CORS and caching
CORS
Cross-origin browser calls are allowed. Preflight OPTIONS returns 204 with Access-Control-Allow-Origin: *, methods GET, POST, OPTIONS, and allowed headers Content-Type, Authorization, X-Api-Key. Because authentication is header-based, you should still avoid exposing workspace API keys in public front-end code; call the API from your backend when possible.
Caching and ETag
Successful JSON responses may include an ETag and Cache-Control: public, s-maxage=86400, stale-while-revalidate=604800, max-age=3600. Reuse the same auth headers and send If-None-Match with the previous ETag; when the payload is unchanged the API returns 304 Not Modified with an empty body, which saves bandwidth.
Responses include Vary: Accept-Encoding, Authorization, X-Api-Key so that shared caches do not serve one client's result to another.
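The two points above, a conditional request keyed the same way the Vary header keys shared caches, and a check that a public, s-maxage response actually varies on the auth headers, as an added example that is not part of the API documentation. The `/detect` path, the `make_fake_send` stand-in server and the sample payload are constructed for the example.

```python
import hashlib

VARY_REQUIRED = {"authorization", "x-api-key"}  # must be in Vary on public responses

def parse_cache_control(value):
    """'public, s-maxage=86400' -> {'public': '', 's-maxage': '86400'}"""
    out = {}
    for part in value.split(","):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip()
    return out

def shared_cache_is_safe(headers):
    """A public, s-maxage response must vary on the auth headers, or a shared
    cache could hand client A's result to client B."""
    h = {k.lower(): v for k, v in headers.items()}
    if "public" not in parse_cache_control(h.get("cache-control", "")):
        return True  # private / no-store is never stored by a shared cache
    vary = {v.strip().lower() for v in h.get("vary", "").split(",")}
    return VARY_REQUIRED <= vary

class ConditionalClient:
    """Keeps (ETag, body) per URL *and* credential fingerprint, mirroring Vary."""
    def __init__(self, send):
        self.send, self.store, self.revalidated = send, {}, 0

    def get(self, url, auth):
        fp = hashlib.sha256(repr(sorted(auth.items())).encode()).hexdigest()
        key, headers = (url, fp), dict(auth)
        if key in self.store:
            headers["If-None-Match"] = self.store[key][0]  # conditional request
        status, resp, body = self.send(url, headers)
        if status == 304 and key in self.store:
            self.revalidated += 1
            return 200, self.store[key][1]  # 304 body is empty: reuse cached copy
        if status == 200 and resp.get("ETag"):
            self.store[key] = (resp["ETag"], body)
        return status, body

def make_fake_send(payload):
    """Constructed stand-in for the API (swap in a real HTTP call)."""
    etag = '"%s"' % hashlib.sha256(payload).hexdigest()[:16]
    resp = {"ETag": etag, "Cache-Control": "public, s-maxage=86400, max-age=3600",
            "Vary": "Accept-Encoding, Authorization, X-Api-Key"}
    def send(url, headers):
        if headers.get("If-None-Match") == etag:
            return 304, resp, b""
        return 200, resp, payload
    return send
```

With a real HTTP library, pass a `send` that returns the status code, response headers and body in the same shape.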
Disabling cache
Append ?nocache=true to the request URL (GET or POST) to skip ETag generation and use Cache-Control: private, no-store instead. Use this when debugging or when identical text must always hit a fresh detection path.
Timing header
Responses include X-Response-Time-Ms with server-side processing time in milliseconds (rounded), including error responses.