Client-Side Requests and CORS

The Decision API supports CORS for AJAX requests. GitHub's documentation has a good overview of CORS.


If you make client-side requests to the Decision API and expect cookies in the response, you must pass the XHR headers described below.

The CORS preflight request looks like this:

curl -i -H "Origin:" -X OPTIONS
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: accept, origin, content-type, content-length
Access-Control-Allow-Methods: GET,PUT,POST,DELETE,OPTIONS
Date: Fri, 09 Jun 2017 20:33:34 GMT
Server: nginx/1.1.19
X-Powered-By: Express
Content-Length: 0
Connection: keep-alive

You must pass withCredentials: true on xhrFields in the request to enable cross-domain requests. See the jQuery example below:

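<!DOCTYPE html>
<script src=""></script>
<script>
$.ajax({
  data: JSON.stringify({
    placements: [
      {
        divName: "testDiv",
        networkId: 23,
        siteId: 667480,
        adTypes: [5]
      }
    ]
  }),
  dataType: "json",
  method: "POST",
  url: "",
  xhrFields: {
    // Send and accept cookies on this cross-domain request
    withCredentials: true
  },
  success: function(data) {
    // Handle the decision response here, e.g. render the ad into #testDiv
  }
});
</script>
<div id="testDiv">this text will be replaced by an ad</div>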
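As an added example (not part of the Decision API documentation or its code), the JavaScript below checks a preflight response the way a browser does for a request sent with withCredentials: true. The origin https://publisher.example and the Access-Control-Allow-Origin line are constructed assumptions; the sample preflight response above does not show that header.

```javascript
// Parse a raw HTTP response head into a map of lower-cased header names.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/).slice(1)) { // skip the status line
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return headers;
}

// Methods that never need to appear in Access-Control-Allow-Methods.
const SAFELISTED_METHODS = ["GET", "HEAD", "POST"];

// requestHeaders: non-safelisted header names the request sends
// (e.g. "content-type" when the body is application/json).
// Returns a list of reasons a browser would block the credentialed request.
function checkCredentialedPreflight(raw, origin, method, requestHeaders) {
  const h = parseHeaders(raw);
  const problems = [];
  const list = (name) => (h[name] || "").split(",").map((s) => s.trim()).filter(Boolean);

  const acao = h["access-control-allow-origin"];
  if (acao === undefined) problems.push("missing Access-Control-Allow-Origin");
  else if (acao === "*") problems.push("wildcard origin is rejected when credentials are sent");
  else if (acao !== origin) problems.push("allowed origin does not match " + origin);

  if (h["access-control-allow-credentials"] !== "true")
    problems.push("Access-Control-Allow-Credentials must be exactly 'true'");

  // With credentials, "*" in these lists is a literal token, not a wildcard,
  // so a plain membership test is the correct comparison.
  if (!SAFELISTED_METHODS.includes(method) && !list("access-control-allow-methods").includes(method))
    problems.push("method not allowed: " + method);
  const allowed = list("access-control-allow-headers").map((s) => s.toLowerCase());
  for (const name of requestHeaders)
    if (!allowed.includes(name.toLowerCase())) problems.push("header not allowed: " + name);
  return problems;
}

// Header lines copied from the sample preflight response above.
const PAGE_HEADERS = [
  "HTTP/1.1 200 OK",
  "Access-Control-Allow-Credentials: true",
  "Access-Control-Allow-Headers: accept, origin, content-type, content-length",
  "Access-Control-Allow-Methods: GET,PUT,POST,DELETE,OPTIONS",
].join("\n");
// Constructed: the same response with an assumed Access-Control-Allow-Origin line.
const WITH_ORIGIN = PAGE_HEADERS + "\nAccess-Control-Allow-Origin: https://publisher.example";
```

An empty result means the browser would let the credentialed request proceed; any entry names the header to fix on the server side or the request detail to change on the client.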

The cookie returned in a response is the azk cookie with a user's User Key as its value. Refer to the User DB documentation for more info.


The cookie will originate from the domain used to make the request. If you use a white-labeled domain to call the Decision API, you should expect cookies from that domain.