diff --git a/src/main/java/org/qortal/api/Security.java b/src/main/java/org/qortal/api/Security.java
index 8bfcaadf..6d9dc949 100644
--- a/src/main/java/org/qortal/api/Security.java
+++ b/src/main/java/org/qortal/api/Security.java
@@ -36,6 +36,10 @@ public abstract class Security {
 // We require an API key to be passed
 String passedApiKey = request.getHeader(API_KEY_HEADER);
+ if (passedApiKey == null) {
+ // Try query string - this is needed to avoid a CORS preflight. See: https://stackoverflow.com/a/43881141
+ passedApiKey = request.getParameter("apiKey");
+ }
 if (passedApiKey == null) {
 throw ApiExceptionFactory.INSTANCE.createCustomException(request, ApiError.UNAUTHORIZED, "Missing 'X-API-KEY' header");
 }
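Review bot: The new query-string fallback puts the API key in the request URL, where it can end up in access logs, proxy logs, browser history and Referer headers, and nothing in the hunk limits or documents that exposure. Skipping the CORS preflight also removes a browser-side check, so the added comment should state the trade-off, e.g. `// NOTE: a key in the URL may be logged or leaked via Referer; prefer the X-API-KEY header wherever a preflight is acceptable`. The rejection message still reads `"Missing 'X-API-KEY' header"` although a second source is now accepted; `"Missing 'X-API-KEY' header or 'apiKey' parameter"` would match the behaviour, and `"apiKey"` would sit better as a constant beside `API_KEY_HEADER`. Under the servlet API `getParameter` may also read form-encoded POST bodies, which looks wider than the query string the comment describes and should be confirmed. The enclosing method starts and ends outside the hunk.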