API - Add allowed origin on self-hosted Zammad Server

Hello,
I’m currently implementing the Zammad API into a SaaS-Solution. Basically I want to automatically create a ticket or note, when an exception occurs for a user.


I need a possibility to add allowed origins since the Zammad-Env has its own hosted Server.

I already tried to add the “Access-Control-Allow-Origin” Header in the zammad nginx configuration but that didn’t work unfortunately.

I would be very thankful for some advices.

1 Like

I was able to narrow the problem down further. The Browser sends the Authorization header in the preflight OPTIONS request aswell. This doesnt succeed since it has the auth header with it. Because the preflight failed the actual POST didn’t go through.

Does anyone know what to do so that the preflight excludes the auth header?

Hi @jmayer - welcome to the community!

Zammad sends the Access-Control-Allow-Origin – but not for Token or BasicAuth. How is your authentication implemented?

I wanted to use the token authentication. So I have to switch to OAUTH?
The SaaS is a multi-tenant solution. I just want to use one single Zammad Account for the API-created tickets. Is that possible with OAuth?

You don’t have to use OAUTH to do that.
Token based authentication is perfectly fine.

What you seem to be missing is that your Token is not provided via header.
See: https://docs.zammad.org/en/latest/api/intro.html#http-token-authentication-access-token

This might help you.

I’m providing the token in the header (this is typescript):


And it works as you can see here:

Now the error is, that the authorization header isn’t allowed in a OPTIONS request (preflight check from browser):