The Decision API supports CORS for Fetch requests. Github's documentation has a good overview of CORS.

❗️
If you make client-side requests to the Decision API and expect cookies in the response, you must pass the CORS headers described below.

The CORS preflight request looks like this:

curl -i https://e-23.adzerk.net/api/v2/ -H "Origin: https://example.com/page.html" -X OPTIONS
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: accept, origin, content-type, content-length
Access-Control-Allow-Methods: GET,PUT,POST,DELETE,OPTIONS
Access-Control-Allow-Origin: http://example.com/page.html
Date: Fri, 09 Jun 2017 20:33:34 GMT
Server: nginx/1.1.19
X-Powered-By: Express
Content-Length: 0
Connection: keep-alive

You must pass credentials: "include" on the Fetchoptions in the request to enable cross-domain requests. See the Fetch example below:

<!DOCTYPE html>
<script>
fetch("https://e-23.adzerk.net/api/v2", {
  method: "POST",
  credentials: "include",
  headers: {
    "Content-Type": "application/json"
  },
  body: JSON.stringify({
    placements: [
      {
        divName: "testDiv",
        networkId: 23,
        siteId: 667480,
        adTypes: [5]
      }
    ]
  })
})
.then(response => {
  if (!response.ok) {
    throw new Error('Network response was not ok');
  }
  return response.json();
})
.then(data => {
  document.getElementById("testDiv").innerHTML = data.decisions.testDiv.contents[0].body;
})
.catch(error => {
  console.error('There was a problem with the fetch operation:', error);
});
</script>

<div id="testDiv">this text will be replaced by an ad</div>

The cookie returned in a response is the azk cookie with a user's User Key as its value. Refer to the User DB documentation for more info.

📘
The cookie will originate from the domain used to make the request. If you use a white-labeled domain to call the Decision API, you should expect cookies from that domain.