Claude API

How do you handle CORS issues when calling the Claude API?

QUICK ANSWER

Do not call the Claude API directly from client-side browser scripts, as it will trigger CORS policy blocks and expose your API keys. Instead, implement a secure proxy backend endpoint to handle the requests.

Security and CORS Setup

Anthropic intentionally blocks CORS requests from client browsers to prevent api key exfiltration. Set up a simple Express.js proxy on your server to handle calls safely:

app.post("/api/chat", async (req, res) => {
  const response = await fetch("https://api.anthropic.com/v1/messages", {
    method: "POST",
    headers: {
      "x-api-key": process.env.ANTHROPIC_API_KEY,
      "anthropic-version": "2023-06-01",
      "content-type": "application/json"
    },
    body: JSON.stringify(req.body)
  });
  const data = await response.json();
  res.json(data);
});
Verified against: Anthropic Security Best Practices