How do I fix CORS issues?
The MailBlastr API is server-to-server. Calling it from a browser triggers CORS errors and leaks your key — proxy through your own backend instead.
If you are seeing CORS errors calling MailBlastr, it is because the API is server-to-server by design. It is not meant to be called directly from a browser, and the fix is not to work around CORS — it is to move the call to your backend.
The error usually surfaces in the browser console when you call the API from client-side code, and looks like this:
Access to fetch at 'https://api.mailblastr.com/emails'
from origin 'http://localhost:3000' has been blocked by CORS policy:
Response to preflight request doesn't pass access control check:
No 'Access-Control-Allow-Origin' header is present on the requested resource.Why browser calls fail
- It leaks your API key. Any request from a browser ships your
mb_key to the user, where it can be read from network tools or page source. Anyone who copies it can send email as you. - It hits CORS. The API does not send permissive cross-origin headers for arbitrary web origins, so the browser blocks the response.
The fix: proxy through your backend
Send from your own server. Your front end calls your endpoint (authenticated as your user), and your server — holding the API key in a secret — calls MailBlastr:
// POST /api/contact on YOUR server — the browser calls this, not MailBlastr.
app.post('/api/contact', async (req, res) => {
// Validate / authenticate the request as your own user first.
const r = await fetch('https://api.mailblastr.com/emails', {
method: 'POST',
headers: {
// Key lives only on the server, in an env var or secret manager.
'Authorization': `Bearer ${process.env.MAILBLASTR_API_KEY}`,
'Content-Type': 'application/json',
},
body: JSON.stringify({
from: 'Acme <hello@yourdomain.com>',
to: ['support@acme.com'],
subject: 'New contact form submission',
text: req.body.message,
}),
});
res.status(r.status).json(await r.json());
});This keeps the key out of the browser entirely and sidesteps CORS, because the cross-origin request is now between two servers. See How to handle API keys securely.