0"},"url":{"type":"string","title":"Url","description":"The web address that was checked."},"origin_tested":{"type":"string","title":"Origin Tested","description":"The origin address that was used in the check."},"status":{"anyOf":[{"type":"integer"},{"type":"null"}],"title":"Status","description":"The HTTP status code the server responded with, or null if the server could not be reached."},"cors_enabled":{"type":"boolean","title":"Cors Enabled","description":"True if the server sent at least one cross-origin permission header back."},"origin_allowed":{"type":"boolean","title":"Origin Allowed","description":"True if a browser would allow your origin to make requests to this URL based on the server's response."},"headers":{"additionalProperties":true,"type":"object","title":"Headers","description":"All six standard cross-origin permission headers as returned by the server. Each value is the exact text the server sent, or null if the server did not include that header."},"error":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Error","description":"A plain-English description of what went wrong if the server could not be reached, or null if everything worked fine."}},"type":"object","required":["url","origin_tested","cors_enabled","origin_allowed","headers"],"title":"CheckResponse","example":{"api_version":"1.0.0","cors_enabled":true,"headers":{"access-control-allow-origin":"https://github.com","access-control-expose-headers":"ETag, Link, Location"},"origin_allowed":false,"origin_tested":"https://myapp.com","status":200,"url":"https://api.github.com"}},"HTTPValidationError":{"properties":{"detail":{"items":{"$ref":"#/components/schemas/ValidationError"},"type":"array","title":"Detail"}},"type":"object","title":"HTTPValidationError"},"ValidationError":{"properties":{"loc":{"items":{"anyOf":[{"type":"string"},{"type":"integer"}]},"type":"array","title":"Location"},"msg":{"type":"string","title":"Message"},"type":{"type":"string","title":"Error Type"},"input":{"title":"Input"},"ctx":{"type":"object","title":"Context"}},"type":"object","required":["loc","msg","type"],"title":"ValidationError"}},"securitySchemes":{"siwx":{"type":"apiKey","in":"header","name":"SIGN-IN-WITH-X","description":"CAIP-122 wallet signature for repeat access after payment"}}},"servers":[{"url":"https://cors-header-checker.underscoredone.com","description":"Production"}]}