Cross-Origin Resource Sharing (CORS)

The Sugar Integrate UI relies on browser-based cross-origin resource sharing (CORS) protections, but those protections are bypassed when you call any of our APIs whose path includes /api-v2. Because the Sugar Integrate APIs do not offer any inherent CORS protection, users and developers are responsible for managing any necessary CORS-related protections. As always, we strongly recommend that you implement any relevant best practices to ensure security for your account, resources, etc.

Things to Know

Any call made to the Sugar Integrate API server (any call to our server that includes /api-v2, regardless of environment) will not return Access-Control-Allow-* headers in the response, regardless of whether the client sends the header or not.

When the HTTP request provides the Origin header and that origin is whitelisted from a CORS perspective by the API, return any Access-Control-* headers with the Origin header's value. This is an instance of the same-origin policy (SOP); see Additional Information for more.
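
The allowlist check described above, as an added example for a service you manage yourself; it is not Sugar Integrate code. The origins, the method and header lists, and the function names are assumptions chosen for illustration.

```javascript
// Added example for a developer-managed service; not Sugar Integrate code.
// Origins below are constructed placeholders.
const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://admin.example.com"]);
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"];
const ALLOWED_HEADERS = ["authorization", "content-type"];

// Reduce an Origin header value to scheme://host[:port]; return null when it
// is absent, the literal "null", or anything other than a bare http(s) origin.
function normalizeOrigin(value) {
  if (typeof value !== "string" || value === "null") return null;
  let url;
  try {
    url = new URL(value);
  } catch {
    return null;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  return url.origin === value.toLowerCase() ? url.origin : null;
}

// Build CORS response headers for one request. reqHeaders uses lowercase keys.
function corsHeaders(method, reqHeaders) {
  // Vary: Origin keeps shared caches from reusing one origin's response for another.
  const denied = { Vary: "Origin" };
  const origin = normalizeOrigin(reqHeaders["origin"]);
  // Exact-match lookup: no substring, suffix, or regex comparison.
  if (origin === null || !ALLOWED_ORIGINS.has(origin)) return denied;
  const headers = { Vary: "Origin", "Access-Control-Allow-Origin": origin };
  const wantMethod = reqHeaders["access-control-request-method"];
  if (method === "OPTIONS" && wantMethod) {
    // Preflight: approve only if the requested method and headers are listed.
    const wantHeaders = (reqHeaders["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    const ok = ALLOWED_METHODS.includes(wantMethod) &&
      wantHeaders.every((h) => ALLOWED_HEADERS.includes(h));
    if (!ok) return denied;
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    if (wantHeaders.length > 0) {
      headers["Access-Control-Allow-Headers"] = wantHeaders.join(", ");
    }
  }
  return headers;
}
```

A request whose origin is not on the list receives only Vary: Origin, so the browser blocks the calling page from reading the response.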

Troubleshooting CORS Issues

Issues or errors regarding CORS are likely caused by the connecting application, not Sugar Integrate. To troubleshoot, check that the application you are attempting to connect with is configured to allow communication outside of its own domain.

Additional Information

To learn more about implementing best practices for CORS protection or related information, contact Customer Success or see the following documentation: