Use this little website to test if a URL is setup correctly to work with CORS.
Shareable link: https://cors-test.codehappy.dev/?url=https%3A%2F%2Fsite-api.datocms.com%2Fediting-sessions%2F&origin=https%3A%2F%2Fsitename.admin.datocms.com%2F&method=get
This url can only be loaded by pages that match https://sitename.admin.datocms.com/. If you're trying to load it from a different origin and it's not working, you'll need to change it so the access-control-allow-origin header is set to *.
These are the response headers received when making the request.
access-control-allow-credentials: true
access-control-allow-headers: authorization, content-type, x-environment, x-organization, x-site-domain, x-api-version, user-agent, x-session-id, x-include-drafts, x-exclude-invalid, x-visual-editing, x-base-editing-url, x-cache-tags, x-datocms-trace
access-control-allow-methods: GET, POST, PUT, OPTIONS, DELETE
access-control-allow-origin: https://sitename.admin.datocms.com/
access-control-expose-headers: x-ratelimit-limit, x-ratelimit-remaining, x-ratelimit-reset, x-complexity, x-max-complexity, x-cache-tags
access-control-max-age: 1728000
cache-control: no-cache
cf-cache-status: DYNAMIC
cf-ray: 95e6cac6e6393739-YYZ
connection: keep-alive
content-type: application/json; charset=utf-8
date: Sun, 13 Jul 2025 06:41:00 GMT
referrer-policy: strict-origin-when-cross-origin
server: cloudflare
strict-transport-security: max-age=15552000; includeSubDomains; preload
transfer-encoding: chunked
vary: Accept-Encoding
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-queue-time: 0ms
x-request-id: 09f4b295-4f82-4d1b-8c15-b24f5a183330
x-runtime: 0.005380
x-xss-protection: 0
CORS tester was built by @mscccc. The code is available on GitHub. Sponsored by HTML/CSS to Image.