CORS hides payment headers

Quirk · GET /api/x402/cors-hides-headers · Web / HTTP Layer

Does not expose the PAYMENT-REQUIRED and PAYMENT-RESPONSE headers via CORS.

Explanation

The server does not expose the PAYMENT-REQUIRED and PAYMENT-RESPONSE headers via CORS, so browser-based clients cannot read the challenge or receipt. The merchant must add these headers to Access-Control-Expose-Headers. The same allowlist discipline applies at the edge: a CDN or API gateway that strips headers not on its allowlist can hide the payment headers even when CORS is correct (see the Edge / CDN Controls category).

What to watch

Browser clients cannot read the challenge or the receipt.

Facilitator

Settled against the live Radius testnet facilitator (https://facilitator.testnet.radiustech.xyz). A valid payment runs a real /verify and /settle on-chain.

Metadata

Back to catalog