Generally speaking CORS is not available for the NCC APIs as it would expose credentials (api keys or access tokens) directly to the browser, and this could be a large security risk for potentially exposing large quantities of sensitive data.

The availability of CORS is restricted to test-mode api keys and localhost origins using either HTTP or HTTPS protocols. This can be used for ad-hoc initial testing within a browser.

Integrators will need to implement a server-side interface (this may be a simple wrapper) for production usage, to protect their api keys and ensure correct security controls such as restricting bulk data fetching requests.