# How do I fix CORS issues?

> The MailBlastr API is server-to-server. Calling it from a browser triggers CORS errors and leaks your key — proxy through your own backend instead.

If you are seeing CORS errors calling MailBlastr, it is because the API is **server-to-server** by design. It is not meant to be called directly from a browser, and the fix is not to work around CORS — it is to move the call to your backend.

The error usually surfaces in the browser console when you call the API from client-side code, and looks like this:

```text
Access to fetch at 'https://api.mailblastr.com/emails'
from origin 'http://localhost:3000' has been blocked by CORS policy:
Response to preflight request doesn't pass access control check:
No 'Access-Control-Allow-Origin' header is present on the requested resource.
```

## Why browser calls fail

- **It leaks your API key.** Any request from a browser ships your `mb_` key to the user, where it can be read from network tools or page source. Anyone who copies it can send email as you.
- **It hits CORS.** The API does not send permissive cross-origin headers for arbitrary web origins, so the browser blocks the response.

> **Warning:** Disabling CORS, using a public CORS proxy, or embedding your key in front-end code does not make this safe — it just exposes your key. Never put a MailBlastr API key in client-side code.

## The fix: proxy through your backend

Send from your own server. Your front end calls **your** endpoint (authenticated as your user), and your server — holding the API key in a secret — calls MailBlastr:

**Your backend (Node.js)**

```js
// POST /api/contact on YOUR server — the browser calls this, not MailBlastr.
app.post('/api/contact', async (req, res) => {
  // Validate / authenticate the request as your own user first.
  const r = await fetch('https://api.mailblastr.com/emails', {
    method: 'POST',
    headers: {
      // Key lives only on the server, in an env var or secret manager.
      'Authorization': `Bearer ${process.env.MAILBLASTR_API_KEY}`,
      'Content-Type': 'application/json',
    },
    body: JSON.stringify({
      from: 'Acme <hello@yourdomain.com>',
      to: ['support@acme.com'],
      subject: 'New contact form submission',
      text: req.body.message,
    }),
  });
  res.status(r.status).json(await r.json());
});
```

This keeps the key out of the browser entirely and sidesteps CORS, because the cross-origin request is now between two servers. See [How to handle API keys securely](https://www.mailblastr.com/docs/kb/handling-api-keys).
