CORS hides payment headers
Quirk · GET /api/x402/cors-hides-headers · Web / HTTP Layer
Does not expose the PAYMENT-REQUIRED and PAYMENT-RESPONSE headers via CORS.
Explanation
The server does not expose the PAYMENT-REQUIRED and PAYMENT-RESPONSE headers via CORS, so browser-based clients cannot read the challenge or receipt. The merchant must add these headers to Access-Control-Expose-Headers. The same allowlist discipline applies at the edge: a CDN or API gateway that strips headers not on its allowlist can hide the payment headers even when CORS is correct (see the Edge / CDN Controls category).
What to watch
Browser clients cannot read the challenge or the receipt.
Facilitator
Settled against the live Radius testnet facilitator (https://facilitator.testnet.radiustech.xyz). A valid payment runs a real /verify and /settle on-chain.
Metadata
- Status: Quirk
- Method: GET
- Price: 0.0001 (100 atomic)
- Responsible party: Merchant