All hosted proxy requests hit the public proxy endpoint with the upstream URL as a query parameter.
GET /proxy?url=https://example.com/data.json&key=sk_live_...
# or, for server-side callers
X-API-Key: sk_live_...
The service adds CORS headers, tracks usage per key, and enforces your plan's daily limit. Free-plan browser keys include localhost plus one additional allowed origin.
Switching from another CORS proxy
The public hosted path is /proxy?url=.... If your current integration already sends the target URL as a url query parameter, you can usually migrate by replacing only the proxy base URL and appending your key query parameter or X-API-Key header.
The versioned path /v1/proxy remains supported, but /proxy is the compatibility path to use in client code.
Authentication
Create and manage API keys in the dashboard. Keys are shown only once when created.
Browser clients: ?key=sk_live_...
Server clients: X-API-Key: sk_live_...
Free-plan browser keys include http://localhost:*, http://127.0.0.1:*, and one additional origin.
Managed upstream headers can be attached to an API key for a specific target_host and optional path_prefix.
Free plan: 100 requests per day.
Usage and status are available in the dashboard.
Operational notes
Private-network targets (RFC 1918, link-local, loopback) are blocked by default.
Managed upstream headers let browser apps call third-party APIs without exposing the third-party key in the browser request.
Header rules should be scoped to the exact upstream host, and ideally to a narrow path prefix.
Usage history is retained for 30 days in the managed product.
Account export and deletion are available from the dashboard.
Managed upstream headers
If a browser app should call a third-party API through corsproxy.dev without exposing the third-party credential, create the devproxy API key with an upstream rule.
The browser sends only the devproxy key. corsproxy.dev injects the configured upstream headers when the target host and path match.
Need the full endpoint list?
Three formats — pick whichever your tooling speaks.
OpenAPI 3.1 spec — openapi.yaml covers every route, auth model, request body, and response shape. Drop it into Stoplight, Swagger UI, Insomnia, or any code generator.
Postman collection — corsproxy.postman_collection.json import it into Postman. Two collection variables (jwt + api_key) and you're ready to call every endpoint.
Live JSON docs — api.corsproxy.dev/v1/docs: machine-readable, always reflects what the deployed worker actually serves.
Want service status instead? corsproxy.dev/status shows live health + the components we depend on.