CORS & origin validation
Neuroon validates each request's Origin differently depending on the endpoint and the credential type. This page is the single source of truth: if any other doc disagrees, this matrix wins.
Canonical matrix (Plugin API)
| Endpoint | Auth | Accepts missing Origin (server-to-server) | Origin must match | How to add a domain |
|---|---|---|---|---|
| POST /api/plugin/shops/{shopId}/products/sync | X-Shop-API-Key | ✅ Yes | n/a — only that the API Key belongs to the shop. | n/a |
| GET /api/plugin/shops/{shopId}/products | X-Shop-API-Key | ✅ Yes | n/a | n/a |
| POST /api/plugin/shops/{shopId}/track/conversion | X-Shop-API-Key | ✅ Yes | n/a | n/a |
| POST /api/plugin/shops/{shopId}/verify | X-Shop-API-Key | ✅ Yes | Body domain is compared to `shop.url`. | Edit `shop.url` in the dashboard. |
| GET /api/plugin/shops/{shopId}/verification-data | X-Shop-API-Key | ✅ Yes | n/a | n/a |
When `Origin` is present, the backend checks it against the trusted-domain list (`neuroon.ai` and subdomains, `localhost`, `127.0.0.1`) or against the `shop.url` registered in the dashboard. If `Origin` is missing (curl, server-to-server), the request is allowed. This makes the endpoints work both from the browser and from `curl`.
The widget embedded in the browser talks to an internal backend using the Widget Token. You don't call those endpoints — the CDN bundle consumes them directly.
Trusted-origin list
Default values:
- `localhost` and `127.0.0.1` (suffix-match: any subdomain or port).
- `neuroon.ai` (suffix-match: includes `*.neuroon.ai`).
- The `shop.url` registered in the dashboard.
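The rule above (missing `Origin` allowed, present `Origin` suffix-matched against the trusted list or compared to `shop.url`), written out as an added example that is not Neuroon's own backend code. It assumes the suffix match is label-aware (`host == domain` or `host` ends with `.domain`), that `Origin: null` or an unparsable value is rejected rather than treated as absent, and that the `shop.url` comparison is on hostname only; none of those details are stated on this page.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed defaults mirroring the page's trusted-origin list (suffix-match).
TRUSTED_SUFFIXES = ("localhost", "127.0.0.1", "neuroon.ai")


def host_matches(host: str, trusted: str) -> bool:
    """Label-aware suffix match: exact host, or any subdomain of `trusted`.

    A plain str.endswith() would also accept 'notneuroon.ai', so the check
    requires a '.' boundary before the trusted suffix. Ports are already
    stripped by origin_host(), which is what 'any subdomain or port' means.
    """
    return host == trusted or host.endswith("." + trusted)


def origin_host(origin: str) -> Optional[str]:
    """Return the lower-cased hostname of an Origin/URL value, or None if it
    is not an http(s) origin with a host (covers 'null', file://, garbage)."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def origin_allowed(origin: Optional[str], shop_url: str) -> bool:
    """Decide whether a Plugin API request passes origin validation.

    - No Origin header at all (curl, server-to-server): allowed, per the page.
    - Origin present: must suffix-match a trusted domain or equal the host
      of the shop.url registered in the dashboard (assumption: hostname only).
    """
    if origin is None:
        return True
    host = origin_host(origin)
    if host is None:
        # Present but opaque ("null", file://): reject, do not treat as absent.
        return False
    if any(host_matches(host, suffix) for suffix in TRUSTED_SUFFIXES):
        return True
    shop_host = origin_host(shop_url)
    return shop_host is not None and host == shop_host
```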
Adding a new domain
- For your primary domain: edit it from the dashboard → your shop → Settings → Storefront URL. The change applies to the next request served.
- For extra domains (staging, branches, marketing domains sharing the widget): open a support ticket with the `shopId` and the domains.
Common errors
| Symptom | Cause | Fix |
|---|---|---|
| Browser blocks XHR with CORS error and console shows 403 | The widget is running on a domain that is not in the trusted list nor matches `shop.url`. | Check `shop.url` or ask support to add the domain. |
| 403 DOMAIN_MISMATCH when calling /verify | The domain in the body does not match `shop.url`. | Edit `shop.url` in the dashboard and retry. (Body field: `{"domain": "..."}`, not `url`.) |
| 401 when serving the widget from the browser | Token expired, not present in the HTML, or environment mixup (DEV token against api.neuroon.ai). | Re-sign the token (HMAC) on your server and double-check the base URL. |
Further reading
- Authentication · Widget Token — 24 h token signed by your server.
- Authentication · Shop API Key — `sk_…` format and rotation.
- Recipe · Server-to-server token — caching and rotation pattern.
- Custom · Server-to-server — includes domain verification without the plugin.