API docs

Use the managed proxy in minutes.

Use the hosted API when you want API keys, daily rate limits, request logs, and a dashboard. Self-host the same Go runtime when you want full control.

Sign in and create a key Machine-readable docs GitHub

Quickstart

Hosted API

For teams that want keys, rate limits, and a hosted control plane.

  1. Sign in with your email.
  2. Create an API key in the dashboard.
  3. Use ?key=... in browser requests, or X-API-Key server-side.
curl "https://api.corsproxy.dev/proxy?url=https://api.github.com/users/octocat&key=sk_live_..."

Self-hosted

For teams that want the same proxy flow on their own infrastructure.

git clone https://github.com/melihbirim/corsproxy
cd corsproxy
go run main.go

Read the self-hosting guide →

Core request format

All hosted proxy requests hit the public proxy endpoint with the upstream URL as a query parameter.

GET /proxy?url=https://example.com/data.json&key=sk_live_...

# or, for server-side callers
X-API-Key: sk_live_...

The service adds CORS headers, tracks usage per key, and enforces your plan's daily limit. Free-plan browser keys include localhost plus one additional allowed origin.

Switching from another CORS proxy

The public hosted path is /proxy?url=.... If your current integration already sends the target URL as a url query parameter, you can usually migrate by replacing only the proxy base URL and appending your key query parameter or X-API-Key header.

Before: https://your-current-proxy.example/proxy?url=https://api.example.com/data
After:  https://api.corsproxy.dev/proxy?url=https://api.example.com/data&key=sk_live_...

The versioned path /v1/proxy remains supported, but /proxy is the compatibility path to use in client code.

Authentication

Create and manage API keys in the dashboard. Keys are shown only once when created.

Operational notes

Managed upstream headers

If a browser app should call a third-party API through corsproxy.dev without exposing the third-party credential, create the devproxy API key with an upstream rule.

POST /v1/api-keys
Authorization: Bearer <jwt>
Content-Type: application/json

{
  "name": "OpenAI browser key",
  "allowed_origins": ["https://app.example.com"],
  "upstream_rules": [
    {
      "target_host": "api.openai.com",
      "path_prefix": "/v1/",
      "headers": {
        "Authorization": "Bearer sk-provider-secret",
        "OpenAI-Project": "proj_123"
      }
    }
  ]
}

The browser sends only the devproxy key. corsproxy.dev injects the configured upstream headers when the target host and path match.

Need the full endpoint list?

Three formats — pick whichever your tooling speaks.

Want service status instead? corsproxy.dev/status shows live health + the components we depend on.

Read the blog for tutorials, or browse the glossary for definitions.