For security reasons, you must not call the Duffel API directly from a browser-based frontend application - for example a React or Vue.js single-page application (SPA) - or a mobile app.
To help you to avoid this mistake which could compromise the security of your account, we have set up CORS (Cross-Origin Resource Sharing) rules for `api.duffel.com` so browsers will block any questions.
Why can't I call the Duffel API directly from my frontend or app?
In order to send requests to the Duffel API from your frontend - that is, from a user's browser - or app, your user's device will have to have access to your Duffel access token.
Your Duffel access token is like your password for the API. Once someone has that token, they have full access to your account. They can use it to do anything - for example spend your money on flights or look at other customers' bookings in your account.
How should I interact with the Duffel API from my frontend?
That API backend should receive requests from your frontend or app and then make requests to the Duffel API.
That will mean that your backend code is the only place that has the access token, and it controls who does what with the Duffel API.