I've hit a snag. While requests to the API will work when using curl, NodeJS, Python, etc, they won't work from within a browser. This is because browsers make an OPTIONS request before the main request (known as the "CORS Preflight") and the server does not recognise OPTIONS requests (it responds with "403 Bad Method"). The request to /api/request_token does work because it is a "Simple request", but the request to /api/nodes fails because it has an Authorization header (which means it doesn't count as a "Simple request"). A good explanation about this can be found .

?

To fix this, the server should respond to OPTIONS requests with the header Access-Control-Allow-Origin: *

?

Even a different port on the same server counts as a different origin, so the error persists even if I serve the page from my node machine, as the web server can't use the same port as BPQ's web UI.