CORS Policy Issue with Umami Cloud API Access

[jerryc127]

Describe the Bug

I am writing to inquire about a CORS policy issue I encountered while attempting to use the Umami Cloud API. I am currently registered under the free plan, and I am attempting to access the API with the following code:

const ddf = async () => {
  let headersList = {
    "Accept": "application/json",
    "x-umami-api-key": "xxxx"
  }
 
  let response = await fetch("https://api.umami.is/v1/websites/54fdbb4b-9a17-4bef-9ede-73cbbbc12fa5/stats?startAt=0000000000&endAt=1723571288005", { 
    method: "GET",
    headers: headersList
  });
 
  let data = await response.text();
  console.log(data);
}
ddf();

However, when I attempt to execute this code, I am encountering the following error in the console:

Access to fetch at 'https://api.umami.is/v1/websites/54fdbb4b-9a17-4bef-9ede-73cbbbc12fa5/stats?startAt=0000000000&endAt=1723571288005' from origin 'https://xxxxx.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

could you provide guidance on how to resolve this issue?

Database

Umami Cloud

Relevant log output

No response

Which Umami version are you using? (if relevant)

No response

Which browser are you using? (if relevant)

Edge

How are you deploying your application? (if relevant)

No response

[franciscao633]

The API should work without with signing up for a pro plan. I was able to run your code without any issues only changing the website ID and API key. Have your tried running it with he various CORS headers?

[MichaelBelgium]

This is the same case with self hosted.

I had to add these to apache config

        Header unset Access-Control-Allow-Origin
        Header always set Access-Control-Allow-Origin "<website you're trying to fetch from>"
        Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
        Header always set Access-Control-Max-Age "1000"
        Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"

        RewriteEngine On
        RewriteCond %{REQUEST_METHOD} OPTIONS
        RewriteRule ^(.*)$ $1 [R=200,L]

[mikecao]

@jerryc127 We've pushed out a few updates. Are you still having issues?

[jerryc127]

@jerryc127 We've pushed out a few updates. Are you still having issues?

yes, it another error

[github-actions]

This issue is stale because it has been open for 60 days with no activity.

[jerryc127]

Is there any solution?

[github-actions]

This issue is stale because it has been open for 60 days with no activity.